THE HIPAA WEBSITE DEVELOPMENT STEPS TO FOLLOW Understanding What HIPAA Means for Your Site Every medical practice, clinic, pharmacy, nursing home, and healthcare provider must adhere to the rules of HIPAA compliance when they have an online presence that transfers medical information. This Health Insurance Portability and Accountability Act of 1996 instituted laws defining the level of security necessary for protected health information transferred over the web. Failing to invest in a robust HIPAA compliant website could lead to substantial fines from the government. Even worse, you will lose the trust of your patients and ruin your good reputation. Customers trust their health to physicians and caregivers, and they want to feel just as confident that their health information is in good hands. WHAT IS YOUR RESPONSIBILITY WITH HIPAA? Duty of Care for HIPAA Compliance Companies subject to HIPAA regulations are referred to as covered entities. This encompasses doctors, pharmacies, and nursing homes that transfer medical information, often referred to as electronic medical records (EMR), electronic health records (EHR), or protected health information (PHI). Covered entities also include health insurance companies, HMOs, government agencies that subsidize health care (Medicare), and military and veterans’ organizations. Sharing this information has become an important part of modern healthcare, but HIPAA compliance also creates a burden for medical providers. We can’t stress this enough: Covered entities bear the final responsibility for their compliance with all HIPAA regulations and guidelines. We want you informed about the challenges you face, so we offer this HIPAA compliant website checklist to get you started. 1. Create a HIPAA Compliance Website Checklist The first step in a HIPAA compliant checklist is creating a checklist that serves needs specific to your company. Having a plan in place for HIPAA compliant website design and hosting is one of the most important business objectives you’ll ever pursue. Don’t approach this haphazardly; you need to have a personalized HIPAA compliance website checklist to ensure you meet every HIPAA standard. 2. Research Healthcare Industry Needs When considering the needs of your website, you must first consider the HIPAA laws in place that affect every healthcare provider and then personalize your plan to comply. Simple, unsecured websites are no longer an option, even if you just include a contact form for patients to fill out. Be sure to find trusted information so that you can find an IT partner familiar with HIPAA compliance. 3. Determine if HIPAA is Necessary HIPAA compliant websites are only necessary if it is used to collect, store, process, display, or transmit ERM/EHR/PHI. HIPAA does not cover physical health records or electronic records that are stored in a single location with no means of web transfer. But because HIPAA was designed to improve healthcare by providing easy access to information, there aren’t many computer systems that don’t require strict HIPAA compliance. Talk to an Expert 4. Learn HIPAA Website Basics Before you understand how to make your website HIPAA compliant, familiarize yourself with HIPAA regulations. HIPAA regulations stipulate healthcare websites must: Implement rules and safeguards to protect patient health information. Limit sharing of confidential data to authorized stakeholders who directly help patients in some way. Ensure any business associates or corporate partners also safeguard PHI and share information only when done so in each patient's best interests. Limit who can access PHI and train employees about security and confidentiality best practices. 5. Research and Follow HIPAA Rules HIPAA rules don’t stop with information protection; it’s also adamant about tracking information access. They also require covered entities to keep track of who has viewed PHI, why they are accessing it, what they are accessing, and if the information has been transferred in any way. Working with an eCommerce and HIPAA integration company that has experience protecting both is a must. 6. Encrypt HIPAA Compliant Web Forms A web form is any information-collecting form that is filled out by a patient or client. Common examples include desktop or mobile forms that collect medical and insurance information. This information is then collected to create long-term and centralized medical records. HIPAA compliant web forms ensure that the connection between the browser and the website is encrypted, so information entered on the site or web forms is protected against unauthorized access. You must make sure your website is hosted by a company that knows what it’s doing when transferring forms to the HIPAA compliant web server. Clarity is ready to make your forms HIPAA secure. Talk to an Expert 7. Use HIPAA Compliant Contact Forms Any page that allows patients to submit information can be considered a contact form. This includes pre-visit health surveys, patient portals, and live chat facilities. Even the simplest contact form has to be secure; a person contacting a doctor will not want anyone to have easy access to their inquiries regarding particular health problems. 8. Protect HIPAA Compliant Web Servers PHI must be protected at every step. HIPAA compliant servers must include the most secure protection available while PHI is in the Cloud, but it also must be secure during any sort of internet transfer. That includes end to end encryption for any information that is sent back to the or between healthcare providers. Collecting PHI If your website collects any individually identifiable medical information, such as symptoms, conditions, or requested healthcare services, you are collecting PHI. That information must be ferried securely to the web server. Storing PHI Whether you store the PHI on your own server or on a third-party server, you must ensure that the security of the information is HIPAA compliant and that regular maintenance is done to keep it so. Transmitting PHI PHI must also be secure and encrypted when it is transferred in any way. This includes direct transfer between servers, via email, or any other digital transference. 