HIPAA eCommerce

Secure Orders on a HIPAA Compliant Website

eCommerce is complex enough, but everything gets even more complicated when healthcare is brought into the equation. It isn’t just the addition of security to protect HIPAA-covered information; it’s the complexities around ordering restricted products such as prescription drugs or medical devices. Your HIPAA-compliant website needs to protect information at every step, from ordering through shipping.

Many eCommerce platforms can’t accommodate the additional steps often needed during the ordering process. If they do allow plugins to help, they usually compromise security in some way (we’re looking at you, WordPress).

Let’s take a look at the common problems that occur, and the solutions that are needed to streamline the process.

Who Needs Advanced Ordering Options?

When it comes to restricted materials, certain information must be validated and approved before the item(s) can be shipped. This can be a necessity in the healthcare industry and beyond.

  • Pharmaceuticals – Validating a prescription is the most common type of restriction that requires approval. The platform may contact the doctor directly to verify the prescription.
  • Medical Devices and At-Home Test Kits – Anyone can walk into a store and buy crutches, but complex devices—such as insulin pumps—need a prescription. The same is true for some at-home test kits.
  • Chemicals – There are many dangerous chemicals that can only be shipped to approved parties. This can be simple, like verifying that a high school teacher can buy chemicals for a class. It can also require more extensive checks, such as if someone is ordering chemicals that can be used to make explosives.
  • Corporate Approvals – Some orders must be approved by a manager before being shipped. For instance, companies with multiple offices may allow each office to order their own office supplies but still require final approval from the corporate headquarters before the order is finalized.

The Region Problem

Even if someone is approved to purchase restricted items, their shipping address might not be. Some states (or countries if shipping internationally) have restrictions on the import of specific pharmaceuticals. If a restriction is found, the customer should be informed of the reason and then given alternative methods for acquiring what they need.

Guide Customers Through Your Workflow

Healthcare and insurance are confusing enough without your eCommerce experience adding to a customer’s headaches.

You should focus on the customer experience and test it extensively before launch. Anything a customer is unfamiliar with should be carefully explained. The right eCommerce platform can perfectly balance the workflow of a customer with the workflow of your business.

Top Tip

If you can be the one component of healthcare that makes their life a little easier, customers will remember you and return with more business.

Product-Specific Workflows

An eCommerce healthcare site must also be able to accommodate additional informational steps once a customer has selected an item. You may need to provide important information about a drug—interactions, side effects, warnings—and get a customer’s electronic signature acknowledging they have read this additional information.

Of course, not every product needs these additional steps. For instance, a customer might order a restricted medication that requires a doctor’s approval and receipt confirmation of side effect disclosures...but they might also want to order some Advil and a weekly pillbox organizer at the same time. These last two items will not need any additional steps between adding them to the cart and the checkout. In other words, workflows can be altered per product on your HIPAA website.
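
The per-product gating described above, combined with the shipping-address check from "The Region Problem", sketched as an added example that is not code from Clarity or any eCommerce platform. The SKUs, step names and the "XX" region rule are constructed for illustration, and treating unknown products as fully gated is an assumption of this sketch.

```python
from dataclasses import dataclass, field

# Constructed catalogue: steps each product must clear before it can ship.
REQUIRED_STEPS = {
    "restricted-med": {"prescriber_approval", "disclosure_signed"},
    "advil": set(),      # no extra steps between cart and checkout
    "pillbox": set(),
}
# Constructed rule: (product, destination) pairs that may not be shipped.
REGION_BLOCKS = {("restricted-med", "XX"): "not permitted for import into XX"}
# Assumption: a SKU missing from the catalogue fails closed and needs every step.
ALL_STEPS = {"prescriber_approval", "disclosure_signed"}


@dataclass
class Line:
    sku: str
    completed: set = field(default_factory=set)  # steps recorded server-side


def review_order(lines, ship_to):
    """Return {sku: [reasons]} for every cart line that cannot ship yet."""
    holds = {}
    for line in lines:
        reasons = []
        block = REGION_BLOCKS.get((line.sku, ship_to))
        if block:
            # The reason text is what the customer is shown.
            reasons.append("region: " + block)
        required = REQUIRED_STEPS.get(line.sku, ALL_STEPS)
        reasons += sorted("missing: " + s for s in required - line.completed)
        if reasons:
            holds[line.sku] = reasons
    return holds


def can_ship(lines, ship_to):
    """The order is released only when no line has an outstanding hold."""
    return not review_order(lines, ship_to)


if __name__ == "__main__":
    cart = [Line("restricted-med", {"disclosure_signed"}),
            Line("advil"), Line("pillbox")]
    print(review_order(cart, "TX"))
```

The check runs on the server at fulfillment time, so a step skipped or altered in the browser still leaves the line on hold.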

Keep Customers Informed

Many customers have been spoiled when it comes to most consumer products. After we hit the “place order” button, we tend to expect the items on our doorstep in one or two days.

For eCommerce businesses that sell restricted items, this is often an impossibility. The steps that have to happen (often including a doctor’s approval) slow the process down considerably. A customer shouldn’t expect two-day delivery if the average doctor takes three days to approve a prescription.

That’s why we have three very important words for you: Manage customer expectations.

It's better to under-promise and over-deliver. You need to make it perfectly clear that it might take a doctor a week to respond via the doctor portal, and then fulfillment and shipping might take four days after that. In practice this likely won’t take that long, since you could set a system alert to call the doctor after only three unresponsive days.

Carefully consider the message you're sending to the customer. Let them know that you are ready to ship as soon as approval is received. Keep them informed with carefully spaced emails or texts to let them know what stage their order is at. Even as they wait, they want to know that they are not forgotten.

Keep ePHI Safe

Of course, keeping electronic protected health information (ePHI) safe is another essential task that your eCommerce platform must excel at.

Protecting ePHI isn’t a task that should be taken lightly. Failing to secure data at every step could lead to considerable government-imposed fines. But what might be even worse is the hit to your reputation when patients or customers find out that you didn’t do enough to protect their HIPAA-covered data.

HIPAA Projects Deserve Experienced Developers

Have you been wondering how to make a website HIPAA compliant? It’s vital to find a developer that has experience protecting HIPAA data and can help you find the holes in security that a typical developer might not know about. HIPAA data requires special care that goes beyond simply protecting someone’s credit card number.

Clarity would like to help you get started on your HIPAA journey, or help you increase the security with your current system. Our experience can help you make sure you’re doing what you can to protect the information that needs to be protected. We offer a complimentary consultation to help you create a HIPAA checklist that’s tailored specifically to your business and workflow. If we’re not a good fit for you, you can take this information with you to the next developer. Get in touch to start the process!

Work with HIPAA Experts

Find out what solution is best for your business by signing up for a free discovery session with our experts.

Stephen Beer is a Content Writer at Clarity Ventures and has written about various tech industries for nearly a decade. He is determined to demystify HIPAA, integration, and eCommerce with easy-to-read, easy-to-understand articles to help businesses make the best decisions.