HIPAA Security and Privacy Rules
If you are in the healthcare industry, you are very likely a covered entity (a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically), or a business associate that handles ePHI on a covered entity's behalf. The HIPAA Security Rule is deliberately technology-neutral: it says which safeguards must be achieved, not which products to buy, so deciding how to secure ePHI is up to each individual covered entity.
Registration on your portal usually involves gathering ePHI: height, weight, and any test results become ePHI the moment they are tied to an individual. Even such simple information must be protected if it is stored alongside a patient's name or other identifying information such as a phone number or address.
One problem is that the same publicly accessible endpoint, such as a portal login page, that lets a patient sign in also presents an attack surface that can be probed and exploited.
It is vital to be proactive: keep your security controls up to date and maintain compliance with the HIPAA Security Rule, which requires a documented risk analysis and ongoing risk management. Regular testing of portals is a must to keep EMR/EHR data safe. Working with an experienced developer who follows industry best practices and shares responsibility by signing a Business Associate Agreement (BAA) reduces your exposure, but it does not transfer it: the covered entity remains accountable for the safeguards it chooses, so a signed BAA is a starting point for audit readiness, not a guarantee that an audit will go smoothly.
It might even be pertinent to ask a surprising question: “Is my business collecting too much ePHI?” Do you really need to collect as much information as you do, or are you collecting more than you need because it was the default setting on a page template? The Privacy Rule's minimum necessary standard already points in this direction, and the practical payoff is simple: the less ePHI you gather, the less is exposed in a security breach and the smaller your notification and liability burden afterward.