How to make sure you have a HIPAA compliant website
by Rick Kuwahara COO of Paubox
93% of all business decisions start with an online search. This makes having a website vital for any business, including healthcare providers. However, healthcare providers need to take extra precautions to be sure they have a HIPAA compliant website.
A good website can help providers be “found” in online searches, give them credibility, and provide a way for potential patients to contact them. For healthcare providers, a good website can also make operations more efficient.
Imagine having patient intake forms available to be filled out and submitted online. Labs can create secure portals for doctors to view results and upload needed documents. Patients can get access to results and prescriptions.
However, a bad website can hurt credibility and even worse, as a physical therapy practice found out the hard way to the tune of a $25,000 HIPAA fine.
A quick note about HIPAA compliance and websites
It’s important to remember that HIPAA compliance for any covered entity means making sure reasonable steps are taken to ensure there are technical, physical and administrative safeguards in place to keep protected health information (PHI) safe.
For websites, this means that any time PHI is transmitted or stored, there are proper procedures and policies in place to go along with the technical security we’re going to talk about in this article.
For example, you can have secure cloud storage to hold PHI, but not have policies in place when it comes to sharing that information with others. Someone could still accidentally share or leak that information when they weren’t supposed to, which can result in a HIPAA violation.
Think about how many violations occur because a laptop was stolen. If policies and procedures weren’t in place to encrypt and secure the laptop, no amount of technology would help.
When does a website have to be HIPAA compliant?
The first thing to do is assess what things you want visitors to do when they visit your website. Do you want visitors to be able to send an email, do a live chat, fill out forms, upload documents, or access a patient portal?
Once you identify how a visitor will interact with your website, you can work on making sure those interactions result in a user-friendly, but secure, experience by considering the following:
- Are you transmitting any PHI online?
- Are you storing PHI on a server you are hosting?
If you are handling any PHI on or through your website, then you need to be sure it is HIPAA compliant. This includes even “simple” transactions like setting an appointment.
How do you make a HIPAA compliant website?
Remember the two things we’re going to consider? Are you transmitting any PHI, or storing PHI? Your answers to these questions determine which steps you need to take.
Chances are, most healthcare providers will transmit PHI at some point through their website if they allow for any sort of communication. Remember, even appointment setting is an example of transmitting PHI because it has identifiable personal information that will be used in relation to the care of a patient.
The first step that should be taken is to use SSL to secure your website. This will make sure that the initial leg in the transmission of PHI, from the patient’s browser to the web server, is secure. From there, the data can be either:
- Passed through to someone via email
- Stored on your web server
- Stored on someone else’s web server
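A practical check for the “use SSL” step is to confirm that every form on a page actually submits over HTTPS and by POST, since a form whose action points at an http:// URL, or one that uses GET, sends the patient’s answers in the clear or leaves them in URLs, browser history and server logs. The following is an added example written for this article, not code from Paubox; the page URL and the HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormAuditor(HTMLParser):
    """Collect every <form> on a page with its action, method and field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no method attribute defaults to GET in every browser.
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return (resolved form target, problem) for each form that would expose submitted data."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # Relative actions inherit the page's scheme, so resolve before checking.
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            findings.append((target, "submits over plain HTTP; field values are readable in transit"))
        if form["method"] != "post":
            findings.append((target, "uses GET; field values end up in URLs, history and server logs"))
    return findings


# Constructed sample: an intake page with three forms, two of them misconfigured.
PAGE_URL = "https://clinic.example/appointments"
SAMPLE_HTML = """
<form action="http://forms.example/intake" method="post"><input name="dob"></form>
<form action="/appointment"><input name="patient_name"><input name="reason"></form>
<form action="https://forms.example/secure-intake" method="POST"><textarea name="symptoms"></textarea></form>
"""

if __name__ == "__main__":
    for target, problem in audit_forms(PAGE_URL, SAMPLE_HTML):
        print(f"{target}: {problem}")
```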
If you pass through PHI
This is probably the easier method to use because it lowers the amount of additional work (and liability) needed to secure PHI.
If information is collected on a form and then passed through and emailed to an inbox, the data needs to be encrypted in transit and at rest.
Thankfully, there are lots of vendors that can send secure email and provide secure online web forms, including Paubox, whose solution eliminates portals, works with most email platforms such as Google Apps and Microsoft 365, and also offers email hosting.
If you store PHI on a server
Whether you choose to store data on your server or a third-party, it’s important to understand how to ensure that the hosting is HIPAA compliant.
Our friends at HIPAAHQ put together a great checklist that will help you ensure the hosting provider you choose incorporates the needed systems, procedures and technologies.
Some of the items on that checklist include policies to address physical security of the servers, established policies for the disposal of data if needed, and logs and audits of software and hardware use and access.
Many hosting providers can be configured to become HIPAA compliant, but there are also hosting companies like Atlantic.Net who specialize in HIPAA compliant website hosting.
Make sure to get a Business Associate Agreement
Regardless of which method you choose to make your website HIPAA compliant, if you are going to use a vendor, be sure they sign a Business Associate Agreement (BAA) with you. This is required of any service provider that manages or handles PHI on your behalf.
Let technology work for you
There are far more benefits than risks when it comes to having a website that adds value to your business. Although the growing number of HIPAA violations makes the headlines, there are far more successes than failures when it comes to integrating technology with your practice.
Utilizing the right technology in securing your website can improve your workflows, increase business and let you focus on patients and clients, not checking off boxes and adding extra steps.
Paubox provides HIPAA compliant solutions that can seamlessly secure PHI that’s transmitted from your website. Paubox focuses on delivering user-friendly encryption, eliminating extra steps and portals whenever possible.
Looking for a HIPPA compliant website?
People often get confused between HIPAA and HIPPA. HIPAA is commonly misspelled as HIPPA, and it’s easy to mistakenly google for “HIPPA compliant websites” or “HIPPA website.” Google, however, is smart enough to know the correct spelling and will point you to the right pages by default. In a nutshell, “HIPPA compliant website” and “HIPPA website” are not correct. “HIPAA compliant website” and “HIPAA website” are the correct search terms.