HIPAA Compliance and eCommerce: What You Need to Do to Stay Secure Five ways to protect your clients’ protected health information on your eCommerce site No matter what platform you're using—whether you need Magento, DNN, or WordPress HIPAA integration—protecting your clients’ PHI (protected health information) is difficult enough when you are a brick-and-mortar-based business. But when you add eCommerce to the mix, it gets even more complicated. You not only have to set up your website to meet HIPAA requirements, you also need to make your site easy to search, navigate and buy from. Below are just some of the unique issues that you face when running an eCommerce site that needs to be in HIPAA compliance. Sanitizing Your Sensitive Data To help keep information safe and secure on your eCommerce site, data needs to be sanitized. If you are transferring or disposing of data, the hard drive or cloud where it was stored needs to be wiped clean so nobody is able to access the sensitive information that used to be stored there. Limiting Access to Sensitive Information When an eCommerce site handles sensitive information, you need to limit who is able to access that information. Depending on their role, an employee would only have access to data that is necessary to help them perform their duties. Clients’ access to data should, at the most, be scoped to only their personal information. Limiting the number of people who are able to access sensitive data helps keep it secure and private. Logging Access and Changes to Data Employees and customers should only be able to view personal or sensitive information after they have been authenticated, preferably through a login process. Then a digital log needs to be kept, recording who accessed what information, if they updated any information, and what information they changed. The log should include the old data as well as the changes that were made. This benefits both your client and your business by being able to see who made changes if any issues arise with their information. Establishing User Rights and Roles For HIPAA-compliant websites, you not only have to establish your employees’ rights and roles within the website, you also have to do the same for your clients. The administrator should have the capability to set the roles for each, which would allow the users to review or edit information. The administrator would also be able to remove access from any user if and when he or she deems it necessary. Arranging Authentication and Security for API Access Your eCommerce site’s APIs need to be highly secured. In order to access them, you should use at least a two-factor authentication process. You want to ensure that that are no ports or openings that could possibly be exploited. It's also vital that you ensure security with your HIPAA-compliant hosting. Clarity Can Help Our team of experts at Clarity has built a number of eCommerce websites that are in HIPAA compliance for your healthcare clients. We know the unique requirements that your business faces being an eCommerce healthcare business, and we would love to help you navigate the issues that you face. From WordPress HIPAA compliance to security on EMR apps, we can help keep your ePHI secure. To find out more about HIPAA compliance for eCommerce or to speak with one of our developers about creating a HIPAA-compliant website, call or click to contact us today!