WooCommerce and HIPAA Privacy Rule

What you Need to Know About HIPAA Privacy Rule

Applying the HIPAA Privacy Rule to WooCommerce

Having a website is crucial for a business engaging in almost any sort of activity. Being able to advertise products and services, meet clients, attract potential customers, create a personalized shopping experience, and close successful transactions is the new way of commerce. This does not only apply to businesses selling clothes, appliances, travel packages, or other “everyday” commodities; it also applies to healthcare. Booking appointments online, and ordering treatments and health-related services online, has grown substantially in recent years.


A main concern with healthcare, especially in the online era, is the privacy of the individually identifiable health information that patients and customers submit online in order to personalize their treatment or service. There are governmental bodies and regulations which oversee the protection of personal information, such as the OCR of HHS (Office for Civil Rights, part of the Department of Health and Human Services), and HIPAA (Health Insurance Portability and Accountability Act). HIPAA has put several rules in place to safeguard protected health information (PHI, or ePHI when the information is in electronic form), the two most important of them being the HIPAA Privacy and Security rules. In this article, we will elaborate on the importance of the Privacy rule, and how it applies to healthcare-related eCommerce.


What is the Purpose of the Privacy Rule?

In order to obtain health-related services, such as treatment services or products, insurance, appointments, or anything else, users have to supply personal information through registration forms or questionnaires. If leaked, this information could be used to identify an individual, so to prevent that it should be protected and kept confidential. The HIPAA Privacy rule, also known as the “Standards for Privacy of Individually Identifiable Health Information”, assists with ePHI protection and confidentiality, while still allowing information to flow when needed. Like the other HIPAA rules, the Privacy rule does not only apply to the business entities offering direct services, but also to their business associates.

Information Covered by the Privacy Rule and Possible Dangers


The information covered by the HIPAA Privacy rule is any information that can be used to identify someone, such as demographic details, social security numbers, credit card information, health-related information (hospital admissions and discharges, health conditions), and handwriting samples, among others. The Privacy rule covers all formats of relevant information, whether submitted online through forms, videos, or photos, or given over the telephone. Part of the ePHI protection governed by HIPAA, and by the Privacy rule in particular, is that patients are allowed to access their ePHI and amend or modify it as necessary. Businesses have to be HIPAA compliant, which in essence means protecting the confidentiality of their customers and patients by protecting their ePHI. This is done by limiting access to ePHI to authorized people, encrypting ePHI, and implementing the other physical, administrative, and technical safeguards stated in the HIPAA Security rule.

HIPAA compliance requirements, especially with regard to the Privacy rule, can be compromised by internal or external threats, such as unauthorized smartphone photographs of ePHI, ePHI leaks through cyber-attacks, or stolen portable devices (phones, laptops) on which ePHI is stored. All these cases of Privacy rule breach are covered in detail by the HIPAA Security rule.

Minimum Necessities Within the Privacy Rule

This standard within the HIPAA Privacy rule defines which parts of (e)PHI may be disclosed, and how, when disclosure is necessary. Other than for treatment, payment, or healthcare operations, ePHI can only be disclosed without the patient’s authorization if the law requires it, if the information will be useful to the patient (or potentially the public), or if the ePHI is disclosed between entities or associates that are both covered by HIPAA. Even in these cases, complete access to ePHI is not encouraged: the information accessed should be kept to the minimum necessary.

Application of HIPAA Privacy Rule in eCommerce

Having explained the HIPAA Privacy rule and ePHI, the next logical question is whether the information we submit online for eCommerce purposes is safe. There are several well-known platforms for eCommerce, which can also be used to host HIPAA eCommerce platforms. One of them is WordPress, with WooCommerce handling the eCommerce part of an online platform. In order for businesses who run eCommerce platforms on WordPress using WooCommerce to be compliant with HIPAA regulations, they, as well as their business associates, need to follow the guidelines. Unfortunately, as it stands, WooCommerce, and therefore WordPress as used with it, is not HIPAA compliant, which means that health-related eCommerce platforms hosted there can be open to unauthorized ePHI exposure.

How Can WordPress and WooCommerce Comply with HIPAA Privacy Rule?

Clarity Ventures HIPAA Compliance Experts

The first step is to recognize where the problem lies. The problem with HIPAA eCommerce platforms hosted on WordPress is that ePHI might not be sufficiently protected from unauthorized access. The aim of the HIPAA Privacy and Security rules is to protect ePHI from exposure or misuse, and it is the responsibility of the business to comply with them and protect the ePHI and identity of its clients.

In order for a health-related eCommerce platform hosted on WordPress to meet HIPAA compliance requirements, a thorough risk assessment should take place to identify the main issues. Besides the risk assessment, unauthorized access and use in any format (physical or online) should be prevented. Another key point in ensuring that WooCommerce complies with the HIPAA Privacy rule, and HIPAA in general, is to avoid storing ePHI within the WooCommerce environment at all. A WooCommerce ERP integration can help here. An ERP integration, in essence the use of an Enterprise Resource Planning system to bypass WooCommerce and store ePHI elsewhere, makes it possible to use WordPress and WooCommerce without potential and existing customers noticing any difference in the layout of their trusted eCommerce platform, allowing for an overall seamless and HIPAA-compliant operation.
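As an added illustration of the "keep ePHI out of WooCommerce" pattern described above (example code written for this article, not Clarity Ventures' own integration or WooCommerce core code), the snippet below hooks order creation, forwards a checkout field that carries ePHI to an external, HIPAA-covered record store, and persists only an opaque reference in the WooCommerce order. The field name `clinical_notes`, the `EPHI_VAULT_URL` endpoint, the `EPHI_VAULT_TOKEN` secret and the `{"reference": "..."}` response shape are all assumptions; only the WordPress and WooCommerce functions and hooks are real.

```php
<?php
/**
 * Added example (not Clarity Ventures' or WooCommerce's code): keep a checkout
 * field containing ePHI out of the WooCommerce database by sending it to an
 * external HIPAA-covered system and storing only an opaque reference locally.
 *
 * Assumptions (not from the original article):
 *  - a checkout field `clinical_notes` is rendered by this plugin (below);
 *  - EPHI_VAULT_URL / EPHI_VAULT_TOKEN point at the ERP or record store,
 *    reached over TLS; both values here are placeholders;
 *  - the external service answers with JSON of the form {"reference": "..."}.
 */

defined( 'ABSPATH' ) || exit;

define( 'EPHI_VAULT_URL',   'https://ephi-vault.example.invalid/records' ); // placeholder
define( 'EPHI_VAULT_TOKEN', 'REPLACE_WITH_SECRET_FROM_WP_CONFIG' );          // placeholder

// Render the field on the checkout page, after the order notes.
add_action( 'woocommerce_after_order_notes', function ( $checkout ) {
    woocommerce_form_field( 'clinical_notes', array(
        'type'     => 'textarea',
        'label'    => 'Clinical notes (sent to your care provider, not stored in this shop)',
        'required' => false,
    ), $checkout->get_value( 'clinical_notes' ) );
} );

// Fires while the order object is being built, before it is saved to the database.
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
    if ( empty( $_POST['clinical_notes'] ) ) {
        return;
    }
    // WooCommerce has already verified the checkout nonce; sanitise the value.
    $notes = sanitize_textarea_field( wp_unslash( $_POST['clinical_notes'] ) );

    $response = wp_remote_post( EPHI_VAULT_URL, array(
        'timeout' => 10,
        'headers' => array(
            'Authorization' => 'Bearer ' . EPHI_VAULT_TOKEN,
            'Content-Type'  => 'application/json',
        ),
        // The order key correlates the record with the shop order without
        // putting demographic details into the payload.
        'body' => wp_json_encode( array(
            'order_key' => $order->get_order_key(),
            'notes'     => $notes,
        ) ),
    ) );

    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        // Fail closed: never fall back to saving the notes as order meta.
        error_log( 'ePHI store unavailable; clinical notes not persisted.' ); // no PHI in the log
        return;
    }

    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! empty( $body['reference'] ) ) {
        // Only an opaque reference reaches the WooCommerce order tables.
        $order->update_meta_data( '_ephi_reference', sanitize_text_field( $body['reference'] ) );
    }
    // $notes goes out of scope here and is never written to WordPress.
}, 10, 2 );
```

The design choice worth noting is the fail-closed branch: if the external store is unreachable, the notes are dropped rather than saved in WooCommerce as a fallback, so an outage never turns the shop database into an unplanned ePHI repository. Staff who need the notes later retrieve them from the ERP using the stored reference, which keeps the "minimum necessary" principle intact on the WordPress side.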