Understanding What HIPAA Means for Your Site
Any medical practice or eCommerce company selling medical equipment could face issues of HIPAA compliance. Businesses bear an increased duty of care to their customers when they handle confidential, protected health information (PHI). These companies need to comply with HIPAA regulations, and for eCommerce companies, the company's software and eCommerce platform end up handling most of these issues. It is especially critical for these companies to choose the right eCommerce partner; otherwise they risk security breaches, noncompliance fines and penalties, and a loss of credibility with customers, either because clients' medical information is exposed or because customers can't get advanced functionality based on their electronic medical or health records.
Duty of Care for HIPAA Compliance
Companies that are subject to HIPAA regulations are referred to as covered entities, and these include organizations like companies that sell healthcare products, pharmacies, nursing homes, and doctor, dentist and psychologist practices that transmit information as electronic medical or health records. Covered entities include health insurance companies, HMOs, government agencies that subsidize health care, military and veterans organizations and even eCommerce companies that sell products like wearable devices that access and monitor people's health.
HIPAA regulations can be extensive, complex and subject to change and interpretation as to the specifics and best practices, so this resource page is only meant as an outline and guide and not a complete checklist. Covered entities bear the final responsibility for their own compliance with all of HIPAA’s regulations and guidelines. The rules are meant to protect privacy and confidential health information while creating a framework for sharing information that provides patient benefits like making faster diagnoses, matching patients with medical technology and collaborating on health care issues. HIPAA regulations, in a simplified version, ask companies to do the following four things:
- Implement rules and safeguards to protect patient health information.
- Limit sharing of confidential data to authorized stakeholders who directly help patients in some way.
- Ensure that any business associates or corporate partners also safeguard PHI and share information only when done so in each patient's best interests.
- Limit who can access PHI and train employees about security and confidentiality best practices.
Four HIPAA Compliance Rules
There are four HIPAA security rules that further define how covered entities and business associates safeguard protected health information. The four rules are:
- HIPAA Privacy
- HIPAA Security
- HIPAA Enforcement
- HIPAA Breach Notification
In the normal course of business operations, only the first three rules apply to covered entities and their business associates. The last rule comes into play only when websites or physical access points are breached and there is a risk that protected health information has been compromised.
1. Privacy Rule Considerations
Most people believe that their medical information is 100-percent protected, but under the rules of the Health Insurance Portability and Accountability Act (HIPAA), health care providers can share information with family members in certain circumstances of reduced mental or physical capacity in adults, or share data with parents or guardians in the case of minors. Generally, HIPAA regulations prevent sharing or exposing confidential information in electronic, written and oral forms. This means that a covered entity's duty of care extends even to discussing health records over the phone, where they could be overheard by unauthorized people. In many cases, outside service providers need access to information in order to provide medical services, so these cases are exempted from the privacy restrictions. The privacy rule applies to computer information about patients, conversations between doctors and medical staff, billing information, medical charts and prescription information.
2. Security Rule Considerations
National standards of security protect information in medical private practice databases, eCommerce customer lists where medical records are part of the database, medical clearinghouses, pharmacies, insurance companies and other covered entities and business associates. The HIPAA security rule has three components: technical safeguards, administrative safeguards and physical safeguards. Some of the major highlights of security-rule regulations include, but aren't limited to, the following points:
- Performing periodic risk analyses to determine physical and digital vulnerabilities
- Reducing risks to acceptable levels
- Regularly reviewing system activities, digital logs and audit trails
- Authorizing and supervising the employees who have access to PHI
- Protecting PHI from unauthorized parent companies, subcontractors and partner organizations
- Sending regular updates to staff members about security issues and training employees to recognize malware, malicious software and other virtual and real-world threats
- Implementing a system of access controls
- Providing encryption and decryption tools
- Facilitating safeguards like automatic logoffs
- Establishing mandatory policies for using work stations and mobile devices
3. Enforcement Rule Considerations
The HIPAA Enforcement Rule mostly concerns penalties and investigations when companies are found to be noncompliant, but eCommerce companies do have some enforcement responsibilities through the administrative section of the security rule. These include getting authorization forms for disclosing information to third-party sources, providing customers with a Notice of Privacy Practices and drawing up Business Associate Agreements for partners to acknowledge their responsibilities under HIPAA.
4. Breach Notification Rule Considerations
Many eCommerce companies will never deal with breach notifications, but many will. Breaches occur when unauthorized people gain access to protected health information in some manner that's not permitted under the HIPAA Privacy Rule. These breaches include unauthorized access to physical areas, inadvertent disclosures, stolen or misplaced documents and digital hacks. If any of these situations occur, covered entities must:
- Determine if PHI is compromised.
- Assess the type and amount of data involved.
- Find out who used the PHI illegally or to whom information was disclosed.
- Chronicle steps taken to mitigate the breach.
- Ascertain whether the breach was closed or the information returned before being used, or whether the breach occurred inadvertently under a covered associate's or entity's authority.
- Send notices of incidents that are determined to be breaches to each patient's last known address by first class mail, or by email if electronic notifications are authorized. The notice must be written in easy-to-understand language and include a summary of how the situation occurred, the date of exposure and other relevant details.
Specific Concerns for Covered Entities and Their Business Associates
Covered entities and associates must consider not only whether their websites are compliant with HIPAA regulations but also whether every form of their online presence is compliant. Technology advances often result in web pages and social media accounts that act as customer service extensions. Any transmission of data, or storage of protected information offsite or in the cloud, must be compliant. Fortunately, eCommerce companies don't need to be overwhelmed by restrictions and compliance issues, because they can hire third-party consultants that specialize in HIPAA compliance and supply specialized HIPAA-compliant components like secure online forms.
Even simple opt-in forms on websites must comply with HIPAA regulations if the forms collect any kind of health information. For example, if website forms only ask for names, email addresses, phone numbers and physical addresses, then the forms don't need to be HIPAA compliant. However, if any medical, insurance, social security or other information is required, the form must comply with HIPAA.
Major eCommerce companies usually employ a team of designers for their websites, stores and online catalogs, and if the website is required to comply with HIPAA, these professionals should know this information and act accordingly. However, that's not the way things always work. Designers can overlook key elements, and unless your designer is HIPAA-certified, it's in the company's best interest to confirm compliance. Design issues related to compliance include:
- Ensuring that information being transmitted is always encrypted
- Implementing safeguards to prevent tampering
- Hosting websites on servers that are secured according to the HIPAA Security Rule or covered by a HIPAA Business Associate Agreement
- Limiting access to PHI to authorized staff
- Backing up all PHI in ways that ensure the data is recoverable
How Clarity Can Help
At Clarity, we specialize in customizations for eCommerce, so our team has an edge when it comes to building websites that comply with HIPAA regulations. You won't need to worry that your healthcare clients will run the risks of noncompliance or be subject to penalties, fines or even more undesirable damage to their reputations with customers. You face unique challenges when you sell healthcare products and services, but we love addressing these kinds of challenges and can help you design, build and maintain a compliant website. You have lots of questions, so call or contact us at Clarity today for answers to these questions, a consultation or a free, no-obligation price quote.