Making Your Site HIPAA Compliant: Does Your Website Pass or Fail?

You are careful with patient information around your office, and take steps to protect it as outlined by HIPAA (the Health Insurance Portability and Accountability Act, which is designed to protect patient information). But is your website as careful as you are?

HIPAA primarily focuses on how patients or potential patients interact with the office, and how their personal information is treated by you and your staff. Now more than ever, a patient’s first point of contact is digital—often through your website. HIPAA speaks to all forms of patient information, including data passed through or housed within your website. When it comes to patient safety, ensuring your website is HIPAA compliant is just as important as locking your office’s front door.

Making your website HIPAA compliant may seem easier said than done, but educating yourself is a good place to start. Once you understand what information to protect and what to look for on your site, you’ll be well on your way to compliance.

Information ABCs: PHI and PII

HIPAA is primarily concerned with protecting PHI, and in the case of your website, ePHI. Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. Electronic protected health information (ePHI) is any protected health information (PHI) that is created, stored, transmitted, or received electronically.

Beyond the strictly medical information about an individual, personally identifiable information should also be treated with care. Personally identifiable information (PII) is any information that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources—think legal name, email address, phone number, etc.

Websites can be common crossing points for both of these types of information. For example, does your website allow your patients to submit any PHI or PII via web forms? If these are not set up correctly, something as simple as a “contact us” form may represent an area of risk. This is why it’s important to take a close look at how you’re treating patient information received digitally and make sure it’s HIPAA compliant.

Website HIPAA Compliance Checklist

HIPAA is a complex law that recommends many items and requires a few, but ultimately every practice has to determine for itself whether it is in compliance. Because there is flexibility in interpretation, consider the following checklist a good starting point for your exploration into HIPAA and whether your website is compliant. Any PHI or PII that your website collects, transmits, or stores should:

  • Be encrypted when it is transmitted online, as well as when stored or archived, if possible.
  • Only be accessed by authorized personnel using monitored, unique access controls.
  • Be available if needed, and securely backed up in case the primary information storage is deleted or corrupted.
  • Have its integrity maintained; not edited or tampered with.
  • Be able to be permanently deleted if needed, from every area of storage or record.
  • Be located on servers that meet HIPAA Security Rule requirements, either in-house or with a company with which you have a HIPAA Business Associate Agreement (BAA).

Again, this checklist isn’t an exhaustive survey of all aspects of HIPAA and medical websites, but it should give you an impression of how your website currently stacks up against HIPAA’s requirements. If you’re unsure whether your website is handling ePHI appropriately in any of the above areas, now might be a good time for either more education on your part or a conversation with your hosting company or the other web support organizations you work with.

One way to make HIPAA compliance easier is to select web vendors who are compliant in the first place. Hosting, design, and integrated services can be sourced from HIPAA-compliant companies, taking much of the guesswork out of the compliance process. That said, you remain ultimately responsible for your patients’ information, so taking the time to understand HIPAA and how it affects your practice is very worthwhile.