Most businesses today have a website. A website is a useful tool to educate prospective customers about your services and help to make contact with them. Websites allow your business to be found by those searching for your services. Medical practices are no different. They need websites to help patients find them and also to provide patients with necessary information. But what separates physicians from other small businesses are HIPAA regulations. Having a HIPAA complaint website is very different from a website for a plumber. HIPAA regulations are designed to protect patient data from unauthorized disclosures and they also apply to websites. We will discuss what needs to be done to ensure your practice has a HIPAA compliant website.
Quick HIPAA Overview
HIPAA (Health Insurance Portability and Accountability Act) is a set of US federal regulations that controls access and disclose of Protected Health information (PHI) by Covered Entities (CE) and Business Associates (BA). This means that both CEs and BAs who handle PHI must be HIPAA compliant. Examples of PHI include patient names, addresses, contact information such as phone numbers and email addresses, diagnosis, medical history, medications, and other types of information. This information must be kept private and secure.
Do I need a HIPAA compliant website?
Now that we know what being HIPAA compliant means, let’s see how that relates to a website. Not all websites need to be HIPAA compliant, even some of those for physicians.
For a site to be under HIPAA regulations, it needs to meet one of the following requirements:
- Does your site collect PHI in any form on the site?
- Do you send PHI from your website to other locations online such as insurance companies, hospitals, vendors?
- Does your website store PHI on the site itself?
- Does your website handle patient communications through it such as email or messages?
If you answered yes to any of the above questions, your website must be HIPAA compliant.
Some physician websites don’t need to be compliant when they are simply a page for patient information. If the site is used to give patients information about the practice or the physician, services, and location, HIPAA regulations wouldn’t apply.
How do you make a HIPAA compliant website?
If your site handles PHI, then it needs to be compliant. The first step is to understand how it handles the data. If you collect PHI on your site, be sure to use a secure form that uses SSL encryption to secure the data from the patient’s computer to your website. This is called transport encryption. It means that as the PHI moves from the patient’s computer to your website, it is encrypted and secure so that no one can eavesdrop on it along the way.
Once the data reaches your site, it will be stored there in some format. This usually means being saved in a database. The database must use encryption as well. This secures the data that is stored on the site. This is called protecting data at rest, data that is stored and not moving.
Communications on your website are also included. The email messages must be encrypted end to end. Usually this achieved with SSL encryption but if the message leaves your website, you will need to use a secure email service. Google Gmail is not a secure email service.
If your site uses a link to an EMR vendor’s patient portal, make sure the link uses SSL. You can see that is does if the link begins with https rather than just http. This will ensure that the patient information is encrypted all the way to the EMR vendor’s website. This will lower the liability you have collecting the PHI on your site. However, be sure that you have a Business Associate Agreement (BAA) with your EMR vendor (see below).
Be aware of posting pictures or testimonials of patients
Practices often take pictures of patients. This is especially true of pediatricians, OBGYNs, and plastic surgeons. Do not post these pictures anywhere online without first getting a HIPAA complaint patient authorization. This includes testimonials as well. A patient supplied testimonial isn’t an authorization to post the information online. That requires written authorization.
What can happen if my website isn’t HIPAA compliant?
Violations of HIPAA regulations result in investigations and ultimately, fines. Complete P.T., Pool & Land Physical Therapy, Inc. found out the hard way when they were required to pay a $25,000 fine to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). In 2012, OCR received a compliant that Complete P.T. had disclosed the PHI of numerous patients without permission or in violations of HIPAA regulations. Complete P.T. had posted patient testimonials on its website including patient names and full face photographs. They did this without first obtaining HIPAA compliant authorizations from the patients. Posting this information confirms that the patients are patients of that practice which is a disclosure of PHI.
The disclosure was certainly not intentional but the regulations are clear. A complaint generated the OCR investigation and in the end, cost the practice $25,000.
Make sure you get a Business Associate Agreement (BAA) for any company that hosts your PHI. The company that you use to host your website has indirect access to patient data. Because of that, they will need need to sign a BAA with your practice. If they don’t, then both your practice and their company are not HIPAA compliant. If your hosting company won’t’ sign a BAA, its time to look for a new hosting company. Often vendors will say they aren’t actually touching the PHI or don’t have access. But that isn’t how the regulations work. The data is on their server at some point and must be protected.
One more point you will want to consider is to post your Notice of Privacy Practices (NPP) on your website. This gives your patients all of the required information they need concerning your practice’s HIPAA policies.
Having a HIPAA compliant website isn’t difficult but it does require planning to ensure that you follow the HIPAA regulations. This should give you a good start on what it takes to make sure you don’t fall on the wrong side of the law and protect your patient’s data.
If your practice’s website receives PHI from patients or other sources, then it must be HIPAA compliant.
Use SSL encryption to protect all PHI that comes or goes to your website.
Use database encryption for all PHI that is stored on your website.
Make sure you have a BAA with your website hosting company.
If you post patient testimonials or pictures, make sure you have a HIPAA compliant release signed by the patient in advance before posting.