Ron Halversen, vice-president of sales and marketing at Clarity Ventures, discusses the basics of getting a HIPAA compliant website.

RON HALVERSEN: Hi. Ron from Clarity. The purpose of this video is to help explain to you what is required to build a HIPAA compliant website. For more than 15 years, Clarity's built over 1,300 websites with our largest single vertical being medical portals.


These are just some of the portals that I use in my demos. Medical portals can be anything from a simple doctor or hospital's website, patient portal, an e-pharmacy, treatment, therapy applications, mobile health apps, and much more. The big question our customers always have is, "When does it have to be HIPAA compliant, and what does that mean in terms of money and time?" Let's dive in and talk about that.


There are four compliance rules to HIPAA. First off, let's be clear about a few things. There is no such thing as HIPAA certification. There is a governing board that has defined the HIPAA compliance rules or guidelines, and if or when a violation takes place, has the authority to audit you and assess a penalty.

The four rules are, one, HIPAA privacy, which means implementing rules and safeguards to protect the privacy of patient health information or PHI. The privacy rule applies to computer information about patients, conversations between doctors and medical staff, billing information, medical charts, and prescription information.

Second is HIPAA security, which limits the sharing of confidential data to authorized stakeholders who directly help patients in some way. The HIPAA security rule has three components: technical safeguards or securing the data, administrative safeguards, and physical safeguards, such as how or where the data is stored. All of your information, including that found in your HIPAA-compliant billing software, must contain this security.

The third is HIPAA enforcement, ensuring that business associates or partners also safeguard PHI and share information only in the patient's best interests. The HIPAA enforcement rule mostly concerns penalties and investigations when companies are found to be non-compliant.

The last rule applies when a PHI data breach takes place and applies to the HIPAA breach notification guidelines. Breaches occur when unauthorized people gain access to protected health information in some manner that's not permitted under the HIPAA privacy rule. These breaches include unauthorized access to physical areas, inadvertent disclosures, stolen or misplaced documents, and digital hacks.


Because so many organizations do not have the knowledge of how to approach the technical side or security for HIPAA compliant websites, it is important to choose a company that has experience in integrating and implementing procedures that will keep this information safe.

When it comes to developing a HIPAA strategy or a requirements list for a website, to help make it a little easier to understand, we classify them into one of three tiers, each being more complex and taking longer to develop.


HIPAA Tier I. Most clients have had their websites for a while and they are not HIPAA compliant. When they call to ask for it to become HIPAA compliant, that would typically mean standing up a new encrypted and compliant site and doing a full migration of data and functionality to the new website. Many times, this is cost-prohibitive, and they really don't need a full HIPAA compliant website. They only need a HIPAA compliant onboarding form or forms on their site. When you fill out a form and submit it, the data that is on the screen before being transmitted to the recipient may or may not be secure. This is often referred to as data in transit.

By applying an SSL certificate, it encrypts the data on the screen and protects it in transit, so you're not storing the data in the website's HIPAA-compliant database or file structure. You can simply customize the form to not store the PHI data on the site and have the form data emailed directly to a HIPAA compliant mailbox, and you're good. Simple, easy HIPAA compliance by working around the HIPAA requirements, and it all costs a few hundred bucks when implemented by HIPAA experts.


HIPAA Tier II. The next tier is where, taking our forms example above, we opt to store the PHI data from the form in the website's database. The data is then referred to as at rest and must be encrypted and secured. This is where 80% of the sites that end up needing to be HIPAA land. This is common for our online pharmacies, treatment portals, and more. With these sites, you need the SSL to secure and encrypt the data on the screen and a fully HIPAA-compliant hosting environment, which includes an encrypted database and file store. Adding Tier II HIPAA to a website typically runs a few thousand dollars and a HIPAA-compliant hosting environment, which runs between $100 and $400 a month.


HIPAA Tier III. The final tier is where full HIPAA guidelines are needed. This is most commonly used for doctor-patient portals. The main difference with Tier III is the ability to edit PHI data. For example, a doctor could mark a patient as being diagnosed with type 1 diabetes, then change it later back to type 2, and then if the person died of complications from diabetes, an insurance company could audit the doctor's office, and with Tier III, there would be an encrypted user log that shows that Dr. Bob diagnosed the patient on X date with type I, but then changed it later to type II on Y date and time.


Now that you understand the three tiers, if you needed an online HIPAA eCommerce site, it would typically only need to be Tier II since we're taking orders for medication, et cetera, but not editing PHI data about the purchaser, patient, or diagnosis. There are also fewer restrictions as you may be a healthcare worker ordering prescriptions for someone else, so the prescriptions may not even be tied to the purchaser.

That's a little about HIPAA compliant website development. Hope that helps. And just click here if you need a HIPAA compliant portal. On the of that page, there's a HIPAA resource section with links to many other HIPAA and compliance articles. Thanks for watching.
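The Tier III user log described above, as an added illustration that is not part of the video or of Clarity's own software: an append-only audit trail for PHI edits in which each entry records the actor, the field, the old and new values and the timestamp, and is hash-chained to the previous entry so that an altered or deleted edit is detectable. Patient IDs, dates and the `PhiAuditLog` class are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


class PhiAuditLog:
    """Append-only, hash-chained log of changes to PHI fields (constructed example)."""

    GENESIS = "0" * 64  # placeholder 'previous hash' for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same content always hashes the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, patient_id, field, old, new, when=None):
        """Append one edit; the entry's hash covers its content and the previous hash."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"actor": actor, "patient_id": patient_id, "field": field,
                "old": old, "new": new, "at": when, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def history(self, patient_id, field):
        """Who changed a given PHI field, from what to what, and when."""
        return [(e["at"], e["actor"], e["old"], e["new"]) for e in self.entries
                if e["patient_id"] == patient_id and e["field"] == field]


def demo():
    # Constructed sample: the diagnosis edits from the video, with made-up dates.
    log = PhiAuditLog()
    log.record("Dr. Bob", "P-001", "diagnosis", None, "type 1 diabetes", "2024-01-05T09:00:00+00:00")
    log.record("Dr. Bob", "P-001", "diagnosis", "type 1 diabetes", "type 2 diabetes", "2024-02-10T14:30:00+00:00")
    return log
```

Encrypting the stored log (as the video calls for) is a separate step on top of this; the chain only makes tampering visible, it does not hide the contents.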