9. Install a Robust SSL Certificate Secure Sockets Layer (SSL) is the industry standard for transferring data over internet channels, usually between a web server and a browser. SSL certificates make sure that data is encrypted from end-to-end and is not readable by third parties. The “s” in https// that is found on most websites indicates that any information transferred on that site will be secure. Some of the best low-cost — or even free — SSL Certificate providers are: Comodo SSL For Free Cloudflare Let’s Encrypt Instant SSL Be careful; free SSL certificates often don’t offer the most stringent security and aren’t always HIPAA compliant. Properly installing an SSL can be tricky business as well. Since it’s one of the most important parts of this HIPAA compliant website checklist, you’ll probably want to trust this step to a company familiar with HIPAA compliant database design. We’ll take care of it for you. 10. Choosing Your HIPAA Compliant Solution Who you work with can determine whether or not you truly have a HIPAA compliant website. As you saw from the previous points, the website must be secure from many angles. Clarity provides HIPAA compliant solutions to seamlessly secure PHI that's transmitted to and from your website, all the while adhering to HIPAA compliant server requirements. Let us show you how. We Can Help 11. Finding a Hosting Provider Don’t trust just anyone with your web hosting. HIPAA compliant web hosting requires some of the most robust security available. Since security is so important to your business, make sure you find one that specializes in HIPAA compliant web hosting. 12. Securely Back Up Data Backing up patients’ PHI — perhaps a lifetime’s worth of data — is a must. But backups usually mean that data is being duplicated from server to another. Protection must be just as protected during the backup as when it’s on the original server. BONUS: Healthcare Organization Tips Ensure that third-party service providers sign a business associate agreement (BAA) stating that they accept some responsibility for the security of the PHI Ensure HIPAA compliant website hosting Implement secure user authentication with a hosting provider Work with HIPAA-compliant web hosting providers for security needs Secure the website using an SSL certificate Encrypt all web forms Using HIPAA-compliant email encryption If you don’t want to deal with all of this yourself — or hire multiple companies to complete each task individually — you’ll want to seek out someone with experience in HIPAA integration. Click here to make it easy on yourself. Talk to an Expert What Rules Do HIPAA Compliant Websites Need to Follow? Four HIPAA Compliance Rules There are four HIPAA security rules that further define how covered entities and business associates safeguard protected health information. The four rules are: HIPAA Privacy HIPAA Security HIPAA Enforcement HIPAA Breach Notification In the normal course of business operations, only the first three rules apply to covered entities and their business associates. The last rule comes into play only when websites are breached and there's a risk that protected health information has been compromised. HIPAA projects come in many shapes and sizes. From a simple online pharmacy to a complex doctor-patient portal to a mobile application, they all have the same regulations regarding PHI. Clarity has built many of these projects, and we are comfortable helping you navigate the HIPAA compliance waters. RULE 1 Privacy Rule Considerations In addition to all of the privacy protection mentioned above, healthcare providers must consider other patient privacy concerns. For instance, they can share information with family members in certain circumstances.[1] An example is if the patient is mentally incapacitated or if the patient is a minor. Generally, HIPAA regulations prevent sharing or exposing confidential information in electronic, written, and oral forms. This means that websites have a duty even when discussing health records over the phone where they could be overheard by unauthorized people. In some cases, outside service providers may need access to information to provide medical services, so these cases are exempted from the privacy restrictions. The privacy rule applies to computer information about patients, conversations between doctors and medical staff, billing information, medical charts, and prescription information. RULE 2 Security Rule Considerations National standards of security protect information in medical private practice databases, eCommerce customer lists where medical records are part of the database, medical clearinghouses, pharmacies, insurance companies, and other covered entities and business associates. The HIPAA security rule has three components: technical safeguards, administrative safeguards, and physical safeguards. Some of the major highlights of security-rule regulations include — but aren't limited to — the following points: Performing periodic risk analysis to determine physical and digital vulnerabilities Reducing risks to acceptable levels Regularly reviewing system activities, digital logs, and audit trails Authorizing and supervising the employees who have access to PHI Protecting PHI from unauthorized parent companies, subcontractors, and partner organizations Sending regular updates to staff members about security issues and training employees to recognize malware, malicious software, and other virtual and real-world threats Implementing a system of access controls Providing encryption and decryption tools