What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was put into effect in 1996 to ensure the protection of sensitive patient information in medical contexts. Therefore, clinics, pharmacies, hospitals, medical practices and healthcare providers that work online need to verify that their websites are in accordance with HIPAA, in order to ensure the security of personal patient information that is received and stored on their websites. But what is it exactly that HIPAA requires for a website to be in compliance? How do you know if your website is HIPAA compliant? Is there a HIPAA compliant web developer to do this for me? First, let’s understand if your website needs to be HIPAA compliant.
Does my website need to be HIPAA compliant?
The answer to this question is simple: do you collect, store or transmit Protected Health Information (PHI) on your website? If your answer is yes, then your website needs to be HIPAA compliant.
Protected health information (PHI): is any information about the health status, provision of healthcare and/or payment related to health services of a specific individual.
There are three ways to gather Protected Health Information (PHI):
This refers to a website collecting any identifiable medical information through contact forms, online patient forms, live chats, patient portals, etc. If any of this information, including patient symptoms, conditions or healthcare services, is being collected then the website is collecting PHI.
If a website is collecting PHI then it is most likely storing PHI as well. HIPAA requires that entities storing PHI need to do so on a server that is encrypted and secure.
To transmit PHI refers to passing along this information, either via email, webforms or any other type of digital messaging. If this is being done on a server that is not encrypted and secure, then the website is in violation of HIPAA requirements.
If your website either collects, stores or transmits Protected Health Information (PHI) then it needs to meet HIPAA requirements. There are specialized HIPAA compliant web developers that will ensure your website is meeting all the requirements. However, if you are still unsure if your website needs to be HIPAA compliant, then you can check out the full checklist here: https://www.hipaahq.com/hipaa-security-rule-compliance-checklist/
HIPAA Compliance Requirements
There are a number of HIPAA compliance requirements, certifications and audits that need to be completed in order for a website to be HIPAA compliant. A lot of online healthcare providers and medical offices opt to hire an outside agency or a HIPAA compliant web developer that can make your website HIPAA approved for you. This can save you a lot of time and energy. However, make sure the web developer or digital agency is familiar with the HIPAA compliance guidelines before committing.
If you do choose to make your website HIPAA compliant yourself, you must have these extra security features put into place to protect the client’s personal information:
The simplest way to know if you already have an SSL certificate is to look at your website’s URL. If there is a letter “s” after “http”- “https://” then this means the sensitive data being transmitted on the website is secure. If your website fails to have an SSL certificate then it is not in compliance with HIPAA.
To avoid data loss, all of the information gathered from your website needs to be stored and backed up. You can backup data either on any cloud service or by creating a local backup.
Employees must sign a privacy agreement in order to access the protected health documentation that is input into the website. Every authorized individual from the company may need different levels of permission to fulfill their job duties.
If you are working with any third party vendors, service providers or a HIPAA compliant web developer, make sure that they sign a HIPAA Business Associate Agreement that will provide them with access to your website.
Removal of Information
When ensuring your website is compliant with HIPAA regulations, you must make sure you have the ability to permanently delete any patient information. Upon their request or transfer to another service provider, the confidential information needs to be removed from the website as well as the backup server.
All information that is stored onto your website and your backup data needs to be encrypted. This information needs to be encrypted even when trying to access it from a backup file such as the cloud. All files stored have to be encrypted according to HIPAA guidelines.
It is no small task to be responsible for client’s personal data. Your website needs to be confident that there is no way for the saved information to be accessed, tampered with or viewed. If you are unsure about this, look into hiring someone on the outside, such as a specialized web developer, to be certain that your patient’s personal saved information is encrypted and secure.
What is HIPAA Compliant Hosting?
Another important factor to understand is HIPAA compliant hosting. HIPAA compliant hosting refers to the server that is handling or “hosting” all the different patient information. A HIPAA compliant server is one that follows the guidelines defined by HIPAA to prevent medical record information breaches. If you are handling PHI then the server you are using to access this information needs to meet the HIPAA compliant server requirements.
What happens if my website is not HIPAA compliant?
If your website is in violation of HIPAA there are a series of consequences that can result in penalty fines up to $50,000 depending on the number of patients affected and level of negligence. This is why we recommend hiring an agency that helps you take preventative measures to optimize your website for compliance with HIPAA.
Should I hire a HIPAA compliant website developer?
We recommend hiring a HIPAA compliant website developer or company to ensure your website is in complete adherence with the guidelines and not risk clients’ sensitive information. All medical practices, clinics, pharmacies, healthcare providers and even companies selling medical equipment online need to be in accordance with HIPAA guidelines. The internet is a dangerous place to be handling sensitive information, which is why HIPAA exists in the first place. If you are not sure how to ensure your website complies with HIPAA, then look into hiring a company that can safely and effectively do it for you. It is not worth the risk of sensitive patient information and/or enormous fines when there are companies that will sign a HIPAA Business Associate Agreement with you to make sure all of the extra security measures are in place and functioning on your company’s website.