How To Make a HIPAA Compliant Website

April 6, 2022
It’s vital for organizations to have websites that are compliant with HIPAA guidelines. We’ll help you understand exactly how to create a HIPAA compliant website.

How to Make a HIPAA Compliant Website

Do you want to revamp your organization’s current website to make it HIPAA compliant? The key to a HIPAA compliant website is how it handles Protected Health Information, or PHI. PHI isn’t the only thing you’ll need to worry about, though, and not every organization needs a HIPAA compliant website in the first place, so let’s start there.

In this quick guide, we’ll break down how to find out if you need to be HIPAA compliant, and what you need to do in order to create a HIPAA compliant website if you fall under that requirement.  

A Quick Refresh on HIPAA Basics

Before we run down how to build a HIPAA compliant website, it will be helpful to brush up on the basics of HIPAA.

HIPAA (Health Insurance Portability and Accountability Act) is a federal statute that establishes privacy and security standards for medical data. The Department of Health and Human Services is the government department that enforces HIPAA and develops rules to execute it.

HIPAA is a medical privacy and security law that most people are familiar with, at least in name. HIPAA's original goal was to establish standards for exchanging electronic health data and to allow consumers to transfer and keep their health insurance after changing or losing jobs.

Under HIPAA, there are six main rules or acts: the Privacy Rule, Security Rule, HIPAA Enforcement Rule, HITECH Act, Breach Notification Rule, and Omnibus Rule. Let’s recap each of those briefly.

Individuals' PHI and medical data are protected under the Privacy Rule, which places restrictions on the kind of uses and disclosures that can and cannot be made without patient consent. Every patient has the right to see and get a copy of their records, as well as request corrections to their file, under this law.

The Security Rule establishes and governs the standards, methods, and processes for the storage, accessibility, and transmission of electronic PHI.

The HIPAA Enforcement Rule was instituted next once it was determined that many covered entities were still not complying with the Privacy and Security Rules. This rule gave the HHS the ability to investigate complaints made regarding potential non-compliance as well as the power to fine organizations that either had a breach or were out of compliance with any part of the regulation. 

Next, the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, was passed with the purpose of encouraging healthcare providers to adopt Electronic Health Records (EHRs). Along with it, a HITECH Act Enforcement Rule was issued that created tiers of financial penalties much higher than those in the past. The goal was to raise the cost of noncompliance and thereby emphasize the importance of HIPAA compliance.

Within the same year as the HITECH Act and HITECH Enforcement Rule, the Breach Notification Rule was also passed. This simple rule mandated that any breach of ePHI that affects 500+ people must be reported directly to the OCR, in addition to notice being sent to all individuals that the breach may have affected. 

Finally, in 2013, the HIPAA Omnibus Rule became effective. In addition to making small edits to some of the preexisting rules or acts we have mentioned, it also made one large change. This change is that now not only Covered Entities, but also Business Associates had to comply with HIPAA or else they were liable for violations. More about this can be found here, but the Omnibus Rule massively expanded the breadth of HIPAA and the net of people that now have to comply with it - hence why Accountable was founded in 2012. 

Does Your Website Need to be HIPAA Compliant? 

Building a HIPAA-compliant website is beneficial, but it is not necessary for most organizations or websites in general. Only if the website is utilized to collect, display, store, process, or transfer PHI is it required to be HIPAA compliant. There are no HIPAA requirements for your website if it simply promotes your organization, offers contact information, and lists the services you offer.

For example, let’s say you run a blog that posts about recent advancements in medicine and summaries of recent medical studies. Because you’re not directly dealing with PHI, you do not need to have a HIPAA compliant website. If your website is a web portal for dental patients to set appointments and upload paperwork for a particular practice, then you would need to ensure that website is HIPAA compliant.

How to Make a HIPAA Compliant Website

To build your HIPAA compliant website, follow these steps:

     1. Begin by using HIPAA-compliant web hosting.

The first line of defense against compromised patient information is your web host. Ask your existing host which HIPAA compliance standards it meets. If it meets none, it's time to look for a new host. HIPAA website hosting is an important first line of security for protected health information (PHI).

     2. Ensure that your website has an SSL certificate.

This is NOT optional. An SSL certificate is what lets your website establish an encrypted connection between each visitor and your web server. Consider this: if you seal a plastic bag containing liquid but the seal isn't secure, the liquid will leak. Similarly, an SSL certificate helps keep PHI from leaking while it travels between the patient and your site.

     3. Encrypt and Secure All web forms.

If your website allows patients to use contact forms, chatbots, or appointment services, make sure they are encrypted and secure.

     4. Insist on a contract with a business associate.

A business associate contract requires third-party organizations that handle PHI on your behalf to be HIPAA compliant in their procedures as well. This means that a debt collector pursuing unpaid bills must adhere to the same standards respecting protected health information as a nursing assistant taking a patient's temperature.

     5. Restrict Access to PHI to only those permitted.

Not everyone in the office needs access to PHI, and the same is true for online access. Just because someone is an employee of a medical group does not mean they need access to all PHI in order to fulfill their job function. To lay this out more clearly, the Privacy Rule contains the HIPAA Minimum Necessary Standard.

     6. Create and implement systems for accepting, storing, transferring, and destroying personal health information.

Take the time to build protocols for managing PHI if your workplace lacks them, and make them the standard moving forward. It is a potential violation, for example, if doctors collect PHI on unsecured tablets and leave them lying around the office. PHI can be handled in a variety of ways; the key is finding a HIPAA-compliant solution that works for you and your team.

     7. Provide HIPAA Compliance Training to everyone with access to PHI. 

This is a critical stage in achieving success. The importance of HIPAA training cannot be overstated. Without proper training, you can't expect your employees to understand and follow all aspects of HIPAA's sometimes-complex requirements. Make sure all personnel know how to complete their duties properly. HIPAA regulations call for periodic training, which means you’ll need to provide annual refreshers for all employees.
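The steps above, as an added example that is not part of the original post: an offline Python check for the controls in steps 2 through 4, run over a constructed page response (the patient-portal.example and forms.vendor.example names are assumptions). It goes slightly beyond step 3 by also flagging forms that post to another domain, since that third party would need a business associate contract (step 4).

```python
# Added example, not from the original post: audit one captured page for the
# controls in steps 2 to 4 (HTTPS, HSTS, forms posting over HTTPS to the site itself).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ONE_YEAR = 31536000  # HSTS max-age in seconds expected for an enforced policy


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def hsts_max_age(headers):
    """Parse max-age from a Strict-Transport-Security header (0 if absent)."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security", "")
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.isdigit():
            return int(number)
    return 0


def audit_page(page_url, headers, html):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    page = urlparse(page_url)
    if page.scheme != "https":
        findings.append("page is served over plain HTTP")
    if hsts_max_age(headers) < ONE_YEAR:
        findings.append("HSTS header missing or max-age shorter than one year")
    collector = _FormCollector()
    collector.feed(html)
    for action in collector.actions:
        target = urlparse(urljoin(page_url, action))  # relative actions resolve against the page
        if target.scheme != "https":
            findings.append(f"form submits over plain HTTP: {action}")
        elif target.netloc != page.netloc:
            findings.append(f"form sends data to third party {target.netloc}: BAA required")
    return findings


# Constructed sample: a portal page with a too-short HSTS policy and two risky forms.
SAMPLE_URL = "https://patient-portal.example/appointments"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=3600"}
SAMPLE_HTML = ('<form action="http://patient-portal.example/intake" method="post"></form>'
               '<form action="https://forms.vendor.example/submit" method="post"></form>'
               '<form action="/book" method="post"></form>')
```

Run `audit_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML)` to see the three findings for the constructed page; the `/book` form passes because it resolves to an HTTPS URL on the portal's own host.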
