A Beginner’s Guide to HIPAA Compliant Websites
If you’re involved in the healthcare industry, you should be thinking about how HIPAA affects your website. This guide serves as a great starting point for learning about HIPAA guidelines in the online world.
In part 1, we will identify if your website is at risk for violating HIPAA. In part 2, we will discuss how to ensure your website is compliant. And in part 3, we include some further reading on HIPAA.
Part 1: Are you at risk of violating HIPAA?
Does your website need to be HIPAA compliant?
To answer that question, you must answer this one: does your website store or transmit protected health information? If so, your website needs to comply with HIPAA regulations. More details below.
What is protected health information?
Protected health information (PHI) is personally identifiable medical or payment information related to health services. That includes:
- Identifiable demographic or genetic information related to health
- Information relating to the physical or mental condition of an individual
- Payment or financial information related to healthcare
Is your website collecting protected health information?
If your website collects any individually identifiable medical information, such as symptoms, conditions, or requested healthcare services, you are collecting PHI.
You might be receiving PHI through:
- Contact forms that ask about symptoms, medical services, medications or other health-related information
- Online patient forms
- Live chat
- Patient Portals
- Patient reviews or testimonials
- Any other information-collecting tools on your website
How do you know if you’re storing protected health information?
Once you understand what PHI is and whether you collect it through your website, you should consider how and if you are storing that information. The Privacy Rule of HIPAA requires that entities that store PHI take reasonable measures to protect it. If you keep individually identifiable medical information on a server, that server must be encrypted and secure.
How do you know if you’re transmitting protected health information?
Transmitting PHI includes sending information via email, web forms or other types of digital messaging. To stay HIPAA compliant when transmitting PHI, all emails, email servers and web forms involved should be encrypted and secured.
Do you need to sign a business associate contract?
That may include:
- Hosting providers
- Digital marketing firms
- Other partners that have access to data you collect
What is a business associate contract?
A business associate contract is an agreement between an organization and its “business associate” that has access to PHI collected by the organization. The contract requires that business partners follow HIPAA guidelines to keep PHI secure. Learn more about the provisions of the business associate agreement here.
What if your website is not HIPAA compliant?
If your website collects, stores, or transmits PHI, and does not take reasonable measures to secure that data, you may be in violation of HIPAA. If you are, you run the risk of HIPAA penalty fines, which are not cheap. Depending on the scale of the violation, the number of patients affected, and the level of negligence, a fine can range from $100 to $50,000.
Part 2: How to Make Your Website HIPAA Compliant
How do you make your website HIPAA compliant?
If your site is not compliant, you should establish new processes, starting with these essential steps:
- Purchase and implement an SSL certificate for your website
- Ensure all web forms on your site are encrypted and secure
- Only send emails containing PHI through encrypted email servers
- Partner with web hosting companies that are HIPAA compliant and have processes for protecting PHI
- Sign a business associate contract with third-parties that have access to your patients’ PHI
- Ensure that PHI is only accessible to authorized individuals
- Establish processes to delete, backup and restore PHI as needed
Still not sure if your website is HIPAA compliant?
Because the internet is such a vast, ever-changing landscape, the language around HIPAA regulations for websites are intentionally vague at times. This leads to a lot of uncertainty. However, if you take reasonable steps to secure PHI, control who accesses it and partner with HIPAA compliant organizations, you can protect your patient’s privacy and avoid violations and fines.
Part 3: HIPAA Resources
This guide is not comprehensive, so we have included some helpful resources and next steps to familiarize yourself with HIPAA and website compliance.
- Learn More About HIPAA
- About Business Associates
- Staying Compliant
Partner with an Internet Marketing firm specializing in healthcare
Full Media works with healthcare organizations of all sizes to grow their patients online through digital marketing and web development. Learn more about Full Media and our work in the healthcare industry.
This article is for general information only and is not formal legal advice.
Celebrating more than a decade with Full Media, Lauren has served in a wide variety of roles that have helped her gain a well-rounded understanding of digital marketing and website development.
Lauren began as an Internet Marketing Analyst with a specialty in paid search advertising, providing both SEO and PPC management to a diverse group of clients. After spending time as the department Director for Internet Marketing and subsequently Production (website development team), she was promoted to be the Director of Operations. In this role, Lauren is responsible for providing the infrastructure to Full Media team members that facilitate client success through a mix of leadership, process improvements, and growth in team capabilities. She also serves as the project manager for custom website projects, using her combined expertise in marketing and development to ensure the successful launch of complex website redesign projects.Read Full Bio