Facilitating safeguards like automatic logoffs Establishing mandatory policies for using workstations and mobile devices Rule 3. Enforcement Rule Considerations The HIPAA Enforcement Rule mostly concerns penalties and investigations when companies are found to be noncompliant, but eCommerce companies do have some enforcement responsibilities through the administrative section of the security rule. These include getting authorization forms for disclosing information to third-party sources, providing customers with a Notice of Privacy Practices, and drawing up Business Associate Agreements for partners to acknowledge their responsibilities under HIPAA. Know the Rules RULE 4 Breach Notification Rule Considerations Breaches occur when unauthorized people gain access to protected health information in some manner that's not permitted under the HIPAA Privacy Rule. These breaches include unauthorized access to physical areas, inadvertent disclosures, stolen or misplaced documents, and digital hacks. If any of these situations occur, covered entities must: Determine if PHI is compromised Assess the type and amount of data involved Find out who used the PHI illegally or to whom information was disclosed Chronicle steps taken to mitigate the breach Ascertain if the breach was closed or information returned before being used If the breach occurred inadvertently under a covered associate’s or entity’s authority Send notices of breach incidents to each patient's last known address by First Class mail or email if electronic notifications are authorized Write notices in easy-to-understand language and include a summary of how the situation occurred, the date of exposure, and other relevant details HEALTHCARE PROVIDERS RESPONSIBILITY Specific Concerns for Covered Entities & Business Associates Covered entities and associates must consider not only whether their websites are compliant with HIPAA regulations but also whether all forms of their digital presence online are compliant. Technology advances often result in web pages in social media that act as customer service extensions. Any transmission of data or storage of protected information offsite or in the Cloud must be compliant. Fortunately, eCommerce companies don't need to be overwhelmed by restrictions and compliance issues because they can hire third-party consultants like Clarity. We specialize in HIPAA compliance and secure portals to transfer PHI. Are All Webforms Required to be HIPAA? Even simple opt-in forms on websites must comply with HIPAA regulations if the forms collect any kind of personal health information. For example, if website forms only ask for names, email addresses, phone numbers, and physical addresses (i.e., information readily available on the internet), then the forms don't need to be HIPAA compliant. However, if any medical, insurance, social security, or other information is required, the form must comply with HIPAA regulations, and the storage and transmission of the data collected must adhere as well. Are You Secured? COMPLIANCE STARTS WITH DESIGN Website Design Major eCommerce companies usually employ a team of designers for their websites, stores, and online catalogs, and if the website is required to comply with HIPAA, these professionals should know this information and act accordingly. However, that's not the way things always work. Designers can overlook key elements, and unless your designer is familiar with HIPAA rules, it's in the company's best interest to confirm compliance. Design issues related to HIPAA compliance include: Ensuring that information being transmitted is always encrypted Implementing safeguards to prevent tampering Hosting websites on servers that are secured with HIPAA security rules or a HIPAA Business Associate Agreement Limiting access to PHI to authorized staff Backing up all PHI information in ways that ensure the data is recoverable THE ADVANTAGE OF INTEGRATED ECOMMERCE Integrate HIPAA with eCommerce It’s important to remember that a website isn’t just about protecting HIPAA-protected information. The medical field is a business, after all, and the eCommerce side has to be considered as well. It’s especially critical to choose the right eCommerce and HIPAA development partner to create the most secure portals and websites possible. Clarity has been designing and building HIPAA compliant portals that incorporate eCommerce platforms for more than 15 years. We understand the challenges that come with our clients' projects and the need to secure private information, whether health-related or financial. Tell us what you need protected and we’ll protect it. Contact The Proven HIPAA Integration Experts Does all of the above sound like a lot? It is, and it gets more complicated by the day. Clarity Ventures specializes in secure customizations for eCommerce, so our team has an edge when it comes to building HIPAA compliant websites. You won't run the risks of noncompliance or be subject to penalties, fines, or a ruined reputation with customers. You face unique challenges when you offer healthcare services, but we love addressing these challenges and can help you design, build, and maintain a compliant website. You have lots of questions; contact Clarity for answers to your questions, a free consultation, or a no-obligation price quote. Clarity Can Help References: [1] HHS.gov: HIPAA Privacy Rule and Sharing Information Related to Mental Health www.hhs.gov
1. Create a HIPAA Compliance Website Checklist The first step in a HIPAA compliant checklist is creating a checklist that serves needs specific to your company. Having a plan in place for HIPAA compliant website design and hosting is one of the most important business objectives you’ll ever pursue. Don’t approach this haphazardly; you need to have a personalized HIPAA compliance website checklist to ensure you meet every HIPAA standard.
