HIPAA eCommerce

Customer Registration and Account Creation on HIPAA Sites


Registering a patient or customer for HIPAA portal access should offer as little resistance as possible. People have come to expect a smooth process with every website they visit, and any struggle could make them abandon the process altogether.

Sometimes creating accounts means gathering some information now and waiting to gather other pertinent information in the future. Other times that information needs to be collected immediately to determine what information they are allowed access to. The important thing to remember is that it can be customized for your business needs. It can even be customized per customer.

As a covered entity—a company tasked with collecting and protecting ePHI—it is your legal responsibility to uphold the HIPAA Security Rule and the HIPAA Privacy Rule. Failure to do so could lead to fines and the loss of your good reputation, so make sure you have a plan in place to address any problems that HIPAA enforcers might find.

Three Important Areas of Focus for Registration

Registration on a HIPAA compliant website or portal should be seamless and easy for customers, but that’s not all you need to address. There are three primary areas to focus on when it comes to registering each customer.

Registration Forms

The registration process will often be determined by your business logic and the customer themselves. It’s very important to take the time to think through the process and what might make the process as smooth as possible for anyone creating an account with you.

  • Gather everything now: Some sites want as much information as possible right up front. While this might seem like overkill, it can actually be beneficial for assessing eligibility. For instance, if a site is selling a particular medical device, medical information gathered at the beginning could immediately let the customer know whether they are a good candidate.
  • Ease the customer in: Most companies decide to ease a customer into the “give us your information” stage. Customers may get limited access to a site and can only access more once they offer more information. Once they create an account they are more likely to feel invested and to input more information as necessary. This additional information can even wait until checkout, or it may only be needed if they are requesting certain restricted medications.

The important thing to remember is that the experience should be as streamlined as possible so as not to upset the customer (or potential customer). If a customer requests a restricted medication, it’s best to gather delivery information sooner rather than later, as some states don’t allow certain medications to be delivered.

HIPAA Security and Privacy Rules

If you are in the healthcare industry, you are almost certainly considered a covered entity. Those who wrote the HIPAA law made it very clear that security is up to each individual covered entity.

Registration on your portal usually requires the gathering of ePHI, such as when height, weight, and any tests are directly associated with an individual. Even such simple information must be protected if it is directly associated with a patient’s name or other identifying information (phone number, address).

One problem is that the same publicly accessible endpoint that lets a customer log in, such as a HIPAA portal login page, is also an attack surface that can be targeted.


It’s vital that you be proactive to make sure that your security is up-to-date and maintains compliance with the HIPAA Security Rule. Regular testing of portals is a must to keep EMR/EHR safe. So long as you find an experienced developer that follows industry best practices and will share the responsibility by signing a BAA, you shouldn’t have much to worry about if a HIPAA audit occurs.

It might even be pertinent to ask a surprising question: “Is my business collecting too much ePHI?” Do you really need to collect as much information as you do, or are you collecting more than you need because it was the default setting on a page template? The less ePHI you gather, the less exposure you have in case of a security breach.

Workflow, Triggers, and Branching Logic

As we said before, sometimes workflows will be determined by each user. While they will be none the wiser, their experience may be significantly different from the next person who accesses your site. Common scenarios include:

  • Linking to preexisting accounts: A person might have a preexisting account with a company but has never interacted with it online before. For example, they might get their prescriptions filled at the grocery store pharmacy but have decided to order the most recent prescription online.
  • Linking devices to accounts: A person may purchase a Bluetooth-enabled medical device that connects to a medical app, and this will often be the reason they sign up with a tracking site. Connecting the device will only need to happen the first time, meaning that subsequent visits will bypass this step.
  • Appointment scheduling: There may come a time when a client needs to have a consultation with a doctor or pharmacist before they can move forward with a purchase. This will trigger the process of scheduling a telehealth appointment.

Branching logic is an excellent way to customize a customer’s online journey so that they complete the proper steps without having to wade through questions that don’t apply to them.
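The following is an added example, not code from the original article or from Clarity, showing how the branching described above (linking existing accounts, linking a device only on the first visit, triggering a telehealth consultation, and asking for delivery details early for restricted medications) can be expressed as a step planner that only requests ePHI when the customer's order actually requires it. The product catalog and the list of states that block delivery are constructed placeholders.

```python
"""Registration step planner for a HIPAA portal (added example, not Clarity's code).

Computes which registration steps a given customer must complete, so ePHI is
only requested when the purchase requires it and steps already completed
(such as device linking) are skipped on later visits.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample catalog: which products trigger extra steps.
CATALOG = {
    "glucose-monitor": {"device": True, "restricted": False, "consult": False},
    "restricted-rx": {"device": False, "restricted": True, "consult": True},
    "vitamins": {"device": False, "restricted": False, "consult": False},
}
# Constructed placeholder: states that do not allow delivery of restricted items.
NO_DELIVERY_STATES = {"XX"}


@dataclass
class Customer:
    has_offline_account: bool = False        # e.g. an in-store pharmacy customer
    linked_devices: Set[str] = field(default_factory=set)
    ship_state: Optional[str] = None
    cart: List[str] = field(default_factory=list)


def plan_registration(c: Customer) -> List[str]:
    """Return the ordered registration steps; raise if delivery is impossible."""
    steps = ["basic_account"]                # name and credentials, always required
    if c.has_offline_account:
        steps.append("link_existing_account")
    needs_delivery = consult = False
    for sku in c.cart:
        product = CATALOG[sku]
        if product["device"] and sku not in c.linked_devices:
            steps.append(f"link_device:{sku}")   # first visit only
        needs_delivery = needs_delivery or product["restricted"]
        consult = consult or product["consult"]
    if needs_delivery:
        # Collect delivery details early so an undeliverable order fails fast,
        # before any further ePHI is gathered.
        steps.append("delivery_address")
        if c.ship_state in NO_DELIVERY_STATES:
            raise ValueError("restricted medication cannot be delivered to this state")
    if consult:
        steps.append("schedule_telehealth")
    return steps
```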

Work with Clarity

It’s important to work with a developer with a track record of making HIPAA eCommerce websites as efficient as possible. At the same time, the developer should have HIPAA experience to help protect the ePHI in your care. Experience in the field can prevent problems that have already been solved on previous sites, portals, and apps involving covered entities.

Clarity understands the needs of those in the healthcare industry and the importance of keeping HIPAA-covered data secure. Our website offers an extensive array of free resources that detail some of the biggest mistakes covered entities make, as well as the solutions that keep them HIPAA compliant. If you have an ePHI problem in need of a solution, it’s likely we’ve dealt with it before.

We also offer a complimentary discovery session to help you plan for your future. We will put together a roadmap to help you upgrade (or create) your portals so that they work with your back-office software and processes. This is a plan you get to take with you no matter which developer you go with, so there’s really nothing to lose. Get in touch with us today to get the process started!

Stephen Beer is a Content Writer at Clarity Ventures and has written about various tech industries for nearly a decade. He is determined to demystify HIPAA, integration, and eCommerce with easy-to-read, easy-to-understand articles to help businesses make the best decisions.