HIPAA eCommerce

eCommerce Returns in a HIPAA-Sensitive Environment


Do you want customers to initiate returns? Do you want to take returns? Do you want to deal with returns? Of course not, but it’s just a part of doing business.

What’s important to remember is that it’s a vital part of customer relations. How you deal with their return could be the difference between a one-star and a five-star review, so you need to have an easy-to-use, friendly, and efficient returns process in place from day one.

While HIPAA-compliant portals might not be the most common type of website that needs to take returns, there are some common instances depending on the industry. Let’s talk about the steps of a return merchandise authorization (RMA) policy and how to set customer expectations about the process.

Who Needs An RMA?

Nearly every eCommerce site on the internet needs a return merchandise authorization policy in place. Returns are inevitable, whether due to breakage, your warehouse shipping the wrong item, or customers changing their minds (more on that later).

Pharmacies, lab test kits, and medical device suppliers all have to set a policy about returns, then incorporate this policy into an eCommerce platform return process that allows customers to self-serve as much as possible.

What About Virtual Items?

Even businesses that sell virtual items may need the ability to offer refunds. Companies might take an “if you don’t like it, let us know within 30 days and you can have your money back” approach.

While there won’t be any physical item being shipped, the payment system in the eCommerce platform will still need to issue a refund.

Set Customer Expectations

You must set customer expectations when it comes to returns. You want to be as generous as possible while limiting the effect on your business’s bottom line.

Setting customer expectations starts with a clear, obvious policy. The opportunity to view the returns policy should appear often during the checkout process, have its own page, and be included in the FAQ on your HIPAA compliant website.

Here are some of the common points of a returns policy that you’ll need to address.

  • Is the item returnable according to your returns policy? – If it’s not, will you still take it back to placate the customer?
  • Is the item legally returnable? – Some items, namely pharmaceuticals, cannot be taken back except under specific circumstances.
  • Do they need approval from your team? – Do returns need the approval of someone on your team, or are they automatic? Do you want to open a chat with the customer to see why they’re unhappy with it? Perhaps they are using it incorrectly and the return is unnecessary.
  • Has the return time expired? – Customers can often be dissuaded from seeking a return if the return time has passed.
  • Do they want a refund or replacement? – Can they have either, or is only one allowed?
  • Is “I changed my mind” a valid reason? – This must be spelled out very clearly in your returns policy, and you also have to decide how you will respond if they press the issue.
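The checklist above can be turned into a single eligibility decision that the platform evaluates before a customer ever sees a “return” button. This is an added illustration, not code from the article or from any particular platform; the policy constants, reason codes and item flags are assumptions you would replace with your own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Tuple

# Constructed policy values; adjust to match your own returns policy.
RETURN_WINDOW_DAYS = 30
CHANGED_MIND_ACCEPTED = True                     # is "I changed my mind" a valid reason?
REASONS_NEEDING_APPROVAL = {"changed_mind", "not_working"}   # assumed reason codes


@dataclass
class ReturnRequest:
    sku: str
    shipped_on: date
    reason: str                    # e.g. "damaged", "wrong_item", "changed_mind", "not_working"
    wants: str                     # "refund" or "replacement"
    returnable_by_policy: bool     # flag carried on the catalogue item
    legally_returnable: bool       # False for e.g. dispensed pharmaceuticals
    refund_allowed: bool = True
    replacement_allowed: bool = True


def evaluate_return(req: ReturnRequest, today: date) -> Tuple[str, str]:
    """Walk the checklist in order and return (decision, reason).

    decision is 'auto_approve', 'needs_approval' or 'denied'. Legal restrictions
    are checked first because no goodwill gesture can override them."""
    if not req.legally_returnable:
        return "denied", "item cannot legally be taken back"
    if not req.returnable_by_policy:
        # Policy says no, but staff may still choose to placate the customer.
        return "needs_approval", "not returnable by policy; staff decide whether to take it back"
    if today - req.shipped_on > timedelta(days=RETURN_WINDOW_DAYS):
        return "denied", f"return window of {RETURN_WINDOW_DAYS} days has expired"
    if req.reason == "changed_mind" and not CHANGED_MIND_ACCEPTED:
        return "denied", "change of mind is not a valid reason under this policy"
    if req.wants == "refund" and not req.refund_allowed:
        return "denied", "only a replacement is offered for this item"
    if req.wants == "replacement" and not req.replacement_allowed:
        return "denied", "only a refund is offered for this item"
    if req.reason in REASONS_NEEDING_APPROVAL:
        # e.g. open a chat to check whether the item is simply being used incorrectly
        return "needs_approval", "staff review required for this reason"
    return "auto_approve", "all policy checks passed"
```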

Determine the Workflow


The key takeaway from this is to set customer expectations, both before the return and after it has been started. Put yourself in the customer’s shoes and think about how you’d like the transaction to go... and what you’d do if it doesn’t go as you’d like.

For the Customer

When a customer logs into their account, they’ll be able to see past orders; this is usually where the option for returns is found. You can decide how simple you’ll make the process. For instance, is the return automatic or will it require approval? If the RMA is approved, the customer should get confirmation that it is in process and what the next steps are. You can even create the return shipping label for them (postage-paid or not).

Customers will also want to know where they are in the process once they ship it to you. Has your company received it? Has it been processed according to HIPAA standards? When will they receive their refund or replacement? All this information can easily be added to their dashboard. Again, set expectations with them about how long this could take.

For Your Team

The return process will involve your team in one way or another. Luckily, the eCommerce platform/CRM that helped the customer purchase the item can also help with the return. Stock levels can be reconciled and refunds can be issued.


ePHI that’s collected, and the items associated with that information, need to be protected as much during a return as during a sale. Only authorized people within your company should have access to the particulars of each sale and any returns associated with it.

During the returns process, it’s essential that you don’t include too much information in messages such as texts or emails. The email should say, “Your return has been received” instead of “Your return of [X socially embarrassing medicine] has been received.” Any details should sit behind a link to a page that the customer has to log into. The website itself would still have to adhere to HIPAA website compliance.
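The two rules above (minimal out-of-band messages, particulars only behind the login and only for authorized roles) are easiest to enforce with an allow-list rather than by trying to strip sensitive words out afterwards. The following is an added example, not code from the article or any platform; the sample return record, the portal URL and the role name are constructed assumptions.

```python
from typing import Any, Dict, Optional

# Constructed sample return record. item_name and reason are the "particulars"
# that must stay behind the login; they are never placed in an email or SMS.
SAMPLE_RETURN: Dict[str, Any] = {
    "return_id": "RMA-1001",                    # constructed
    "status": "received",
    "customer_id": "cust-42",                   # constructed
    "item_name": "Example Medication 50 mg",    # constructed placeholder
    "reason": "changed_mind",
}

# Allow-list: the only keys that may ever appear in an out-of-band message.
NOTIFICATION_SAFE_FIELDS = {"return_id", "status"}

STATUS_TEXT = {
    "received": "Your return has been received.",
    "processed": "Your return has been processed.",
    "refunded": "Your refund has been issued.",
}

PORTAL_BASE = "https://portal.example.com"       # assumed portal URL
STAFF_ROLES_WITH_DETAILS = {"returns_staff"}     # assumed role name


def build_notification(record: Dict[str, Any]) -> str:
    """Compose the email/SMS body from allow-listed fields only, plus a link to a
    page that requires the customer to sign in. Unknown status values raise
    KeyError on purpose so a new status cannot silently leak free text."""
    safe = {k: v for k, v in record.items() if k in NOTIFICATION_SAFE_FIELDS}
    link = f"{PORTAL_BASE}/account/returns/{safe['return_id']}"
    return f"{STATUS_TEXT[safe['status']]} Sign in to view details: {link}"


def return_view(record: Dict[str, Any], requester_id: str, requester_role: str) -> Optional[Dict[str, Any]]:
    """What the portal shows after login. The owning customer and staff in an
    authorized role see the full record; any other employee sees only the
    allow-listed status fields; an anonymous requester sees nothing."""
    if not requester_id:
        return None
    is_owner = requester_id == record["customer_id"]
    is_authorized_staff = requester_role in STAFF_ROLES_WITH_DETAILS
    if is_owner or is_authorized_staff:
        return dict(record)
    return {k: v for k, v in record.items() if k in NOTIFICATION_SAFE_FIELDS}
```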


Experienced RMA Development

No company wants to get returns, but it’s just a requirement of doing business. Returns will happen; it’s how you deal with them that will affect how customers feel about your company. When interviewing developers, selling items is your primary concern. But make sure to talk to them about creating a returns process that’s easy for customers and fits your business logic.

Of course, the HIPAA aspect of returns can’t be ignored. You might be extremely careful with a customer’s order on the way out, but authorized employees need to be the only ones dealing with it on the way back. We can help you get a process in place that satisfies HIPAA laws and helps the customer feel that their personal health data is in good hands.

Clarity is a leader in HIPAA data security, and we help eCommerce customers improve their sales while keeping ePHI safe. We’d like to share our experience with you by offering a complimentary discovery process. We’ll take a look at your business model and make suggestions on how we can make it safer and more customer friendly. You can use this plan when you work with us, but you can also take it somewhere else if we’re not a great fit. It’s free either way!


Stephen Beer is a Content Writer at Clarity Ventures and has written about various tech industries for nearly a decade. He is determined to demystify HIPAA, integration, and eCommerce with easy-to-read, easy-to-understand articles to help businesses make the best decisions.