
Compliance Requirements & Best Practices

HIPAA Development can be Tough. Let the Experts Help you Understand What You Need
What you Need to Know, and How to Implement It

HIPAA Compliance Requirements & Best Practices

HIPAA eCommerce compliance involves a robust set of requirements spanning several key components. When the data in question is electronic protected health information (ePHI), the two rules you will deal with most are the Privacy Rule, which governs how PHI may be used and disclosed, and the Security Rule, which sets the safeguards that apply to ePHI specifically.

Keeping Things Private

Privacy Rules & Information

The Privacy Rule itself contains several things. A primary component is the Notice of Privacy Practices, also known as the NPP. It is an outline of how a covered entity may use an individual's protected health information and how it may disclose it. It also covers the individual's rights over that information and how the individual can exercise those rights.

For example, the individual has the right to access their records, to request amendments to them, to receive an accounting of disclosures, and to file a complaint with the covered entity (CE) or with HHS. The notice also outlines the covered entity's legal duties and must include a statement that the covered entity is required by law to maintain the privacy of protected health information.

Keep Intruders Out

Data Security Requirements

The Security Rule is rather detailed. Ultimately it is a set of administrative, physical and technical safeguards meant to ensure that ePHI is protected against unauthorized access, including through encryption, throughout its life cycle. This covers every interaction that might occur with the data, from its collection through storage and transmission to its eventual disposal.

This also includes locking down access to the data and restricting it to the minimum necessary. Employees at the data center, for example, would operate under a defined set of rules and restrictions around their access, and every interaction with the data would be logged and monitored.

Access to the data is therefore audited continually, so that a process exists to detect and resolve any incident where the data was accessed when it should not have been. The general idea behind the Security Rule is to reduce exposure of the data to what is absolutely necessary. When a third party, such as a hosting provider or payment processor, does need to handle the data on your behalf, that vendor must sign a business associate agreement (BAA) before it does so.

Protecting Sensitive Information

Protected Health Information Guidelines

So, what exactly qualifies as protected health information? Under HIPAA, PHI is individually identifiable health information, including demographic information, that relates to the individual's past, present or future physical or mental health or condition, to the provision of healthcare to the individual, or to the past, present or future payment for that healthcare, and that identifies the individual or could reasonably be believed to identify them. This includes things like a medical record, a lab result, a hospital bill, and the patient's name and other identifying details present in the medical records. Identifiers such as a Social Security number, address and phone number are also PHI when they are tied to health-related data, even though they are not medical in nature.

The best practice with protected health information is to assume that any data which could be PHI must be encrypted, both at rest and in transit. You could also tokenize the PHI. However it is done, any medical or demographic information that can identify someone must be protected and secured.

You should follow a well-defined encryption model or use tokenization, and ensure that any provider who handles the data signs a business associate agreement. Tokenization, in the vendor model described here, means leveraging a third party who stores the PHI and handles its encryption and security validation. Your own systems store only a token value, a random reference with no relationship to the underlying data, and retrieving the data for a particular user requires presenting both the token and the access key. Someone who obtains only your database, and therefore only the tokens, cannot recover any PHI from it.
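The following is an added example, not code from Clarity or from any HIPAA guidance, of the tokenization architecture described above and of the access logging the Security Rule section calls for: the commerce database keeps only opaque tokens, the PHI lives in a separate vault, reading it back requires both the token and the vault's access key, and every read attempt is written to an audit log. TokenVault, PHI_FIELDS, SAMPLE_ORDER and the access key are assumptions made for this example; a production vault would additionally encrypt its store at rest and run on separate, access-restricted infrastructure.

```python
"""Field-level tokenization of an eCommerce order that carries PHI.

Added example; not code from Clarity or from any HIPAA guidance. TokenVault,
PHI_FIELDS and SAMPLE_ORDER are assumptions made for this example. A real
vault would also encrypt its store at rest and run on separate infrastructure.
"""
import hmac
import secrets
from datetime import datetime, timezone

# Order fields the text classifies as PHI: identifiers (name, SSN, address,
# phone) become PHI because they are tied to a health-related purchase.
PHI_FIELDS = ("patient_name", "ssn", "address", "phone", "prescription")

# Constructed sample input; every value is fictional.
SAMPLE_ORDER = {
    "order_id": "ORD-1001",
    "patient_name": "Jane Example",
    "ssn": "123-45-6789",
    "address": "1 Example Way, Springfield",
    "phone": "555-0100",
    "prescription": "metformin 500mg",
    "total_usd": "42.00",
}


class TokenVault:
    """Holds PHI under random tokens; releases it only with the access key."""

    def __init__(self, access_key: bytes):
        self._access_key = access_key
        self._store: dict[str, str] = {}  # token -> PHI (encrypt at rest in production)
        self.audit_log: list[dict] = []   # one entry per detokenize attempt, granted or denied

    def tokenize(self, value: str) -> str:
        # Random, not derived from the value: a hash of an SSN or phone number
        # could be reversed by enumerating the small input space.
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = value
        return token

    def detokenize(self, token: str, access_key: bytes, actor: str, purpose: str) -> str:
        # Constant-time key comparison; the log entry is written for denials too.
        granted = hmac.compare_digest(access_key, self._access_key) and token in self._store
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "purpose": purpose,
            "token": token,
            "result": "granted" if granted else "denied",
        })
        if not granted:
            raise PermissionError(f"detokenize denied for {actor!r}")
        return self._store[token]


def tokenize_order(order: dict, vault: TokenVault) -> dict:
    """Return a copy of the order that is safe to keep in the commerce database."""
    safe = dict(order)
    for field in PHI_FIELDS:
        if field in safe:
            safe[field] = vault.tokenize(safe[field])
    return safe


def contains_phi(record: dict, original: dict) -> bool:
    """True if any PHI value from the original order survives verbatim in record."""
    return any(record.get(f) == original[f] for f in PHI_FIELDS if f in original)


if __name__ == "__main__":
    vault = TokenVault(access_key=b"example-vault-key")  # assumed key, demo only
    safe = tokenize_order(SAMPLE_ORDER, vault)
    print("stored in commerce DB:", safe)
    print("pharmacist reads SSN:",
          vault.detokenize(safe["ssn"], b"example-vault-key", "pharmacist", "fill order"))
    try:
        vault.detokenize(safe["ssn"], b"stolen-db-only", "attacker", "dump")
    except PermissionError as exc:
        print("denied:", exc)
    for entry in vault.audit_log:
        print("audit:", entry)
```

The point the example makes is architectural rather than cryptographic: the token table and the access key are two separate things held in two separate places, so a dump of the storefront database alone yields no PHI, and the vault's audit log gives the continual record of access that the Security Rule section above describes.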

How Can Clarity Help

Clarity Marketplace Experts

In regard to eCommerce HIPAA compliance, the Privacy Rule and the Security Rule, alongside HIPAA in general, must be followed across the board. As such, it is typically best to work with a team that has completed these types of projects successfully and gone through the validation process, ensuring compliance with the industry's best practices.

Please feel free to look into the resources below to better understand HIPAA's different components and to ensure you and your team are following the best practices in keeping data secure. If you have any questions or would like a complimentary consultation with our team, please reach out to us here at Clarity. We would be happy to review with you in more detail!
