The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, requires all companies that interact with patient data to keep it secure and private. As our lives increasingly move online, this means a HIPAA compliant website is more important than ever. Here’s what you need to know.
What are the basics of making a HIPAA compliant website?
A HIPAA compliant website starts with an understanding of what compliance actually is. Anyone who comes into contact with protected health information (PHI) – from medical records to a patient’s home address – must safeguard the privacy of that information and follow rules for its use and disclosure. These rules apply to anyone who has contact with patient information, including healthcare providers, administrative personnel, bill collections, and even the maintenance team. Essentially, anyone who comes in contact with the patient, from the doctors to the cleaning staff.
Compliance dictates that procedures are set in place that protect sensitive information and keep it confidential. When it comes to websites, this generally applies to the security of the information as it is stored online as well as the processes and procedures that are used to access it, both from a patient perspective and for a healthcare professional’s use. For example, in many states, parental access to their children’s online medical record begins to be restricted after the child turns 16. A HIPPA compliant website must be able to change the amount of access for a parent on the child’s 16th birthday.
From webhosting to data entry protocols and passwords, a HIPAA compliant website protects everyone involved in a patient’s care. If you are collecting, storing, or transmitting any protected health information, then HIPAA compliance rules apply to you and your website.
WHAT DO I NEED TO DO TO MAKE A HIPAA COMPLIANT WEBSITE?
The Security Rule of HIPAA clearly lays out the requirements for secure electronic storage and transmission of sensitive patient data. While moving patient information online has made for more efficient and mobile administration of healthcare, it has also increased the security risks faced by medical professionals.
Here are seven tasks to ensure you have a HIPAA compliant website. Of course, this is only the beginning of what you must know and your final needs may depend on what type of information you handle and other factors. Always feel free to reach out to our team at Boost for more information.
1. START WITH HIPAA COMPLIANT WEB HOSTING
Your web host is the first line of defense against compromised patient information. Ask your current host if they have HIPAA compliant practices in place. If they don’t, time to find another host. HIPAA website hosting is a crucial first line of defense for PHI.
Regular scans and updates can help prevent the compromise of sensitive information. And if security issues arise? Your web host has 48 hours to resolve it, according to HIPAA guidelines.
2. MAKE SURE YOU HAVE AN SSL CERTIFICATE FOR YOUR WEBSITE
An SSL certificate creates a secure connection between your website and its server. Think of it this way: if you seal a plastic bag with liquid in it but the seal isn’t tight, the liquid will leak. An SSL certificate helps prevent security leaks.
3. ENCRYPT AND SECURE ALL WEB FORMS
If patients can use contact forms, chatbots, or appointment services through your site, make sure they are encrypted and secure.
4. INSIST ON A BUSINESS ASSOCIATE CONTRACT
A business associate contract requires that third-party businesses are HIPAA compliant in their practices, as well.
This means that a bill collector going after delinquent payments must follow the same rules regarding protected health information as the nurse who takes a patient’s blood pressure.
5. RESTRICT ACCESS TO PHI
Not everyone in the office needs access to PHI, and the same goes for online access.
As the example above noted, as children get older parents may have less access to their children’s records. Although this can be challenging and frustrating for parents, it is the law in many states.
6. DEVELOP AND IMPLEMENT SYSTEMS FOR ACCEPTING, STORING, TRANSMITTING, AND DELETING PHI
If your office does not have systems for handling PHI, take the time to develop them and make them the standard moving forward.
If physician’s assistants are collecting PHI on unsecured tablets and leaving them in the office, this is a potential violation. There are many different ways to handle PHI. The key is to find a HIPAA compliant system that works for you and your staff.
7. PROVIDE HIPAA COMPLIANCE TRAINING TO EVERYONE WITH ACCESS
HIPPA compliance training is essential. You cannot expect your employees to understand and follow all aspects of the sometimes-complicated Privacy Rules of HIPAA without appropriate training. Remember the systems you put in place in task #6? Make sure all employees know and understand how to carry them out.
This training should also include the basics of protecting passwords and how to handle patient complaints. HIPAA rules dictate that training occurs “periodically,” so offer annual refreshers for all staff.
YOUR HIPAA COMPLIANT WEBSITE CHECKLIST
If you know that your website is out of compliance, there are steps you can take today to secure your patients’ protected health information. It takes just one patient complaint, one violation of HIPAA, to trigger an investigation.
Here is a HIPAA compliant website checklist to make it easy for you to get started. Again, your needs may go beyond what’s given here.
- Ask yourself these questions: How do healthcare providers and administrative personnel gather information? Where is it stored? How do they transmit information such as appointment reminders and test results?
- Check with your web host about their HIPAA compliant practices
- Purchase an SSL certificate for your entire website (all pages)
- Check encryption of web forms (e.g., contact forms, chatbots, email)
- Enact business associate contracts with all third-party service providers
- Evaluate who has access to PHI and adjust as needed
- Train employees in proper handling of PHI
A HIPAA compliant website is an important focus for any business in the healthcare industry. You can take steps today to protect your patients and their information.
At EGO, we offer HIPAA compliant web hosting and website design that keeps your patients’ information safe and secure. Get in touch today for more information.
