HIPAA eCommerce

Account Settings on a HIPAA Compliant Portal or Website


One of the most important aspects of your website—whether it’s eCommerce, a doctor/patient portal, or a clinical trial—is letting the end-user self-serve. Allowing customers to enter their own information delivers considerable advantages for your website.

  • The end-user (customer, patient) can take their time and gather necessary information from home.
  • The end-user doesn’t have to fill out physical paperwork on the spot, when they often don’t have the information at hand.
  • The end-user is responsible for the information as entered, absolving your company of responsibility.
  • Your staff doesn’t have to take time transferring information from hard copies into the system.
  • Your staff doesn’t have to take time entering information while the end-user stands with them.

What Kind of Information Is Gathered?

It’s important that you’re not gathering any more information than you need to. First, offering too many fields on a form can overwhelm a user, maybe to the point of giving up on it altogether. Second, keeping too much electronic protected health information (ePHI) around means that much more to lose—and be fined for—should you suffer a data breach on your HIPAA compliant portal.

But in most instances, there will still need to be a considerable amount of information collected and put into a user account. Beyond name and contact information, the most common types of information gathered are:

  • Height
  • Weight
  • Sex
  • Date of birth / age
  • Blood type
  • Medical history
  • Allergies
  • Doctor contact information
  • Insurance information, including Medicare or Medicaid
  • Non-insurance payment methods
  • Preferred pharmacy

Knowing someone’s name or preferred pharmacy on its own isn’t considered ePHI, but it becomes ePHI when combined with specific medical information like the items above. If you are trusted with this information, you are a covered entity and are bound by HIPAA law.

Reasons Information Is Stored in Accounts

It’s important to let customers know why you’re asking for information. They’ll be more understanding of your interest if they are told why it's important for you to know the name of their doctor or why you’re requesting their social security number.

Let’s take a look at three very different scenarios for collecting information that ends up in customer/end-user accounts on your HIPAA compliant website.


Safer Customers, Smoother Checkouts

If you are selling medical products, including prescription medicines and medical devices, holding a certain level of ePHI for the end-user is necessary. This information can flag drug interactions, prevent allergic reactions, and track previous orders involving medicines.

Keeping information about healthcare providers and insurance companies can also lead to a much faster checkout process. If the patient’s doctor information is already on file to approve prescriptions, and the insurance/payment information is the same as last time, a customer can check out much faster than if they had to re-enter it every time.

Paired Medical Devices

Medical devices are becoming more interactive thanks to Bluetooth capabilities. The device’s ID is part of the account settings page in order to link the device to the patient. This information often ends up on the end-user’s account page (or a page easily accessible from the account page), and it may also be stored in the medical app.

These pages can also offer support partners. For instance, the end-user can select friends or family members to view the information collected from a device that measures blood sugar levels. The support group can then encourage the person to make food choices that will change the collected numbers for the better.

Clinical Trials

Clinical trials are another aspect of medicine that is moving online. In addition to the standard ePHI that participants will need to enter to be part of the trial, results collected during the trial will also be protected by the HIPAA Privacy Rule.

How Is ePHI Protected?

No matter the level of ePHI you’re protecting according to HIPAA law, it’s vital to put systems in place to protect it. There are many ways to protect data, so make sure your vendor has the proper levels of security in place to protect the medical information you’ve been trusted with. This can be any combination of:

  • Multifactor authentication
  • Tokenized data that’s encrypted at rest
  • Role-based access control
  • Privacy rules and the accompanying workflow
  • Logging and tracking of accessed data
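As an added illustration (not code from the original post or from Clarity), the snippet below shows how three of the controls above combine on a patient account record: an MFA check, role-based access limited to the fields each role needs, the support-partner sharing described earlier, and an audit entry for every read attempt. The role-to-field policy and the sample record are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role-to-field policy (illustrative, not a HIPAA-mandated mapping).
# Field names follow the account-settings list above; "device_readings"
# stands in for data collected by a paired device.
FIELD_ACCESS = {
    "patient": {"name", "date_of_birth", "allergies", "medical_history",
                "insurance", "preferred_pharmacy", "device_id", "device_readings"},
    "pharmacist": {"name", "date_of_birth", "allergies", "preferred_pharmacy"},
    "billing": {"name", "insurance"},
    "support_partner": {"name", "device_readings"},
}

@dataclass
class AccountRecord:
    patient_id: str
    data: dict
    support_partners: set = field(default_factory=set)  # user ids the patient chose

AUDIT_LOG = []  # every read attempt lands here, allowed or denied

def read_account(record, requester_id, role, mfa_verified):
    """Return only the fields the requester may see, plus a reason code."""
    if not mfa_verified:
        reason = "mfa_required"
    elif role == "patient":
        reason = "ok" if requester_id == record.patient_id else "not_owner"
    elif role == "support_partner":
        reason = "ok" if requester_id in record.support_partners else "not_shared"
    elif role in FIELD_ACCESS:
        reason = "ok"
    else:
        reason = "unknown_role"
    fields = FIELD_ACCESS[role] if reason == "ok" else set()
    disclosed = {k: v for k, v in record.data.items() if k in fields}
    AUDIT_LOG.append({  # who touched which patient's data, and what they got
        "time": datetime.now(timezone.utc).isoformat(),
        "patient": record.patient_id, "requester": requester_id, "role": role,
        "result": reason, "fields": sorted(disclosed),
    })
    return disclosed, reason

# Constructed sample record (not real patient data).
SAMPLE = AccountRecord("p-1001", {
    "name": "Jane Sample", "date_of_birth": "1980-01-01", "allergies": ["penicillin"],
    "medical_history": ["type 2 diabetes"], "insurance": "PLAN-XYZ",
    "preferred_pharmacy": "Main St Pharmacy", "device_id": "glucometer-42",
    "device_readings": [5.8, 6.1],
}, support_partners={"u-2002"})
```

Denied attempts are logged with the same detail as allowed ones, which is what makes the audit trail useful for spotting probing of accounts that a requester does not own.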

HIPAA Experience Matters


For most developers, the greatest security hurdle they have to jump is keeping a customer’s credit card data safe. They’re simply not qualified to protect ePHI in order to meet HIPAA standards.

Having experience with the HIPAA privacy and security rules is important when picking a developer to help protect ePHI, whether it’s part of your eCommerce platform or EMR/EHR in a doctor’s office. HIPAA experts can help you take all of the necessary steps to encrypt necessary information and make sure you don’t leave holes in your security.

Clarity is dedicated to helping all covered entities protect their customer’s data, which in turn protects the covered entity’s reputation and HIPAA standing. We offer a complimentary discovery session—completely free—where we offer our services to help you find out the level of HIPAA security you need and offer ideas on how to protect it. You get to keep this plan whether you work with us or not, so let’s get the process started.


Stephen Beer is a Content Writer at Clarity Ventures and has written about various tech industries for nearly a decade. He is determined to demystify HIPAA, integration, and eCommerce with easy-to-read, easy-to-understand articles to help businesses make the best decisions.