
If your website collects, stores, or transfers Protected Health Information (PHI), then you must ensure it is compliant with the Health Insurance Portability and Accountability Act (HIPAA). This US federal framework sets requirements for protecting PHI from unauthorized access and misuse while keeping it accessible to clients.
If you own and host the website in-house, you must guarantee HIPAA compliance or risk legal action and fines. There are also cases when healthcare-related websites are exempt from HIPAA compliance, and there's no need to spend resources on it.
What is HIPAA compliance?
HIPAA compliance means that your website or application keeps clients' healthcare information both secure and accessible. PHI consists of two elements: identifiers and health information.
The former are name, address, contact details, financial information, and other kinds of personal data. The latter refers to medical conditions, submitted health forms, test results, appointment information, and other medical records.
Compliance consists of three major categories. The privacy rules govern access to PHI: patients must have ownership rights over their medical data, including easy and continuous access to it, and the rules specify when and how PHI may be disclosed to third parties and used internally.
The security rules protect the confidentiality, integrity, and availability of electronic PHI (ePHI) and are specifically focused on digital information. They require safe collection, storage, and transfer of ePHI, including physical device security, and they establish ePHI access rights that protect it from unauthorized third parties and internal misuse.
Last are the breach notification rules. If PHI is compromised in any way, the organization must inform the affected parties in a timely manner. Failing to do so results in significant civil monetary penalties, which are tiered.
The first tier applies when the organization was not aware of the data breach and could not have known about it. The second tier is when the organization could have known of a PHI breach, but there was no willful neglect involved. The third tier is when an organization knowingly neglects these duties, but corrects them within 30 days. The fourth tier is when a violation has an element of willful neglect and is not corrected.
It's worth noting that PHI data breaches usually incur severe reputational damage. Because PHI is extremely personal, a failure to protect it draws wide attention and results in expensive settlements. For example, the health insurance company Elevance Health (formerly Anthem, Inc.) paid a $16 million settlement for violating HIPAA rules.
When does your website need HIPAA compliance?
Firstly, it's worth noting that HIPAA compliance applies to all parties that deal with PHI your organization manages. That is, if you transfer or share PHI with third parties, they must also adhere to HIPAA rules.
The only exemption is payment processors, and solely for the payment function. If the payment processor uses the data in any other way, like printing an invoice, it must also comply with HIPAA.
So, when does HIPAA apply to your website? Broadly, it applies if you deal with PHI in any way. That is, it applies if you collect, store, analyze, or share PHI.
For example, patients can submit healthcare forms on your website and also schedule appointments. You must ensure that form submission is secure. If you use a third-party integration to schedule appointments, like Calendly, you must ensure the data is also protected on their end.
That is done, in part, by signing a Business Associate Agreement (BAA). A BAA is an efficient way of verifying whether third parties take PHI security seriously. It also transfers liability away from your organization if third-party tools that you use but do not control leak PHI.
But not all healthcare-related websites require HIPAA compliance. Suppose you are running a dental hygiene business where you sell dental products. Your website advertises your commodities and lets users place orders.
However, it does not collect any PHI; it only accepts payments. In this case, you don't deal with any personal health information, so HIPAA does not apply.
How to make your website HIPAA compliant?
If you own, manage, and host your website and it deals with PHI in the ways discussed above, you must adhere to HIPAA rules. I recommend thoroughly reviewing the whole document on the official HIPAA website. For a summarized version, see the HIPAA compliance instructions below.
The first stage covers the administrative work: you assess risks, establish BAAs, perform required employee training, and set a breach notification plan. You must clearly define what PHI you collect and map the possible vulnerability points.
For example, if you run an AI-powered chatbot that deals with PHI, you must ensure it is safe to use. Establish a BAA with the chatbot vendor and review its security practices, like data encryption and access controls. Establish BAAs with all third parties that deal in any way with the PHI you collect.
Your employees who interact with the website or PHI must undergo training. They should be able to access PHI securely, without exposing it to third parties. They should also be able to store it securely and share it within or outside of the company using data encryption.
Lastly, develop a clear and easy-to-follow breach notification plan. It usually involves cybersecurity specialists to investigate the incident, legal specialists to assess the severity of the HIPAA violation, and public relations professionals to notify the affected parties and the public.
The second stage is the technical implementation, which is paramount because it is the first layer of PHI security. Keep in mind that many businesses delegate much of it to a HIPAA-compliant website hosting provider, which I will elaborate on shortly. If you host and manage the website yourself, here's what you should do.
All data transfers must be encrypted using TLS (the successor of SSL) or a no less strong encryption standard. All data, from website forms to chatbots to email, must be accessible only through the HTTPS protocol, which encrypts traffic in transit by default.
You must also encrypt stored data. Typically, this is done with the AES-256 encryption algorithm, which is the current worldwide standard. You must also take care of physical server security. Only authorized employees should be able to access the servers, and there should be multiple data backups in case of physical damage to a server, such as fire or flood.
Next, identify all technical vulnerability points on the website. Every interactive element that can expose PHI must be reviewed for security, and any new third-party components need BAAs, as in the first stage. You should also enable audit logging, which records access to PHI and lets you verify that the security controls you put in place work as expected.
The last stage is establishing a workflow to maintain HIPAA compliance in the future. Start with regular risk assessments: even if you do not change your website, new attack techniques may introduce vulnerabilities into systems that were previously secure.
Verify that all systems, including software, are updated as soon as updates are released. Keep in mind that PHI is highly sensitive, so leaking it because of a postponed update would likely cause severe reputational and financial damage.
Lastly, review and update existing BAAs. Verify that business associates respect the agreement. Although BAAs oblige them to protect PHI and transfer liability to them, a breach would still have negative consequences for your organization as well as for whoever caused it.
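What the two technical controls above, encryption at rest with AES-256 and audit logging, look like in code, as an added Go example that is not from the page or from any hosting provider: a small in-memory PHI store that accepts only a 32-byte key (so the cipher really is AES-256 rather than AES-128), seals each record with AES-GCM, and writes an audit entry for every store and read, including failed ones. The Vault type, the actor identifiers and the record IDs are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// AuditEntry is one line of the access log the page calls audit logging.
type AuditEntry struct {
	When                    time.Time
	Actor, Action, RecordID string // hypothetical actor id; "store" or "read"; record key
	OK                      bool   // false when the record is missing or GCM authentication fails
}
// Vault keeps PHI encrypted at rest and appends to Audit on every access.
type Vault struct {
	aead    cipher.AEAD       // AES-256-GCM
	records map[string][]byte // recordID -> nonce || ciphertext || GCM tag
	Audit   []AuditEntry
}
// NewVault accepts only a 32-byte key; 16 or 24 bytes would silently select AES-128/192.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key)  // cannot fail: key length already validated
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return &Vault{aead: aead, records: map[string][]byte{}}, nil
}
// Store seals phi under a fresh random nonce, authenticating the record ID as extra data.
func (v *Vault) Store(actor, id string, phi []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.records[id] = v.aead.Seal(nonce, nonce, phi, []byte(id))
	v.Audit = append(v.Audit, AuditEntry{time.Now(), actor, "store", id, true})
	return nil
}
// Read decrypts a record; a miss or a failed GCM check is still logged, with OK=false.
func (v *Vault) Read(actor, id string) ([]byte, error) {
	ns := v.aead.NonceSize()
	if blob, ok := v.records[id]; ok {
		plain, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
		v.Audit = append(v.Audit, AuditEntry{time.Now(), actor, "read", id, err == nil})
		return plain, err
	}
	v.Audit = append(v.Audit, AuditEntry{time.Now(), actor, "read", id, false})
	return nil, errors.New("no such record")
}
```

Binding the record ID as GCM additional data means a ciphertext copied from one record to another fails authentication, and that failure shows up in the audit log, which is the kind of signal a breach investigation needs.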
HIPAA-compliant website hosting
Hosting websites is technically challenging, and adding HIPAA compliance adds even more complexity. In most cases, you will be working with a third-party website hosting company that provides HIPAA compliance services.
I will use Liquid Web as an example because of its clearly documented HIPAA compliance practices. Firstly, you choose the required website hosting plan and sign a BAA with the chosen provider. Keep in mind that if a hosting company refuses to sign a BAA, it is highly likely that its HIPAA compliance is false or overstated.
Before signing any agreements, review what cybersecurity features the hosting provider offers. Let's take a closer look at Liquid Web. Its servers are kept in data centers that guarantee physical security: the server room entrance is secured with an access card system, the building is NFPA 13 compliant for fire protection, and multiple generators keep the servers up in case of a power outage.
Its network security includes a Cisco firewall, intrusion detection and prevention, and filtering of incoming and outgoing traffic. Liquid Web uses Triple DES or AES-256 encryption, which is sufficient to be HIPAA compliant. It offers a VPN for safe remote access and network segmentation with a demilitarized zone.
There is an elaborate data backup policy. Around-the-clock accessibility to PHI is critical because people must be able to check their health information at all times. This hosting service makes regular backups as well as lets clients schedule backups according to business demands.
As you can see, HIPAA-compliant hosting providers offer dozens of features to maintain compliance. Large enterprises and corporations have sufficient resources to develop in-house solutions. This way, they can tailor a HIPAA compliance system aligned with the broader business environment.
However, that is expensive and technically demanding. For small-to-medium businesses, I recommend opting for a third-party web hosting solution. Make sure that your chosen provider offers real-time threat detection, automatic responses, continuous compliance monitoring, and HIPAA-related cybersecurity alerts.
Conclusions
Data security is essential for all businesses, but HIPAA compliance is especially crucial. Healthcare information is very sensitive as it can give away the most personal details. Also, maintaining uninterrupted access to PHI is paramount, as any kind of delay may have long-lasting negative consequences.
I outlined the essential workflow of preparing for HIPAA compliance. In most cases, I also advise using a HIPAA-compliant web hosting provider. Services like Liquid Web offer ready-made features that are expensive and technically challenging to develop in-house. However, you must still regularly take care of employee training, BAA reviews, and risk reassessment yourself.
FAQ
What is PHI, and how do I know if my website collects it?
PHI means Protected Health Information, which includes diagnosis, health history, doctor appointments, patient name, address, and other health-related details. If your website requires collecting and storing PHI for its function, then you must ensure HIPAA compliance.
Is using a HIPAA-compliant web hosting provider enough?
No, HIPAA-compliant web hosting is only one of several compliance tasks. You must also establish business associate agreements, train your employees to work with PHI, and continuously reassess possible risks to identify new vulnerability points and fix them.
Who is liable if a business associate causes a data breach?
In most cases, a business associate agreement transfers liability from the organization to the business associate. However, the Department of Health and Human Services can issue fines for both if it identifies that the organization also failed to meet HIPAA standards and was at least partially responsible for the data breach.
What is the 'minimum necessary' rule for PHI?
Collecting only the data that you need is a highly advisable data security practice. Regarding PHI, it means only asking for clients' details that are directly related to your services. For example, online health form questionnaires must be topic-specific, instead of collecting unnecessary personal information.