2. Research Healthcare Industry Needs When considering the needs of your website, you must first consider the HIPAA laws in place that affect every healthcare provider and then personalize your plan to comply. Simple, unsecured websites are no longer an option, even if you just include a contact form for patients to fill out. Be sure to find trusted information so that you can find an IT partner familiar with HIPAA compliance.
4. Learn HIPAA Website Basics Before you understand how to make your website HIPAA compliant, familiarize yourself with HIPAA regulations. HIPAA regulations stipulate healthcare websites must: Implement rules and safeguards to protect patient health information. Limit sharing of confidential data to authorized stakeholders who directly help patients in some way. Ensure any business associates or corporate partners also safeguard PHI and share information only when done so in each patient's best interests. Limit who can access PHI and train employees about security and confidentiality best practices.
5. Research and Follow HIPAA Rules HIPAA rules don’t stop with information protection; it’s also adamant about tracking information access. They also require covered entities to keep track of who has viewed PHI, why they are accessing it, what they are accessing, and if the information has been transferred in any way. Working with an eCommerce and HIPAA integration company that has experience protecting both is a must.
7. Use HIPAA Compliant Contact Forms Any page that allows patients to submit information can be considered a contact form. This includes pre-visit health surveys, patient portals, and live chat facilities. Even the simplest contact form has to be secure; a person contacting a doctor will not want anyone to have easy access to their inquiries regarding particular health problems.
8. Protect HIPAA Compliant Web Servers PHI must be protected at every step. HIPAA compliant servers must include the most secure protection available while PHI is in the Cloud, but it also must be secure during any sort of internet transfer. That includes end to end encryption for any information that is sent back to the or between healthcare providers. Collecting PHI If your website collects any individually identifiable medical information, such as symptoms, conditions, or requested healthcare services, you are collecting PHI. That information must be ferried securely to the web server. Storing PHI Whether you store the PHI on your own server or on a third-party server, you must ensure that the security of the information is HIPAA compliant and that regular maintenance is done to keep it so. Transmitting PHI PHI must also be secure and encrypted when it is transferred in any way. This includes direct transfer between servers, via email, or any other digital transference.
9. Install a Robust SSL Certificate Secure Sockets Layer (SSL) is the industry standard for transferring data over internet channels, usually between a web server and a browser. SSL certificates make sure that data is encrypted from end-to-end and is not readable by third parties. The “s” in https// that is found on most websites indicates that any information transferred on that site will be secure. Some of the best low-cost — or even free — SSL Certificate providers are: Comodo SSL For Free Cloudflare Let’s Encrypt Instant SSL Be careful; free SSL certificates often don’t offer the most stringent security and aren’t always HIPAA compliant. Properly installing an SSL can be tricky business as well. Since it’s one of the most important parts of this HIPAA compliant website checklist, you’ll probably want to trust this step to a company familiar with HIPAA compliant database design. We’ll take care of it for you.
11. Finding a Hosting Provider Don’t trust just anyone with your web hosting. HIPAA compliant web hosting requires some of the most robust security available. Since security is so important to your business, make sure you find one that specializes in HIPAA compliant web hosting.
12. Securely Back Up Data Backing up patients’ PHI — perhaps a lifetime’s worth of data — is a must. But backups usually mean that data is being duplicated from server to another. Protection must be just as protected during the backup as when it’s on the original server.
Clarity HIPAA Guidelines & Resources Additional Features & Capabilities 12 Step HIPAA Compliant Website Checklist HIPAA Guidelines Overview HIPAA Compliance and Your eCommerce Project HIPAA Compliant eCommerce Integration HIPAA Compliance Challenges HIPAA Web Development Services Selecting a HIPAA eCommerce Dev Team Access Restriction & Role-Based Security Sensitive Data Email Standards & Best Practices Business Risks of HIPAA Data on Unsecured Websites Compliance Requirements & Best Practices Handling Patient Specific Prescription Information Integrating Healthcare Insurance and HIPAA eCommerce Handling PHI Complaint Prescription Data Protect Your HIPAA Data with Tokenization HIPAA Security Rule and eCommerce HIPAA Privacy Rule and eCommerce Auditing Software & Security Testing Website Security Monitoring for HIPAA Compliance Best Practices for Securing HIPAA for eCommerce
