Healthcare data breaches have consistently trended upwards from 2012 to 2021. The regulations of running a website that is compliant with the Health Insurance Portability and Accountability Act (HIPAA) can be difficult to understand. But as you can see, you can’t afford to overlook them.
Unfortunately, many healthcare professionals are still a bit fuzzy on what HIPAA rules are necessary to follow when it comes to doing business online. To make it simple, the legislation demands that any website handling electronically protected health information must comply with the physical, technical, and administrative safeguards of HIPAA.
If you’re collecting protected health information (PHI), you need to prioritize having a compliant site and adhere to HIPAA-compliant website standards. Let’s take a look at what that means and the best ways to protect yourself from possible fines or even jail time.
Table of Contents
What is HIPAA?
HIPAA is a federal regulation that sets the standard for protecting and streamlining protected health information. To this day, this national standard holds everyone who works with this information accountable for its security. This not only includes healthcare workers who work directly in the field, but also third-party organizations, business associates, and the patients themselves.
How Do I Ensure My Website is HIPAA-Compliant?
Having a HIPAA-compliant website might sound easy to do, but there are a lot of moving parts! Anything involving HIPAA-compliance rules is not what I would say is “straightforward”, and if you work in the healthcare field, I’m sure you agree.
The easiest way to achieve HIPAA-compliance through your website is by outsourcing the responsibility to a hosting provider that specializes in healthcare services. Now, if you have a website and know that it is not up to compliance standards, there are steps you can take to secure your patients’ PHI. To create a HIPAA-compliant website, healthcare organizations and other businesses that work directly with PHI should consider the following points.
1. HIPAA-Compliant Web Hosting
When considering how to avoid compromised patient information, your web host should be on top of the list. This applies whether your organization is creating, transmitting, receiving, or maintaining ePHI. Your host should have HIPAA-compliant practices in place that have technical, administrative, and physical safeguards installed. If they don’t, it’s probably time to look for a different host!
A good web host should provide regular scans and updates to help prevent the compromise of PHI. Luckily if an issue does arise, HIPAA guidelines state that you have a time frame of 48 hours to resolve it… so it’s best to have a host that will quickly catch any security breaches!
2. Secure Sockets Layer (SSL) Certificate
Secure Sockets Layer (SSL) certification is essential for transferring data between internet channels, like your website and its server. Having an SSL certificate means that data stays encrypted and is not readable by third parties.
If your patients can use contact forms, appointment services, or chatbots through your site, having an SSL will protect that information. Making sure your web host can keep web forms secure will save you a lot of frustration and hassle in the future.
For reference, a web form is any information-collecting form that a patient or client fills out on your site. This usually includes forms that collect medical and health insurance information, which is then collected to create centralized medical records.
Any page that is on your website that allows patients to input information is a contact form. For example, we are talking about pre-visit health surveys, patient portals, live chat facilities, and so on.
An SSL is key when making sure that any data sent to your site by your patients is secure. Fun fact, the “s” in “https//” found in most websites indicates that any information transferred to that site will be secure.
3. Multi-Factor Authentication
Multi-factor authentication (MFA) access systems help to add another layer of security to your website. When going through your HIPAA-compliant audit checklist, this feature should be on top. MFAs use a multi-step account login action that requires more than just a password.
Cybercriminals regularly try to find passwords to access private information. If they discover one password, unauthorized access to multiple accounts will likely follow. MFAs disrupt criminal activity by adding another layer of security to the login process.
When looking for a web host, you want to make sure they offer a managed MFA access system. This system should also perform diagnostics on devices to ensure their health, blocking any infected devices that might be a risk.
4. Business Associate Agreements (BAA)
If you plan on working with other businesses or healthcare systems that involve ePHI, you need to sign a business associate agreement (BAA) with them. A BAA contract requires that outside businesses are HIPAA-compliant in their practice, saving you from liability if they leak your information.
Confirm that your website host or designer has BAAs with any third-party contractors. Failure to do so can end up being pretty costly, such as this case which led to a $1.5 million fine.
5. Restrict Access to PHI
This might not be website specific, but it is still important! Remember that not everyone in the office needs access to PHI. The same goes for online access. Restrict access to only those who need it to perform their job. Another example is PHI access to children’s records.
As your underaged patients get older, parents may have less access to their children’s records. Making sure you stay on top of these fine details by utilizing secure and up-to-date systems can save you from a potential lawsuit!
6. Develop and Implement Systems for Handling PHI
If your office or business does not have systems for directly handling PHI, it's time to develop them. At every step, you should make sure to protect this information. HIPAA-compliant services must be secure during internet transfer, which includes end-to-end encryption for any information sent between healthcare providers. These steps include:
Collecting PHI - collecting identifiable medical information such as symptoms, conditions, or requested healthcare services.
Storing PHI - storage on your own server or a third-party server.
Transmitting PHI - direct transfer between servers via email, text, or any other digital transference.
7. Offsite Backups
Having an offsite copy of daily backups for disaster recovery is very important, so let’s get into it. These backups of your business production system data are easily retrievable in case a restore is necessary.
While we are on the subject, having an onsite backup solution is also an option. The main difference is the geographical location of the stored data. Offsite backup uses an offsite server while onsite backup uses a local storage system and does not need internet access.
8. Provide HIPAA Compliance Training
While this might not be a service offered by your web host, it is still very important to remember when working with ePHI. Well, any PHI really. Providing HIPAA compliance training to your employees strengthens that first line of defense. Lack of knowledge of HIPAA protocols is one of the biggest risks when it comes to your daily office operations. This, unfortunately, is only complicated with the use of technology.
Make sure your employees understand how to stay HIPAA-compliant while interacting with ePHI by offering training. The good news is it doesn’t have to be boring! Offering online training that both properly educates your team and is also engaging is a balancing act, but isn’t impossible.
Just remember to look for these important HIPAA-specific topics in whatever training you do decide to use:
Privacy Rule
Security Rule
Enforcement Rule
Breach Notification Rule
Final Omnibus Rule
HITECH ACT
And remember that effective training comes with repetition. We suggest renewing your certification annually to stay up to date with these regulations.
9. Security of Data Center and Auditing
We recommend also looking beyond healthcare law certifications when judging a website host’s security stance. Also, make sure to take into consideration the audit aspect of protected information.
Refer to the American Institute for Certified Public Accountants (AICPA), Statement on Standards for Attestation Engagements 18, SOC 2 and SOC 3. This explains the audit report that is helpful when it comes to:
Security.
Availability of information.
Processing integrity.
Confidentiality.
Privacy of a system.
Having a system to produce these reports helps to ensure that your data is private while in storage. Also, it is available to you at any time. A SOC2 report will help you verify that the third party you work with has the ability to keep records online and the identity of your patients secure!
10. Managed Firewall
Protecting network traffic, including the flow of sensitive data, starts with a strong firewall. Firewall management is the process of monitoring a firewall (or even multiple firewalls) to maintain a safe network.
A managed firewall should include the following:
Prompt security responses.
Routine device health checks.
Log monitoring.
Authority over network ingress and egress points.
The system itself should include:
Load balancing.
Redundancy via a secondary firewall.
Global blacklisting.
Virtual private network (VPN) connectivity.
Stateful filtering.
Monitoring.
Reporting.
Conclusion
Every medical practice, healthcare provider, and business associate must adhere to HIPAA rules when they have an online presence that transfers PHI. Failing to do so can not only result in substantial fines but also tarnish the reputation of your company.
Clients trust their health to physicians and other healthcare professionals, and they want to feel their sensitive information is in good hands too!