[kohanz]

Thanks for the helpful response. There are a bunch of great resources out there for achieving HIPAA compliance and given those, I'm confident that we can achieve it. What is unclear to me is, if we build such a solution, and then go into the OR, open a browser and type in http://<ourwebapp>.com, I'd expect the odds of us actually reaching that web page are low (e.g. will be blocked by a firewall). Is making sure that channel works just a matter of reassuring and negotiating with the hospital IT so that they ensure such access?

[tubbzor]

IMO you are thinking too far down the rabbit hole. If you are at the point of being implemented by a hospital or healthcare system implies you have already negotiated your product, licenses, etc and have the green light for all facets of what you offer (ie. access in the OR) by the boss(es). Hospital IT will listen to whatever said boss tells them to do, such as allowing access to your app if necessary.

[lbhnact]

This is true. Once buy-in is achieved then IT will generally do what they need.