As a physician or healthcare provider, we know you are intimately familiar with HIPAA compliance laws. But did you know that your website should also be HIPAA compliant? Why? Well, since your website is an extension of your practice online, and most likely you’re managing protected health information (PHI) through your website, compliance is a must. Let’s dive in and discuss.
What Does It Mean To Have A HIPAA Compliant Website?
To be HIPAA compliant, you have to have the right safeguards in place when transmitting or storing patients' protected health information. This means that whenever you’re handling any sensitive patient data on your website or through your website (even simple interactions like making an appointment), it is imperative that your website be HIPAA compliant.
How Do I Make Sure My Website Is HIPAA Compliant?
Step #1: Your first step to HIPAA compliance is to use SSL (today this means TLS, served over HTTPS), which will protect your website. This ensures that all patient health information passing between the patient's browser and your web server is encrypted in transit. Additionally, you are then able to pass this information on through email, store it on your server, or store it on a third-party server.
Step #2: Your next step is to encrypt all information and data. As an example, if you collect patient information using an online form, then all data must be encrypted whether it is in transit or at rest. There are some great HIPAA email compliance services like Virtru, if you’re looking for a vendor to help.
Step #3: Your third step is to store data on a server that is HIPAA compliant. This step specifically addresses the physical security of the server, how to dispose of information when it’s no longer needed, and so on. For all the specifics, check out this great post about HIPAA compliant hosting.
Once you’ve completed these three initial steps, refer to this checklist:
All information shared must always be encrypted
Back up all patient health information and data
Patient health information needs to be recoverable
Safeguard information so it cannot be tampered with or altered
Information no longer needed must be permanently disposed of
Set up a Business Associate Agreement (BAA) with all vendors or service providers who handle patient health information
What If I Don’t Handle Protected Health Information (PHI) For Patients?
If your organization does not store or transmit PHI, then having a HIPAA compliant website is not a necessity for you. However, we would still caution you to consider complying with HIPAA regulations because chances are at some point you will handle PHI through your website.
When it comes to HIPAA website compliance we know there’s a lot of “in the weeds” work to be done. But, with the right technology and security measures in place, you can focus on providing quality patient care versus worrying about your online compliance and capabilities.
Roman has been helping clients develop and implement revenue enhancing inbound marketing strategies since 2009. Prior to becoming an inbound marketer, Roman was a management consultant with Ernst & Young, Booz Allen Hamilton, BearingPoint, and KPMG. Roman's relentless focus on client satisfaction and client results has garnered accolades from many clients and teams.