An effective website is a foundation for any digital marketing strategy. However, for healthcare providers, having a great website is not enough – it also needs to be HIPAA-compliant. This means if you are using your practice website for either transmitting or storing protected health information (PHI), it must have appropriate policies and procedures in place, in addition to the technical security.
The most important thing to do is assess what actions you want visitors to take when they visit your practice website. Do you want potential patients to be able to do a live chat, send an email, upload documents, fill out contact forms or access the patient portal? Once you identify how your visitor will interact with your website, you can work on ensuring those interactions are convenient, user-friendly and secure. However, it is important to consider the following conditions:
- Are you transmitting any PHI through your practice website?
- Are you storing PHI on a server that you are hosting?
If you are transmitting PHI on or through your practice website, then you need to ensure it is HIPAA-compliant. This includes simple transactions like scheduling an appointment.
Ensuring HIPAA compliance is one of the biggest concerns for healthcare practitioners, and for a valid reason: most privacy violations result in severe consequences, including huge penalties and even jail time for some medical providers.
What makes matters more challenging is the fact that HIPAA laws are vague on what actions one should take to make a website HIPAA-compliant.
As a healthcare practitioner, it is your responsibility to make sure that any PHI you are collecting is protected. Technological advancements can add efficiency to regular operations, but they can also introduce new HIPAA compliance concerns.
How do you make a HIPAA-compliant website?
Most healthcare providers transmit PHI at some point through their website. Remember, even appointment scheduling is an instance of transmitting PHI, because it ties personally identifiable information to a patient's interaction with your practice.
There are many steps that can be taken to convert your basic website into a HIPAA-compliant one. What works for you will depend on what you are trying to accomplish with your site and in what way PHI is present and transmitted.
Step #1: Transmission Encryption: Your first step is to use Secure Sockets Layer (SSL), or rather its modern successor Transport Layer Security (TLS), which will protect your website. SSL/TLS is a standard web security technology that creates an encrypted link between a server and a browser. Critical information related to patients, which is contained in contact forms and appointment request forms, must be encrypted. You can protect the information by obtaining a certificate for your website and serving every page over HTTPS. SSL/TLS complies with HIPAA’s data encryption standards and keeps private patient information safe. For a website, it is used to encrypt patient health-related information so that the initial transmission of PHI is secure. From here, the PHI can either be stored on a server or passed through to someone via email. However, it is important to ensure that your SSL/TLS configuration is strong enough: obsolete protocol versions and weak cipher suites must be disabled, or the encrypted link provides less protection than it appears to. In addition, what if the visitor submits PHI on your website and then your website transmits or stores that information elsewhere? That onward transmission and storage must also be HIPAA-compliant.
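The following is an added example, not code from the original article: it builds a server-side TLS context in Python's standard `ssl` module that only negotiates TLS 1.2 or later with forward-secret AEAD cipher suites, and an `audit_context` check that reports the kind of weak settings Step #1 warns about (old protocol versions, TLS compression, obsolete ciphers). The cipher-name markers and the cipher string are assumptions chosen for illustration, not a complete policy.

```python
import ssl

# Assumption: illustrative fragments of OpenSSL cipher names that indicate obsolete
# or broken algorithms. A production policy would be driven by a maintained baseline.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def build_hardened_server_context(certfile=None, keyfile=None):
    """Server-side TLS context that negotiates only TLS 1.2+ with modern AEAD suites.

    certfile/keyfile are optional so the policy can be inspected without a certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2: only ECDHE key exchange (forward secrecy) with AEAD ciphers.
    # TLS 1.3 suites are always AEAD and are configured separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    # TLS-level compression leaks plaintext length (CRIME-style attacks); keep it off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_server_context():
    """Deliberately permissive context, used only to show what the audit catches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # allow TLS 1.0/1.1
    ctx.set_ciphers("ALL:@SECLEVEL=0")  # everything OpenSSL was built with
    return ctx


def audit_context(ctx):
    """Return a list of findings describing weak settings in a TLS context."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol: TLS 1.0/1.1 (or SSL) can still be negotiated")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("compression: TLS compression is not disabled")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"cipher: weak suite enabled: {name}")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(build_hardened_server_context()) or "no findings")
    for finding in audit_context(weak_server_context()):
        print("weak:", finding)
```

Run against your own server's context (or the equivalent settings in nginx or Apache), the audit should come back empty; if the protocol finding appears, the site still accepts TLS 1.0 or 1.1 connections and the "encrypted link" can be downgraded by a client or an attacker in the path.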
Step #2: Backup: You must ensure that the PHI stored on your website or collected from your website is backed up and can be recovered in case of an accidental deletion. Whether you store data on your own server or a third-party server, it is critical to ensure that the hosting partner is HIPAA-compliant. Your server should have antivirus installed and provide offsite backups, a firewall and OS patch management. Most hosts provide this service for information stored on their servers. If your website sends information elsewhere, then those messages must also be backed up or archived, and you must take care that those backups are robust and accessible only by authorized people. It is important to note that the PHI stored in backups must also be protected in a HIPAA-compliant way, with the same security, unique authorization controls and retention rules as the live data.
Step #3: Authorization: Who can access the PHI that resides on your website or is collected there? Is the PHI only accessible by authorized personnel with unique and audited access controls? This is where your HIPAA-compliant web hosting provider can help. However, you have to make sure your hosting provider is a trusted Business Associate with a signed agreement in place. If your website collects PHI and sends it to you or others through an email solution, it is critical to understand who can access those messages. Can anyone with access to your email or the messaging system read this information? If your website stores or transmits PHI, does it enforce unique and secure logins, so that only authorized people can access that information?
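As an added illustration of the "unique and audited access controls" Step #3 asks for (this is example code, not part of the original article or any hosting provider's product), the block below keeps a per-user credential store with salted scrypt password hashes, checks a role before releasing a PHI record, and writes an audit entry for every attempt, granted or denied. The in-memory dictionaries, the scrypt parameters and the `phi` role name are assumptions standing in for a real database and access policy.

```python
import hashlib
import hmac
import os
import time

# Assumption: constructed in-memory stores; a real deployment would back these with
# a database and a write-once log that application users cannot modify.
_USERS = {}       # username -> {"salt": bytes, "hash": bytes, "roles": set}
_AUDIT_LOG = []   # append-only list of access events

# Assumption: illustrative scrypt cost parameters; tune to current guidance and hardware.
_SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)


def register_user(username: str, password: str, roles) -> None:
    """Create an individual account: one person, one credential, explicit roles."""
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "hash": _hash_password(password, salt),
                        "roles": set(roles)}


def authenticate(username: str, password: str) -> bool:
    user = _USERS.get(username)
    if user is None:
        # Do the same work for unknown users so response time does not reveal
        # which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def access_phi(username: str, password: str, record_id: str, action: str = "read") -> bool:
    """Release a PHI record only to an authenticated user holding the 'phi' role.

    Every attempt is logged, whether or not it is granted, so reviewers can see
    who touched which record and when.
    """
    granted = authenticate(username, password) and "phi" in _USERS[username]["roles"]
    _AUDIT_LOG.append({"ts": time.time(), "user": username, "record": record_id,
                       "action": action, "granted": granted})
    return granted


def audit_entries(record_id: str):
    """Return the audit trail for one record, oldest first."""
    return [e for e in _AUDIT_LOG if e["record"] == record_id]


if __name__ == "__main__":
    register_user("nurse.alice", "correct horse battery staple", roles={"phi"})
    register_user("web.designer", "hunter2", roles={"content"})
    print(access_phi("nurse.alice", "correct horse battery staple", "appt-1001"))  # True
    print(access_phi("web.designer", "hunter2", "appt-1001"))                      # False
    print(access_phi("nobody", "x", "appt-1001"))                                  # False
    for entry in audit_entries("appt-1001"):
        print(entry["user"], entry["action"], "granted" if entry["granted"] else "denied")
```

The shared mailbox scenario the article describes fails this model on two counts: the credential is not unique to one person, and nothing records who opened a given message. The audit trail itself must also be protected from the users it records; it belongs in storage those accounts can append to but not edit.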
Step #4: Integrity: This means PHI should not be tampered with or altered. Unless the PHI that you transmit and store is cryptographically protected, there is no way to prevent it from being tampered with or to verify whether tampering has occurred. It is up to you to determine if tamper-proofing your PHI is needed and how best to accomplish that. Generally speaking, SSL/TLS protects integrity in transit, and an authenticated encryption mode such as AES-GCM (or a separate message authentication code alongside AES) protects it at rest; encryption alone, without an authentication tag, does not let you detect that stored data was modified.
Step #5: Storage Encryption: Is the PHI being encrypted before being stored or archived? Though it is highly recommended, it is up to your practice to determine if this is needed. If storage encryption is essential, then you need to ensure that all collected and stored PHI is encrypted and can only be accessed by the right personnel with the appropriate keys. This is important to make backups secure and to protect critical data from access by unauthorized people. Storage encryption is especially important in cases where the data may be backed up or stored in locations outside of your control.
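To make the integrity point in Step #4 concrete, and the "appropriate keys" point in Step #5, here is an added example (not code from the article) that seals each stored PHI record with an HMAC-SHA256 tag bound to the record's identifier. Anyone who can edit the stored row but does not hold the integrity key cannot produce a valid tag, so both a changed field and a tag copied onto a different record are detected on read. The record layout, the key-derivation label and the sample appointment data are constructed for this illustration; in a real system the same check is what an AEAD cipher such as AES-GCM performs alongside encryption, and the key would be held in a secrets manager rather than next to the data.

```python
import hashlib
import hmac
import json
import os

# Assumption: the integrity key is derived from a master key that lives outside the
# data store (KMS / secrets manager), so a database user cannot re-sign records.
KEY_LABEL = b"phi-record-integrity-v1"  # constructed purpose label


def derive_integrity_key(master_key: bytes) -> bytes:
    """Derive a purpose-specific key so the master key is not reused for other jobs."""
    return hmac.new(master_key, KEY_LABEL, hashlib.sha256).digest()


def _canonical(record_id: str, fields: dict) -> bytes:
    # Stable serialization: the tag must cover exactly the bytes that are stored,
    # and the record id is included so a tag cannot be moved to another record.
    return json.dumps({"id": record_id, "fields": fields},
                      sort_keys=True, separators=(",", ":")).encode()


def seal_record(key: bytes, record_id: str, fields: dict) -> dict:
    """Return the stored form of a record: its fields plus an HMAC-SHA256 tag."""
    tag = hmac.new(key, _canonical(record_id, fields), hashlib.sha256).hexdigest()
    return {"id": record_id, "fields": fields, "tag": tag}


def verify_record(key: bytes, stored: dict) -> bool:
    """True only if the stored fields and id match the tag under this key."""
    expected = hmac.new(key, _canonical(stored["id"], stored["fields"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored["tag"])


def demo(master_key: bytes = None):
    """Seal a constructed appointment record, then show three read-back outcomes."""
    key = derive_integrity_key(master_key or os.urandom(32))
    stored = seal_record(key, "appt-1001", {"patient": "Jane Doe",
                                            "date": "2024-05-03",
                                            "reason": "follow-up"})
    intact = verify_record(key, stored)
    # Someone with write access to the database edits one field but cannot re-tag it.
    tampered = dict(stored, fields=dict(stored["fields"], date="2024-05-10"))
    # A valid tag copied onto a different record id fails too, since the id is signed.
    reassigned = dict(stored, id="appt-1002")
    return intact, verify_record(key, tampered), verify_record(key, reassigned)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The same separation answers the Step #5 question of who can read the data: if the master key is only released to the application role that legitimately handles PHI, a copy of the database or a backup taken out of your control is unreadable and unmodifiable without it.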
Step #6: Disposal: Can the PHI be permanently disposed of after it is no longer needed? This sounds easy, but you must consider all of the places where the PHI can be backed up and stored. You must ensure that those backups can be permanently deleted. You have to keep in mind that every location where the information is stored could be making backups and saving copies of your data. It is up to you to determine how far you want to go to ensure complete data disposal to be HIPAA-compliant.
Step #7: Business Associate: It is essential to have a HIPAA Business Associate Agreement with every vendor that handles your PHI. If your website or PHI is stored on a vendor’s servers, then you must have a Business Associate Agreement with them. This agreement will ensure that the vendor will follow the HIPAA security requirements concerning your data and servers. Keep in mind that a compliant hosting provider does not by itself make your website HIPAA-compliant: your designers must still take the relevant steps to ensure that its design and functionality are HIPAA-compliant.
As a healthcare practitioner, it is your responsibility to protect patient information from external threats such as theft, hacks and data loss. HIPAA also establishes additional guidelines for the medical community beyond the steps above. If you are handling any patient-related data through your website, it is important to have a HIPAA-compliant website, or you risk violating the HIPAA Security Rule. Even if you are not collecting PHI, you should still consider making your website HIPAA-compliant, because HIPAA-compliant websites are more secure and can prevent hackers from inserting fake forms to collect critical patient data such as Social Security numbers.
If your medical practice does not store or transmit PHI, then having a HIPAA-compliant website is not essential for you. However, we would still advise you to consider conforming to HIPAA regulations because at some point you will be handling PHI through your website.
When it comes to HIPAA-compliant web hosting, we know there are a lot of weeds to be pulled. However, with the right approach and security measures in place, you can focus on providing quality care versus worrying about your compliance and capabilities.
Do you need some help with HIPAA-compliant web hosting? Do you have a question? You can contact one of our healthcare marketing experts for a free consult.