HIPAA Checkout for HIPAA Compliant Websites

Updated May 3, 2023  |  5 min read

Nearly every aspect of healthcare has some sort of eCommerce aspect to it. Doctors, pharmacies, and labs all have processes to bill patients and insurance companies. It’s a business, and nearly every provider offers some sort of online billing and payment option.


The checkout cart of a HIPAA compliant eCommerce platform dealing with electronic protected health information (ePHI) must be more flexible than the standard checkout process you’ll find on most sites. Not only do you have to protect the information, but there are often additional security measures that have to be addressed. Let’s examine the different ways the checkout process of a typical pharmacy or medical device supplier can progress.

Who Uses ePHI-Protected Checkouts?

There are two primary differences between a typical eCommerce company (one selling garden tools, jewelry, or food) and many eCommerce businesses that have a healthcare focus (hospitals, private practices, pharmacies, medical device suppliers) and need a HIPAA compliant portal.


Protecting ePHI

The average eCommerce platform is designed to facilitate sales and protect its customers' credit card information. Doing so shouldn’t be taken lightly; we’ve all heard of major data breaches that compromise customer data. In 2013, Target not only suffered a data breach that cost them millions of dollars, but it also hurt their reputation.

One thing Target didn’t have to worry about is securing protected health information. Each business that’s entrusted with patient data—called a covered entity, or CE—must take additional steps to ensure that this data is protected. This applies both when the information is at rest and when it is transferred electronically, whether it is accessed through a medical app or a HIPAA compliant website.

Checkout Permissions

Most companies don’t have to worry about the legality of selling their products. As long as payment is received, they will ship to anyone who wants what they’re selling.

Online pharmacies, as well as distributors of certain medical equipment and tests, have to incorporate another step to ensure that a customer is allowed to make the purchase. One or more of these four usually applies:

  • Doctor Approval – If the doctor wasn’t the one to send in the prescription, requests for approval can be sent to them. This is often the case with telehealth pharmacy requests.
  • Shipping Restrictions – Some items must be sent to a doctor’s office and cannot ship directly to the patient.
  • Patient Verification – Some prohibited medicines, tests, or medical devices require a patient to take a health survey (to address drug interactions or side effects) and then acknowledge that they have been given information about that particular medicine.
  • Localized Restrictions – Some medicines are restricted based on a patient’s address. Certain state laws, or even city laws, might prohibit the shipment of particular prescription medicines no matter the courier. Delivery to PO boxes is another commonly restricted option.
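The four gates above are the checks a checkout has to run before an order is accepted or allowed to ship. The following is an added example, not code from the original article or from any platform it describes: a small Python evaluator that applies all four gates to a cart and returns a decision record. The item flags, the `CheckoutRequest` fields, the PO box pattern, and the sample orders are all constructed for the example. Two things it shows that the list alone does not: the difference between a hard block (the order cannot proceed as entered) and a soft hold (the order is accepted but waits for the prescriber's e-signature), and a decision record that carries only SKUs and reason codes, so it can be logged and shown to support staff without copying ePHI out of the order.

```python
"""Checkout eligibility gates for a pharmacy / medical supply cart (added example)."""
import re
from dataclasses import dataclass
from typing import List

# PO box destinations are a common shipping restriction. Pattern constructed
# for this example; a production system would use the carrier's address validation.
PO_BOX_RE = re.compile(r"\b(?:p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.IGNORECASE)


@dataclass(frozen=True)
class CatalogItem:
    """Per-item rules. Field names are assumptions for this example."""
    sku: str
    needs_doctor_approval: bool = False        # Doctor Approval gate
    office_only: bool = False                  # Shipping Restrictions gate
    needs_attestation: bool = False            # Patient Verification gate
    restricted_states: frozenset = frozenset() # Localized Restrictions gate
    no_po_box: bool = False                    # Localized Restrictions gate


@dataclass
class CheckoutRequest:
    """What the checkout knows at the moment the order button is clicked."""
    items: List[CatalogItem]
    ship_state: str            # two-letter state code from the shipping address
    ship_address: str          # first address line
    ship_to_office: bool = False   # destination is the prescriber's office
    doctor_signed: bool = False    # prescriber e-signature already on file
    attestation_done: bool = False # patient completed survey + acknowledgement


def evaluate_checkout(req: CheckoutRequest) -> dict:
    """Apply all four gates and return a decision record.

    The record contains only SKUs and reason strings, never patient or
    prescriber identity, so it is safe to log and to show to support staff.
    """
    blocks: List[str] = []  # hard stops: cannot proceed as entered
    holds: List[str] = []   # soft stops: accepted, but cannot ship yet
    state = req.ship_state.strip().upper()
    is_po_box = bool(PO_BOX_RE.search(req.ship_address))

    for item in req.items:
        if state in item.restricted_states:
            blocks.append(f"{item.sku}: cannot be shipped to {state}")
        if item.office_only and not req.ship_to_office:
            blocks.append(f"{item.sku}: must ship to the prescriber's office")
        if item.no_po_box and is_po_box:
            blocks.append(f"{item.sku}: PO box destination not permitted")
        if item.needs_attestation and not req.attestation_done:
            blocks.append(f"{item.sku}: health survey and acknowledgement required")
        # Approval is a hold, not a block: the order is taken, then routed to the doctor.
        if item.needs_doctor_approval and not req.doctor_signed:
            holds.append(f"{item.sku}: awaiting prescriber e-signature")

    if blocks:
        status = "blocked"
    elif holds:
        status = "awaiting_doctor_approval"
    else:
        status = "ready_to_fulfill"
    return {"status": status, "blocks": blocks, "holds": holds}


# Constructed sample catalog for the demonstration below.
OTC_SUPPLY = CatalogItem("SKU-BANDAGE")
RX_TELEHEALTH = CatalogItem("SKU-RX-1", needs_doctor_approval=True, needs_attestation=True,
                            restricted_states=frozenset({"NY"}), no_po_box=True)
OFFICE_DEVICE = CatalogItem("SKU-DEV-9", needs_doctor_approval=True, office_only=True)


if __name__ == "__main__":
    order = CheckoutRequest([RX_TELEHEALTH], "TX", "123 Main St", attestation_done=True)
    print(evaluate_checkout(order))   # accepted, held for the doctor's signature
    order = CheckoutRequest([RX_TELEHEALTH], "ny", "PO Box 42", attestation_done=True)
    print(evaluate_checkout(order))   # blocked twice: state rule and PO box rule
```

In a real checkout the `blocks` list drives the messages shown to the patient before payment is taken, while the `holds` list drives the expectation-setting message (order placed, waiting on the prescriber) and the notification sent to the doctor.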

How CEs and Patients Interact

There are typically three types of clients that pharmacies and medical suppliers deal with: doctors, patients, and other businesses that buy and resell their products. Let’s take a look at how each of these might interact with their eCommerce platform.


Doctors will usually interact with the eCommerce business in one of two ways. The simplest way is that they will receive a notification telling them that they need to authorize a medicine or device for one of their patients. This notification is automatically sent and will contain detailed instructions on how to finalize the order, often by submitting an e-signature.

Another way that they might interact with an EMR/EHR website is by acting on behalf of the patient. A doctor (or, more likely, an office assistant) may input the patient’s information and the requested order. The doctor will sign with an e-signature or get an alert asking them to do so. Some items may only be able to be sent directly to the doctor’s office, but the patient can get a notification regarding the approximate arrival date.



A patient seeking to fill a prescription may have to go through many steps, and it’s very important that they are walked through these steps in an easy-to-follow manner. Failing to do so could make them abandon the transaction completely.

Patients may have to answer questions about their health history to ensure that there are no drug interactions with what they are ordering. They may also have to acknowledge that they have been informed about possible side effects. This list of questions will change depending on what they are attempting to order. They can then complete the order as they would shopping anywhere else, except that they need to be made aware of the need for doctor approval.

Obviously, patients will be inputting a considerable amount of ePHI when they make a purchase on a HIPAA compliant portal. This data must be kept secure from the moment it’s on their screen to the time it spends on the eCommerce platform’s servers. It also must remain secure when their doctor is informed about an authorization request.


B2B orders, where one business purchases items from another, are one of the few scenarios where ePHI data isn’t exchanged. At the same time, B2B eCommerce orders are often more complex and require specialized checkout options to make the buying business’s experience more efficient.

Common elements of a B2B transaction include split shipping, split fulfillment, split payment, dynamic shipping costs, sample items, and discount codes. Payment options are often extended, including credit card, purchase order, invoice, pay on account, ACH, or any other payment you may want to accept. Automation can be set up so that one person can load the cart while someone else in their company approves it.


Managing Expectations

No matter who the customer is—doctor, patient, or another business—it’s important to manage expectations. For instance, a patient may make an order and expect it to ship right away. It can’t ship right away, though, because legally it must be signed by their doctor.

When they click the order button, you need to make them aware that it could take a week for their doctor to get around to signing it. Shipping times should be added to this estimate. It’s always better to set their expectations low when it comes to how long it takes to receive their product. In many cases you’ll be able to beat that time, but managing expectations is important when there are additional steps to take.

Stephen Beer is a Content Writer at Clarity Ventures and has written about various tech industries for nearly a decade. He is determined to demystify HIPAA, integration, and eCommerce with easy-to-read, easy-to-understand articles to help businesses make the best decisions.