As healthcare providers, you’re well versed in HIPAA compliance, but did you know that your practice’s website may also be required to have HIPAA safeguards in place to ensure you’re not exposing Protected Health Information (PHI)? As technology advances, HIPAA rules stretch further and further beyond your office walls, requiring more diligence on your part to be compliant. Anywhere patient information is collected, it must be kept safe and secure. If your website collects, stores or transmits PHI, it needs to be compliant with HIPAA regulations.
Some ways PHI might be collected on your website:
- Contact forms
- Patient Portals
- Online Patient Forms
- Live chats
- Patient reviews or testimonials
- Any information-collecting tools on your website
If your website is collecting PHI and you’re not taking the necessary measures to protect it, then you are in violation of HIPAA law. Read on to learn how to make your website HIPAA compliant and avoid compromising your patients’ data and potentially damaging your business and reputation.
How to Make Your Website HIPAA Compliant
Whether PHI is traveling to or from your website or being stored on your server, you’re required to have safeguards in place for your website to be HIPAA compliant.
Start by following these steps.
Purchase and implement an SSL Certificate for your website:
SSL (now TLS) certificates secure online communications by encrypting the data exchanged between a visitor’s browser and your website (HTTPS), so that only the intended recipient can read it. This is important because data sent over the internet passes through several computers before it reaches its destination server, and you don’t want PHI to be readable by anyone other than the recipient.
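A certificate only protects PHI if every page that collects it is actually served over HTTPS. The following is an added example, not code from the original article or from Central Data Storage: a small WSGI-style helper that redirects plaintext requests to HTTPS, refuses form submissions that arrive over plain HTTP (the data would already have crossed the wire unencrypted, so replaying it is not the fix), sets an HSTS header so browsers never try HTTP again, and marks PHI pages as non-cacheable. The path prefixes and host name are constructed for the example.

```python
"""Enforce HTTPS for a clinic website (hypothetical WSGI middleware).

Added example; not part of the original article. Assumes a WSGI-like
request environ ('wsgi.url_scheme', 'REQUEST_METHOD', 'HTTP_HOST',
'PATH_INFO', 'QUERY_STRING') and a constructed list of PHI paths.
"""
from urllib.parse import quote

# Constructed: site paths that collect or display PHI.
PHI_PATH_PREFIXES = ("/portal", "/forms", "/contact", "/chat")

ONE_YEAR_SECONDS = 365 * 24 * 3600


def is_phi_path(path):
    """True when the path is, or sits under, a PHI-bearing prefix."""
    return any(path == p or path.startswith(p + "/") for p in PHI_PATH_PREFIXES)


def https_redirect(environ):
    """Return (status, headers) for a plaintext request, or None if the
    request already arrived over HTTPS.

    GET/HEAD are redirected to the same URL over HTTPS. Any other method
    (a form POST, for instance) is refused: the PHI in its body was already
    sent unencrypted, and the right fix is HSTS plus HTTPS-only form
    actions, not a redirect that replays the submission.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return None
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method not in ("GET", "HEAD"):
        return ("403 Forbidden", [("Content-Type", "text/plain")])
    host = environ.get("HTTP_HOST", "")
    location = "https://" + host + quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    if query:
        location += "?" + query
    return ("301 Moved Permanently", [("Location", location)])


def security_headers(path):
    """Headers added to every HTTPS response. PHI pages also get
    Cache-Control: no-store so PHI is not left in browser or proxy caches."""
    headers = [
        ("Strict-Transport-Security", f"max-age={ONE_YEAR_SECONDS}; includeSubDomains"),
        ("X-Content-Type-Options", "nosniff"),
        ("Referrer-Policy", "no-referrer"),
    ]
    if is_phi_path(path):
        headers.append(("Cache-Control", "no-store"))
    return headers


def hipaa_https_middleware(app):
    """Wrap a WSGI app: enforce HTTPS and add the security headers."""
    def wrapped(environ, start_response):
        redirect = https_redirect(environ)
        if redirect is not None:
            status, headers = redirect
            start_response(status, headers)
            return [b"Use https:// to reach this site.\n"]

        path = environ.get("PATH_INFO", "/")

        def start_with_headers(status, headers, exc_info=None):
            return start_response(status, headers + security_headers(path), exc_info)

        return app(environ, start_with_headers)
    return wrapped
```

Wrap the site’s WSGI application as `hipaa_https_middleware(app)`; the HSTS header is what turns the one-time redirect into a browser-side rule, so keep the `max-age` long once you are confident every subdomain serves HTTPS.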
Use HIPAA compliant web forms:
HIPAA compliant web forms use end-to-end encryption to protect PHI collected through website forms against unauthorized access, both in transit and at rest. This ensures that only the intended recipient, who holds the decryption key, can access and view the data.
Store data on a HIPAA Compliant Server:
PHI must be stored securely and be encrypted to ensure that malicious parties won’t gain access to it. To do this you will need a HIPAA compliant server. There are many requirements for a HIPAA compliant server, which include: complete data encryption, proper encryption key management, user authentication, unique user IDs, audit logs, server backups, physical security controls, dedicated infrastructure, integrity controls, HIPAA-trained support personnel, automatic updates, permanent data disposal methods, and a Business Associate Agreement (BAA) – see more on this below.
Use a HIPAA compliant hosting company or host it internally:
Signed Business Associate Agreements (BAAs) are required if you’re working with outside hosting vendors. Not all hosting companies will sign a BAA because there is a lot more work, liability, and costs associated with hosting websites that need added security. HIPAA compliant hosting companies usually provide two main aspects of HIPAA compliance. They sign a BAA and they deploy many of the Physical Safeguard requirements of the HIPAA Security Rule.
Restrict Office Staff Access:
Make sure your website has access controls in place. Only designated administrators should have administrative rights to your website. In addition, only authorized individuals should have access to patients’ PHI. This is important because even a minor change, like a change to a user’s profile, could result in a HIPAA violation.
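The access controls above come down to three things the server requirements in this article also list: a unique user ID per person, a role that grants the least access the job needs, and an audit log of every decision. The following is an added example, not code from the original article or from Central Data Storage; the roles, permissions and sample users are constructed for illustration, and a real site would load them from its user store.

```python
"""Role-based access control with an audit trail for a practice website.

Added example; not part of the original article. The role map, the
action names and the sample users are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed least-privilege role map. Only 'admin' may change site
# configuration or user accounts (the "minor change to a user's profile"
# the article warns about); clinicians may read and write PHI; the front
# desk may create intake records but not read a full chart.
ROLE_PERMISSIONS = {
    "admin":      {"site:configure", "user:manage"},
    "clinician":  {"phi:read", "phi:write"},
    "front_desk": {"phi:create"},
}


@dataclass(frozen=True)
class User:
    user_id: str   # unique per person; shared logins defeat the audit log
    role: str


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user_id: str
    action: str
    resource: str
    allowed: bool


class AccessPolicy:
    def __init__(self, roles=None):
        self.roles = roles if roles is not None else ROLE_PERMISSIONS
        self.audit_log = []

    def is_allowed(self, user, action):
        """Pure decision: does the user's role grant this action?"""
        return action in self.roles.get(user.role, set())

    def authorize(self, user, action, resource, now=None):
        """Decide, record the decision (allowed or not), and raise on denial.

        Logging denials as well as grants is what lets a later review spot
        a staff account probing for PHI it should not see.
        """
        allowed = self.is_allowed(user, action)
        when = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_log.append(AuditEvent(when, user.user_id, action, resource, allowed))
        if not allowed:
            raise PermissionError(f"{user.user_id} ({user.role}) may not {action} {resource}")
        return True

    def denied_events(self):
        """Denied attempts, the first thing to review in the audit log."""
        return [e for e in self.audit_log if not e.allowed]


def demo():
    """Constructed walk-through: front desk tries to read a chart."""
    policy = AccessPolicy()
    desk = User("jane.doe", "front_desk")
    doc = User("dr.smith", "clinician")
    policy.authorize(doc, "phi:read", "chart:1001")
    policy.authorize(desk, "phi:create", "intake:1002")
    try:
        policy.authorize(desk, "phi:read", "chart:1001")
    except PermissionError:
        pass
    return policy


if __name__ == "__main__":
    for event in demo().audit_log:
        print(event)
```

Keep the decision function (`is_allowed`) free of side effects so it can be unit-tested against the role map, and keep `authorize` as the only path the web handlers call, so nothing reaches PHI without leaving an audit event.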
Use an encrypted email server to send all emails containing PHI:
Sending emails that contain PHI without an encrypted email server leaves them vulnerable to be intercepted or viewed by unauthorized individuals. HIPAA compliant email servers ensure emailed PHI is secure, private, and only accessible by authorized individuals.
Keep a signed Business Associate Agreement on file for all third-party vendors that have access to your patients’ PHI:
If you choose to use vendors to make your website, have them sign a BAA and keep it on file. A BAA is required for all service providers that handle PHI. Partnering with other companies that also have processes for protecting PHI can help ensure that data isn’t being compromised due to ignorance or negligence.
Establish processes to back up and restore PHI as needed:
Any patient data collected by your website needs to be backed up along with your other data to avoid complete data loss. Your practice relies on data to operate, but accidents happen every day that could compromise your data, reputation and future business success. Risks like laptop theft or loss, a hard drive crash, a virus download, a ransomware attack or even an employee error could spell disaster for your business. Check out our Disaster Recovery Planning Checklist and 5-Step Guide to Create Your Own Disaster Recovery Plan to learn more about establishing processes to back up and restore PHI.
Securely destroy PHI that is no longer needed:
HIPAA law requires that you permanently delete any data (not bound by state-regulated medical record retention periods) that’s no longer needed by your practice. If you have PHI from a patient who has left your practice, and state law does not require you to retain it, you must permanently delete their PHI from your servers so that it is not recoverable.
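The two halves of that rule, check retention first and then delete in a way that is not recoverable, are easy to get wrong in either direction. The following is an added example, not code from the original article or from Central Data Storage. It stores each record as a file and uses a placeholder retention period that the practice must replace with the period its own state requires. Overwriting before unlinking is the traditional approach for spinning disks; on SSDs and copy-on-write storage it is not dependable, and the reliable method there is to keep records encrypted and destroy the record’s (or volume’s) key, as the comments note.

```python
"""Retention check plus non-recoverable deletion of a stored PHI record.

Added example; not part of the original article. RETENTION_YEARS is a
placeholder: retention periods are set by state law and the practice's
own policy. Records are assumed to be single files.
"""
import os
from datetime import date

RETENTION_YEARS = 7      # placeholder; replace with the period your state requires
OVERWRITE_CHUNK = 1 << 16


def retention_expired(last_activity, today, years=RETENTION_YEARS):
    """True once `years` have passed since the record's last activity."""
    try:
        cutoff = last_activity.replace(year=last_activity.year + years)
    except ValueError:
        # Feb 29 with a non-leap target year: fall back to Feb 28.
        cutoff = last_activity.replace(year=last_activity.year + years, day=28)
    return today >= cutoff


def secure_unlink(path, passes=1):
    """Overwrite the file contents, flush to disk, then remove the file.

    Adequate for magnetic disks. On SSDs, RAID controllers and
    copy-on-write filesystems old blocks can survive an overwrite, so
    there the record should be stored encrypted and disposal done by
    destroying its key (crypto-shredding).
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(OVERWRITE_CHUNK, remaining)
                f.write(b"\0" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)


def purge_record(path, last_activity, today, audit):
    """Delete a record only if its retention period has expired.

    Every decision, retained or purged, is appended to `audit` so the
    disposal process itself is documented.
    """
    if not retention_expired(last_activity, today):
        audit.append(("retained", path, today.isoformat()))
        return False
    secure_unlink(path)
    audit.append(("purged", path, today.isoformat()))
    return True
```

Run `purge_record` from a scheduled job over records whose patients have left the practice, and keep the `audit` list somewhere durable; the record of *when* something was disposed of is itself evidence of compliance.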
The Final Test
Once you have implemented the safeguards above ask yourself:
- Are we encrypting all our patient health information when it’s shared (with other providers, for example)?
- Do we have safeguards in place to ensure PHI can’t be tampered with, altered, or viewed by unauthorized individuals?
- Is all our patient health information backed up to a HIPAA compliant server?
- Is all our patient health information retrievable?
- Is information that is no longer needed properly disposed of?
- Do we have signed BAAs with all our service providers and vendors who handle PHI?
If you answered “no” to any of these questions, you still have some work to do and may need to reference the tips listed above. If you answered “yes” to everything we commend you on your data diligence!
Partner with HIPAA Compliant Vendors
Your website is another location that might be collecting PHI that is directly associated with your practice. If it is, this data must be encrypted when it’s being transported and stored in order to be compliant with HIPAA law.
If you need help complying with HIPAA laws or have questions, leveraging HIPAA compliant vendors who are experts can be extremely beneficial, cost-effective, and time-efficient. At Central Data Storage, we offer a HIPAA compliant backup and recovery solution that ensures PHI is encrypted, securely stored, and retrievable. We are experts at ensuring our customers’ data is private and secure. If you want to learn more about our products and services, visit www.centraldatastorage.com/opendental or give us a call at our toll-free number, 1-888-907-1227.