Does Your Medical Practice Have a HIPAA-Compliant Website?
You probably already know that HIPAA violation fines can run as high as $50,000 per incident. If that’s not enough of a reason for you to make sure your healthcare practice website is HIPAA-compliant, we can think of several others. This article will explore those reasons and offer some helpful suggestions for creating a HIPAA-compliant website for 2022.
If your website collects, stores, or transmits PHI (protected health information) or ePHI (electronic protected health information), and you don’t take reasonable measures to secure those data, you may be in violation of HIPAA. If you are, you run the risk of HIPAA penalty fines. Depending on the scale of violation, number of patients affected, and level of negligence, fines can range from $100 to $50,000.
Data breaches typically have three main causes: third-party errors, employee actions, and lost or stolen devices containing PHI or ePHI. So, ask yourself: does my website have what it takes to be HIPAA compliant?
What is the current state of HIPAA compliance?
A recent survey found the following facts about HIPAA compliance:
- 58% of respondents have a HIPAA compliance plan
- 23% of respondents did not have a compliance plan
- 45% of respondents have breach notification policies
- 67% of healthcare organizations plan to invest in HIPAA audit services
What are the requirements for a HIPAA website?
In a nutshell, any information that is transmitted from your website must always be encrypted and secure. Your PHI should be backed up, recoverable, and accessible only by authorized personnel who have unique access rights. The information should never be improperly altered. Personal health information should be permanently erasable when it is no longer needed.
Does your website meet HIPAA security standards?
If you answer yes to the following questions, your website probably meets HIPAA security standards:
- Does your website have automatic back-ups that are recoverable at any time?
- Are the data transmitted from your website encrypted?
- Are your stored data encrypted?
- Are your website data accessible only by authorized persons with unique permissions?
- If your website is no longer needed, can it be permanently deleted?
- Do you have a HIPAA Business Associate Agreement with the company that hosts your website? If not, does the server that hosts your website meet HIPAA security rules?
What constitutes PHI (protected health information)?
PHI is personally identifiable medical or payment information related to a patient’s health services. It includes identifiable demographic or genetic information related to the physical or mental condition of an individual. It also includes payment or financial information related to an individual’s healthcare. If your website collects individually identifiable medical information such as symptoms, conditions, or requested healthcare services, that’s PHI.
If you collect health information from online contact forms or patient forms that ask about symptoms, medical services, medications or other health-related information, you must be HIPAA compliant. Ditto for live chat, patient portals, patient reviews or testimonials and other information-collecting tools that may be on your website. The Privacy Rule of HIPAA requires that anyone who stores PHI must take reasonable measures to protect it. If your individually identifiable medical information is stored on a server, that server must also be encrypted and secure. You may be transmitting PHI when you send information via email, web forms or other types of digital messaging. To stay HIPAA compliant, all emails, email servers and web forms should be encrypted and secured.
How can you have a HIPAA compliant website?
If you find that your website is not compliant, you should follow these essential steps:
- Purchase and install an SSL/TLS certificate so your site is served over HTTPS
- Ensure that all web forms on your site are encrypted and secure
- Send emails containing PHI only through encrypted email servers
- Ensure that PHI is only accessible to authorized individuals
- Partner with a HIPAA-compliant web hosting company that protects PHI
- Sign a business associate contract with any third parties who have access to your patients’ PHI or who provide HIPAA-compliant web hosting
- Establish processes to delete, back up and restore PHI as needed
Healthcare professionals already know that PHI and ePHI must meet the safety rules and requirements of the Health Insurance Portability and Accountability Act and the Department of Health and Human Services. If you take reasonable steps to secure PHI, control access to it and partner with other HIPAA-compliant organizations, you can protect your patients’ privacy and avoid violations and fines.
Why is HIPAA compliance such a big issue?
Physicians and medical administrators know that confidentiality, data security and privacy are bigger, more dangerous and more complex issues today than they were before we became an Internet-driven world. After all, health data and medical records make attractive targets for criminal activities such as cyber theft and ransomware attacks.
If those digital security issues aren’t compelling enough to keep you up at night, then consider that many healthcare websites are still not secure and may be failing to safeguard “individually identifiable health information.” That’s why being HIPAA compliant is so vital for every healthcare practice website.
How is your healthcare website, and HIPAA compliance, put at risk?
Ask yourself whether your files, storage, and transmissions are secure. Remind yourself that any data “in the open” without encryption or SSL (Secure Sockets Layer) are at risk. Make sure that all sensitive material is encrypted and secure, particularly when transmitting over the Internet.
Even simple forms can put you at risk. Often, a patient or prospective patient completes an online form that reveals their name, phone number and email address. That personal data needs the same level of protection as ePHI. Because it is “individually identifiable” and collected in connection with health services, it is likely to meet HIPAA’s definition of electronic protected health information.
Another big risk factor is social media. While social media is useful for discussing many topics under the healthcare umbrella, information specific to an individual patient or identifiable info such as photographs can violate personal privacy.
If you find yourself in the position of responding to online comments or review sites, let caution prevail. It’s OK to respond online. Just make sure that your reply avoids reference to a specific, identifiable or individual patient. It’s often best to use extra caution and avoid even acknowledging that someone is your patient.
Does your smartphone put you at risk?
You bet. Never forget that your smartphone is a major target for theft. Mobile devices are compact and easy to snatch from your hand or from any flat surface you leave them on. That opens the door to cyber theft of your stored or accessible information. Mobile devices that are used to exchange doctor-patient communications may be neither secure nor HIPAA compliant.
How do you ensure your website’s HIPAA compliance?
Your best option is to partner with a reputable healthcare marketing agency specializing in HIPAA-compliant healthcare marketing. They’ll make sure that your website is HIPAA compliant and they’ll include it in your healthcare marketing plan. They’ll help you present your HIPAA compliance as a benefit to patients who are fearful about privacy issues. Best of all, a good healthcare marketing agency will help you avoid penalties and costly fines while protecting your peace of mind.