What You Need to Have a HIPAA-Compliant Website

Patients are looking online to find health-related information more than ever before. If you want those patients to find your practice, it is critical that you have an active web presence. However, it’s understandable that HIPAA laws are a concern.

It can be a challenge to have a HIPAA-compliant web presence, but it isn’t impossible. Ensure that your website has these critical elements to comply with HIPAA.

1. All patient data must be encrypted.

Information from contact and appointment request forms are the most vulnerable part of your site. If you also offer online check-in forms (rather than PDF versions), they are also at risk. Any forms that collect patient information are required to be encrypted. That means acquiring an SSL (secure sockets layer) certificate and using it on any area of your site where private information is accessed. If you have ever purchased anything or made a payment online, you have used a site with SSL-protected pages. You can also recognize SSL-protected pages by looking at the URL–it will begin with “https” instead of “http.” SSL complies with HIPAA’s standards of data encryption and security–it keeps private patient information safe much in the same way it keeps your credit card information safe.

2. Data must be stored on a HIPAA-compliant server.

At a minimum, your server should have a virtual or dedicated firewall, offsite backup, antivirus, and OS patch management to stay HIPAA-compliant. You should also make sure that data is encrypted when it is stored on the server. When you are looking for a hosting service for your website, make sure that your hosting company has these features to keep your practice protected.

3. HIPAA-protected information must be sent through a secure network.

When you start collecting patient information via contact and appointment request forms, you may wish to have the information sent to you by email. While it is possible, you should proceed with caution. HIPAA-protected information should never be sent through an unencrypted network to an insecure email account. If you want to receive this data by email, it must be encrypted end-to-end. You can work with a HIPAA-compliant email provider to be able to receive the form information via email. Another option would be to store the information on your HIPAA-compliant server, and set up email alerts any time new data is submitted by a user on your website. This way, you wouldn’t receive any information via an insecure connection. You would instead log into your server account to retrieve the information.

4. When disposing of data, do so properly.

Practices are required to retain patient records for a certain period of time, which can vary depending on the nature of the data and by state. After that time period, if the data is no longer needed, it is highly recommended that practices dispose of the information. All backups and archives of the information must be deleted, as well as any data stored on your server. The HIPAA laws do not recommend a method of disposal, but the U.S. Department of Health and Human Services has issued guidelines on the disposal of data. For electronic data, the guidelines recommend using software or hardware products to overwrite the information with non-sensitive data, purging the data (exposing it to a strong magnetic field to disrupt the recorded information), or destroying the data via disintegration, pulverization, melting, incinerating, or shredding.

You may hire an outside company to help you with this, but if you do, make sure you have a Business Associate Agreement (BAA) in place. This agreement will not absolve your practice of responsibility for HIPAA violations, but it will make clear what responsibilities fall on the outside company.

5. You must have a copy of your privacy policy on your website.

Your privacy policy must be regularly updated to keep up with any changes in the law or your practice’s privacy policy to stay HIPAA-compliant. Complete guidelines can be found on the U.S. Department of Health and Human Services website. HealthIT.gov is also a great resource in developing your privacy policy–they have sample privacy notices available to download.

Since practices are required to employ a HIPAA Privacy Officer, these responsibilities should be covered by that position. Make sure you hire a HIPAA Privacy Officer who can make sure your website stays up to date on all of the latest HIPAA standards.