The healthcare industry has a strong online presence — you can see medical websites of various types and scopes. Our web development team once shared a collection of great healthcare websites built with Drupal.
Today, we would like to discuss one industry-specific requirement that medical sites need to observe. Let’s dig deeper into what a HIPAA compliant website is, which websites need this compliance, what happens if they do not observe it, and how to achieve it.
What is a HIPAA compliant website?
A HIPAA compliant website is one that abides by the Health Insurance Portability and Accountability Act (HIPAA). This is a federal law that protects patients’ information. It was created by the U.S. Department of Health and Human Services. HIPAA compliance rests on two basic rules:
- the Privacy Rule, which protects private information
- the Security Rule, which encourages data safety measures
Why Medical Websites Need to be HIPAA Compliant
First, you need a HIPAA compliant website because you certainly don’t want to ruin your credibility and reputation by letting your patients’ data be disclosed. This is crucial in the healthcare industry and will certainly translate into business losses.
Even the smallest HIPAA compliance breaches are listed on the so-called “wall of shame” maintained by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services. The list includes the name of the healthcare provider, the type of breach, and the number of patients affected by it.
It’s more than a shame — there are penalties for the absence of HIPAA compliance. Depending on the level of the breach, they range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year. Criminal charges, including jail time, are even possible.
Healthcare websites are different: does my website need to be HIPAA compliant?
All the above does not mean you have to be scared away from starting a healthcare website. First, all the requirements can be met to achieve full compliance; second, they do not apply to all medical websites.
The need to be HIPAA compliant depends on the type of your users’ interaction with your healthcare website:
- If your site handles any sensitive patient data, including simple interactions like online appointment booking, you will need HIPAA compliance.
- Conversely, if your website is just something like a medical blog, HIPAA compliance may not be necessary.
To be more exact, the key thing in deciding whether your medical website needs HIPAA compliance is whether it deals with (collects, stores, or transmits) the so-called e-PHI.
What is e-PHI?
E-PHI, or Electronic Protected Health Information, is defined as individually identifiable health information. E-PHI is often called just PHI. Examples include patients’ names, phone numbers, addresses, dates of birth, social security numbers, payment information, test results, medical records, photographic images, X-rays, MRIs, and so on. Here are some of the ways your website may deal with PHI:
- collecting PHI via contact forms, live chats, testimonials, and so on
- storing PHI on the server
- transmitting PHI via email, web forms, or other digital messaging
How to Make a HIPAA Compliant Website
Here is a HIPAA compliant website checklist that contains the key things needed to make a website HIPAA compliant.
HTTPS
The goal of having a HIPAA compliant website is yet another reason to switch to HTTPS if you haven’t yet. However, this step is important for all kinds of websites today, regardless of HIPAA. Websites whose URLs begin with https:// use an SSL/TLS certificate to encrypt the data exchanged between a user’s browser and the website’s server. The presence or absence of it is easy to notice, and more and more users are aware that it may be unsafe to entrust their data to a website without it.
Data backups
As part of HIPAA compliance, your patients’ data needs to be recoverable in case it gets compromised. To achieve this, you will also need to back up the data collected by your website. This protects you from complete data loss.
Transmitted data encryption
To provide HIPAA compliance for your healthcare website, use additional data encryption services for all your web forms that collect or transmit your patients’ data. This specific data encryption is needed alongside using HTTPS.
Stored data encryption
In addition to encrypting transmitted data, you will need to encrypt the data stored on your website’s hosting server and in every backup location. The server that hosts your website has to meet the HIPAA requirements, and you will need a Business Associate Agreement (BAA) with the hosting provider.
Restricted access
Only authorized persons should be able to access the PHI data on a HIPAA compliant website. To achieve this, you will need different levels of user access for your staff. Authentication with an email address alone will not be enough — you will need multi-factor authentication with additional verification steps (security questions, SMS codes, and more). Automatic logout after a period of inactivity adds further safety.
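The three controls named in this step (per-role access levels, a completed second factor before any PHI is touched, and automatic logout after inactivity) fit naturally into one server-side check that runs before every PHI operation. The block below is an added example written for this article, not code from the original post or from any Drupal module; the role names, their permissions and the 15-minute inactivity limit are assumed policy values, and the clock is injectable so the logout behaviour can be exercised without waiting.

```python
"""Role-based access to PHI with mandatory MFA and inactivity auto-logout.

Added example, not code from the original article or from Drupal. The role
names, permissions and the 15-minute inactivity limit are assumed policy values.
"""
import time
from dataclasses import dataclass

# Assumed policy: log a user out automatically after 15 minutes without activity.
INACTIVITY_LIMIT_SECONDS = 15 * 60

# Assumed role-to-permission mapping (constructed for this example). Each staff
# role gets only the PHI operations it needs, i.e. least privilege.
ROLE_PERMISSIONS = {
    "receptionist": {"appointments:read"},
    "nurse": {"appointments:read", "records:read"},
    "physician": {"appointments:read", "records:read", "records:write"},
}


class AccessDenied(Exception):
    """Raised when a request must not touch PHI; the message is for the audit log."""


@dataclass
class Session:
    user: str
    role: str
    mfa_completed: bool   # True only after the second factor was verified
    last_activity: float  # clock reading of the last authorized request


class SessionManager:
    """Tracks logged-in staff sessions and authorizes each PHI operation."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so tests can advance time
        self._sessions = {}      # session token -> Session

    def login(self, token, user, role, mfa_completed):
        if role not in ROLE_PERMISSIONS:
            raise AccessDenied(f"unknown role {role!r}")
        self._sessions[token] = Session(user, role, mfa_completed, self._clock())

    def is_active(self, token):
        return token in self._sessions

    def authorize(self, token, action):
        """Return the session if `action` is allowed right now, otherwise raise.

        The order of checks matters: an expired session is removed before
        anything else is examined, so a stale token can never reach PHI.
        """
        session = self._sessions.get(token)
        if session is None:
            raise AccessDenied("no such session")
        now = self._clock()
        if now - session.last_activity > INACTIVITY_LIMIT_SECONDS:
            del self._sessions[token]   # automated logout on inactivity
            raise AccessDenied("session expired after inactivity")
        if not session.mfa_completed:
            raise AccessDenied("multi-factor authentication not completed")
        if action not in ROLE_PERMISSIONS[session.role]:
            raise AccessDenied(f"role {session.role!r} may not {action}")
        session.last_activity = now     # activity resets the inactivity timer
        return session


def check(manager, token, action):
    """Convenience wrapper: (True, "ok") if allowed, (False, reason) otherwise."""
    try:
        manager.authorize(token, action)
        return True, "ok"
    except AccessDenied as exc:
        return False, str(exc)


if __name__ == "__main__":
    clock = [0.0]                        # constructed fake clock, in seconds
    manager = SessionManager(clock=lambda: clock[0])
    manager.login("tok-nurse", "n.jones", "nurse", mfa_completed=True)
    manager.login("tok-doc", "d.smith", "physician", mfa_completed=False)
    print(check(manager, "tok-nurse", "records:read"))   # allowed
    print(check(manager, "tok-nurse", "records:write"))  # role lacks permission
    print(check(manager, "tok-doc", "records:write"))    # MFA not completed
    clock[0] = 16 * 60                                   # 16 minutes later
    print(check(manager, "tok-nurse", "records:read"))   # auto-logged out
```

The denial reasons are deliberately distinct so that a monitoring rule can tell a permissions mistake apart from an attempt to reuse a stale or half-authenticated session; the check fails closed in every branch, and a successful request is the only thing that extends a session’s life.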
Timely deletion of information
For HIPAA compliance, patient data that is no longer needed should be permanently deleted from your server and database. Make sure you can remove it completely at any time a customer requests it.
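Deleting "completely" means reaching every copy, including the backups mentioned earlier in this checklist, and keeping a record of the deletion that does not itself retain the patient’s identity. The block below is an added example written for this article, not code from the original post or from any Drupal module: the in-memory store, the two backup sets and the 30-day retention period are constructed stand-ins for a real database and its backup locations.

```python
"""Permanent deletion of PHI on patient request, across the live store and backups.

Added example, not code from the original article or from Drupal. The in-memory
store, the two backup sets and the retention period are constructed stand-ins for
a real database and its backup locations.
"""
import hashlib
from datetime import date, timedelta


def patient_ref(patient_id):
    """Opaque reference for audit entries so the log itself holds no PHI."""
    return hashlib.sha256(patient_id.encode("utf-8")).hexdigest()[:16]


class PhiStore:
    """Live records plus every backup copy; deletion must reach all of them."""

    def __init__(self, retention_days=30):
        self.records = {}          # patient_id -> record dict (the live database)
        self.backups = [{}, {}]    # e.g. daily and weekly backup sets (assumed)
        self.audit_log = []        # who deleted what, when, and why
        self.retention = timedelta(days=retention_days)   # assumed policy value

    def store(self, patient_id, record, last_used):
        record = dict(record, last_used=last_used)
        self.records[patient_id] = record
        for backup in self.backups:    # simulate the copies a backup job makes
            backup[patient_id] = dict(record)

    def _erase(self, patient_id, reason, actor, when):
        """Remove every copy and log the action without storing the identity."""
        existed = patient_id in self.records
        self.records.pop(patient_id, None)
        for backup in self.backups:
            backup.pop(patient_id, None)
        self.audit_log.append({
            "event": "phi_deleted", "patient_ref": patient_ref(patient_id),
            "reason": reason, "actor": actor, "date": when.isoformat(),
        })
        return existed

    def delete_on_request(self, patient_id, actor, today):
        """Honour a patient's deletion request immediately, regardless of
        whether the record is still inside its retention period."""
        return self._erase(patient_id, "patient_request", actor, today)

    def purge_expired(self, today, actor="retention-job"):
        """Delete records whose last use is older than the retention period.
        Returns the number of records removed."""
        expired = [pid for pid, rec in self.records.items()
                   if today - rec["last_used"] > self.retention]
        for pid in expired:
            self._erase(pid, "retention_expired", actor, today)
        return len(expired)

    def copies_remaining(self, patient_id):
        """Verification step: count every place the record still exists."""
        return (patient_id in self.records) + sum(patient_id in b for b in self.backups)


if __name__ == "__main__":
    store = PhiStore(retention_days=30)
    today = date(2024, 6, 1)       # constructed sample date
    store.store("P-1001", {"name": "Sample Patient", "dob": "1980-01-01"}, date(2024, 5, 20))
    store.store("P-1002", {"name": "Other Patient", "dob": "1975-03-03"}, date(2024, 1, 5))
    print(store.copies_remaining("P-1001"))        # 3: live record plus two backups
    store.delete_on_request("P-1001", actor="privacy-officer", today=today)
    print(store.copies_remaining("P-1001"))        # 0
    print(store.purge_expired(today))              # 1: P-1002 is past retention
    print(store.audit_log)
```

Two design points carry over to a real deployment: `copies_remaining` is the check a privacy officer can run after a deletion request to prove nothing was missed, and the audit entry stores only a hash-derived reference, so the evidence that a deletion happened does not quietly become a new copy of the PHI you just removed.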
Make your healthcare website HIPAA compliant
The best news is that you can keep calm and rely on professionals when it comes to providing HIPAA compliance for your healthcare website.
- Our web development team has experience creating great medical websites, so we can build you a HIPAA compliant website from scratch.
- We also specialize in all kinds of website optimization, including making them compliant with all possible standards, so show us your healthcare website and we will make sure it abides by HIPAA.
Contact us for a HIPAA compliant healthcare website today!