HIPAA regulations for websites
The internet is a vast and ever-changing landscape, and HIPAA regulations for websites can look vague. A HIPAA-compliant website is required only if the website is used to collect, display, store, process, or transmit protected health information (PHI). If your website simply showcases your company, provides contact information, and lists the services you provide, HIPAA imposes no requirements on it. Before using a website to collect, process, store, or transmit PHI, you must make the website HIPAA compliant. You must also comply with HIPAA if patient information is stored on a server that is connected to your website. Take the necessary steps to secure PHI, control who can access it, and partner only with HIPAA-compliant organizations, so that you protect your patients' privacy and avoid violations and fines.
Four HIPAA Compliance Rules
Four HIPAA rules define how covered entities and business associates must safeguard protected health information. The four rules are:
· HIPAA Privacy
· HIPAA Security
· HIPAA Enforcement
· HIPAA Breach Notification
HIPAA Security Checklist
The U.S. government mandates precautions to protect sensitive health data. If your organization works with ePHI (electronic protected health information), it must comply with HIPAA. The penalties for non-compliance can be severe: criminal charges, civil money penalties of up to $1.5 million per year for each provision violated, and liability in civil suits. It is therefore essential that every entity covered by HIPAA conducts periodic compliance checks.
HIPAA Security checklist:
1. HIPAA Administrative Safeguards Checklist
· Security Management Process
· Assigned Security Responsibility
· Workforce Security
· Information Access Management
· Security Awareness and Training
· Security Incident Procedures
· Contingency Plan
· Evaluation
· Business Associate Contracts
2. HIPAA Physical Safeguards Checklist
· Facility Access Controls
· Workstation Use
· Workstation Security
· Device and Media Controls
3. HIPAA Technical Safeguards Checklist
· Access Control
· Audit Controls
· Integrity
· Person or Entity Authentication
· Transmission Security
Beyond the checklist, a few more considerations help ensure your organization stays compliant with HIPAA:
· Have all critical assessments conducted by contractors or businesses with adequate security expertise.
· Keep compliance documentation in place.
· Document all relevant compliance information (policies, procedures, assessment results, security reports, audit reports, etc.).
· Reassess your organization's HIPAA compliance periodically.
· Have a HIPAA lawyer review your organization's compliance reports.
Website Design
Major eCommerce companies usually employ a team of designers for their websites, stores, and online catalogues. If the website must comply with HIPAA, those professionals need to know it and act accordingly. Designers can overlook key elements, however, and unless the designer is familiar with the HIPAA rules it is in the company's best interest to confirm compliance itself.
Design issues related to HIPAA compliance include:
· Ensuring that information being transmitted is always encrypted
· Implementing safeguards to prevent tampering
· Hosting the website on servers that meet the HIPAA Security Rule safeguards and are covered by a HIPAA Business Associate Agreement
· Limiting access to PHI to authorized staff
· Backing up all PHI information in ways that ensure the data is recoverable
How to know your website needs to be HIPAA compliant?
If your website collects, stores, or transmits protected health information (PHI), it needs to be HIPAA compliant.
Start by understanding how health information enters the website, where it is stored, and where it is sent. If the website collects any individually identifiable medical information, such as symptoms, conditions, or requested healthcare services, you are collecting PHI. Common ways a website receives PHI include:
· Contact forms that ask about symptoms, medical services, medications, or other health- related information
· Online patient forms
· Live chat
· Patient Portals
· Patient reviews or testimonials
· Any other information-collecting tools on your website
Next comes storage: how the collected PHI is kept. If you keep individually identifiable medical information on a server, that server must be secured and the data encrypted. The HIPAA Security Rule requires entities that store ePHI to take reasonable and appropriate measures to protect it.
To stay HIPAA compliant when transmitting PHI, every email, email server, and web form involved must be encrypted and secured. Transmitting PHI includes sending information via email, web forms, or any other form of digital messaging.
What if your website is not HIPAA compliant?
If your website collects, stores, or transmits PHI and does not take reasonable measures to secure that data, you may be in violation of HIPAA and exposed to penalty fines. Depending on the scale of the violation, the number of patients affected, and the level of negligence, the fine ranges from $100 to $50,000 per violation.
Steps to follow to make a website HIPAA-compliant
HIPAA sets out many requirements rather than prescribing implementations, and each organization must determine for itself what it needs to do to be compliant. To simplify, the seven main areas that deal with protected health information are listed below.
« Transport Encryption: Data must be encrypted while it is in transit over the internet.
1. The first step is to ensure that you have a secure website, one served over HTTPS with a valid certificate. Although this is still commonly called "SSL", every SSL version is obsolete and the protocol actually negotiated today is TLS.
2. Any page that collects or displays protected health information, that logs users in, or that sends session or authorization cookies must be served only over HTTPS. There must be no alternate insecure version of the same page: plain-HTTP requests for it should be redirected, the site should send an HSTS header so browsers stay on HTTPS, and session cookies should carry the Secure and HttpOnly flags so they are never sent in the clear.
3. Make sure the TLS configuration rejects protocols and cipher suites that are too weak. HIPAA itself does not name a protocol version; current NIST transport-security guidance (SP 800-52) requires TLS 1.2 or later, so disable SSLv3, TLS 1.0 and TLS 1.1, prefer forward-secret (ECDHE) AEAD cipher suites, and test the deployed endpoint rather than trusting the defaults.
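The three transport steps above, as an added example that is not code from the original article: a hardened TLS server context for the portal beside a policy check that reports the settings a weak context would have, and a request filter that refuses to serve PHI pages over plain HTTP (bodyless redirect, HSTS, Secure/HttpOnly session cookie). The hostname, the paths, and the dict-shaped request are illustrative assumptions; the TLS settings use only the standard library's ssl module.

```python
# Added example, not code from the original article: a hardened TLS server
# context beside a policy check that flags weak settings, and a request
# filter that refuses to serve PHI pages over plain HTTP. The hostname,
# paths and the dict-shaped request are illustrative assumptions.
import secrets
import ssl

HOST = "portal.example-clinic.test"   # assumed hostname of the patient portal
# Substrings that mark cipher suites no PHI site should offer.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH", "PSK")


def hardened_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server context that only negotiates TLS 1.2+ with forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # drops SSLv3, TLS 1.0, TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION               # TLS compression enables CRIME
    # TLS 1.2 suite list; TLS 1.3 suites are fixed by the library and all are AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK:!MD5:!RC4:!3DES")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def tls_policy_violations(ctx: ssl.SSLContext) -> list:
    """Return the reasons a context is 'too weak'; an empty list means acceptable."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum protocol below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        problems.append("TLS compression not disabled")
    for suite in ctx.get_ciphers():
        if any(marker in suite["name"] for marker in WEAK_CIPHER_MARKERS):
            problems.append("weak cipher suite offered: " + suite["name"])
    return problems


def min_tls_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


def enforce_https(request: dict, session_id: str = None) -> dict:
    """Serve PHI pages only over HTTPS. A plain-HTTP request for any page gets a
    bodyless redirect to the HTTPS URL, so there is no insecure alternate version."""
    if request["scheme"] != "https":
        return {"status": 301,
                "headers": {"Location": "https://" + HOST + request["path"]},
                "body": ""}
    headers = {
        # Browsers remember to use HTTPS for a year, closing the first-request gap.
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Cache-Control": "no-store",      # PHI must not linger in caches
    }
    if session_id is not None:
        # Secure: never sent over HTTP; HttpOnly: not readable by page scripts.
        headers["Set-Cookie"] = (f"session={session_id}; Secure; HttpOnly; "
                                 "SameSite=Strict; Path=/")
    return {"status": 200, "headers": headers, "body": "<portal page>"}


if __name__ == "__main__":
    ctx = hardened_context()
    print("minimum TLS:", min_tls_name(ctx), "violations:", tls_policy_violations(ctx))
    print(enforce_https({"scheme": "http", "path": "/portal/results"}))
    print(enforce_https({"scheme": "https", "path": "/portal/results"},
                        session_id=secrets.token_urlsafe(32))["headers"]["Set-Cookie"])
```

Run tls_policy_violations against whatever context your framework actually builds, not just this one; a reverse proxy or CDN in front of the site terminates TLS on its own terms and needs the same three checks applied to its configuration.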
« Backup: Health data must not be lost. It should always be backed up and be easy to recover.
1. Be sure that all PHI stored with your website or collected from your website is backed up and can be recovered in case of an emergency or accidental deletion.
2. Most web hosts provide this service for information stored on their servers. If your site sends information elsewhere (for example, to you via email), then those messages must also be backed up or archived and you must take care that those backups are robust, available, and accessible only by authorized people.
3. Note that the PHI stored in backups must also be protected in a HIPAA-compliant way — with security, authorization controls, etc.
« Authorization: Critical and personal health information should be accessible only by authorized personnel.
1. Data is accessible only by authorized personnel through unique, audited access controls. Ask who can access the protected health information that resides on or is collected by your website; your web hosting provider probably can.
2. Confirm that your web hosting provider has signed a HIPAA Business Associate Agreement with you.
3. If the website stores or provides access to PHI, make sure it enforces unique, secure logins (one account per person, never shared credentials, with a second authentication factor where available) so that only authorized and appropriate people can reach that data, and that each role sees only the minimum necessary fields.
4. Logins and data accesses must be logged and audited; have your website designer set this up properly for you.
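The authorization steps above, as an added example that is not code from the original article: a minimal PHI access gate that requires a unique, second-factor-verified login, filters each read down to the fields the caller's role needs, and writes an audit record for every attempt, allowed or denied. The roles, field names, user IDs, and the in-memory store are illustrative assumptions constructed for the example.

```python
# Added example, not code from the original article: a minimal PHI access
# gate that requires a unique, second-factor-verified login, filters each
# read down to the fields the caller's role needs, and writes an audit
# record for every attempt, allowed or denied. Roles, field names, user
# IDs and the in-memory store are illustrative assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# "Minimum necessary": which record fields each role may see.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications", "notes"},
    "billing": {"name", "dob", "insurance_id"},
    "webmaster": set(),    # runs the site, sees no PHI at all
}


@dataclass
class User:
    user_id: str            # one account per person, never a shared login
    role: str
    mfa_verified: bool = False


@dataclass
class AuditTrail:
    """Append-only log; in production ship each line to write-once storage."""
    entries: list = field(default_factory=list)

    def record(self, user_id, patient_id, action, outcome, detail=""):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "patient": patient_id,
            "action": action,
            "outcome": outcome,
            "detail": detail,
        }
        self.entries.append(entry)
        return json.dumps(entry)   # one JSON line per event, SIEM-friendly


class PhiStore:
    def __init__(self, audit: AuditTrail):
        self.audit = audit
        self._records = {}      # patient_id -> record dict

    def put(self, patient_id: str, record: dict):
        self._records[patient_id] = dict(record)

    def read(self, user: User, patient_id: str) -> dict:
        """Return the subset of the record this user may see, logging the access."""
        def deny(reason):
            self.audit.record(user.user_id, patient_id, "read", "denied", reason)
            raise PermissionError(reason)

        if not user.mfa_verified:
            deny("second factor not verified")
        allowed = ROLE_FIELDS.get(user.role)
        if not allowed:
            deny("role %r may not read PHI" % user.role)
        record = self._records.get(patient_id)
        if record is None:
            deny("no such patient")        # same error type: do not leak existence
        view = {k: v for k, v in record.items() if k in allowed}
        self.audit.record(user.user_id, patient_id, "read", "allowed",
                          "fields=" + ",".join(sorted(view)))
        return view


def sample_store():
    """Constructed sample data for the demo."""
    audit = AuditTrail()
    store = PhiStore(audit)
    store.put("P-1001", {"name": "Jane Roe", "dob": "1980-02-03",
                         "insurance_id": "INS-4471", "diagnosis": "hypertension",
                         "medications": "lisinopril", "notes": "follow-up in 6 weeks"})
    return store, audit


if __name__ == "__main__":
    store, audit = sample_store()
    print(store.read(User("nurse.jsmith", "clinician", mfa_verified=True), "P-1001"))
    print(store.read(User("billing.alee", "billing", mfa_verified=True), "P-1001"))
    try:
        store.read(User("web.admin", "webmaster", mfa_verified=True), "P-1001")
    except PermissionError as exc:
        print("denied:", exc)
    for entry in audit.entries:
        print(json.dumps(entry))
```

The point of logging denials as well as successes is that a run of "denied" entries for one user ID is the earliest sign of a compromised or misused account; an audit trail that records only successful reads cannot show it.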
« Integrity: No information should be altered or tampered with.
1. PHI must not be tampered with or altered, and you must be able to detect it if it is.
2. Determine where tamper-proofing is needed and the best way to achieve it. Note that encryption by itself does not detect modification: use an authenticated encryption mode (such as AES-GCM), a MAC, or a digital signature (as PGP provides) over stored data, and TLS in transit. Authenticated encryption of stored data addresses both the integrity and the storage-encryption requirements at once.
« Storage Encryption: Data should be encrypted when it is stored or accessed.
1. First, determine whether storage encryption is needed for the website. Under the Security Rule it is an addressable specification: if you decide not to encrypt, document why and what equivalent measure you use instead.
2. Ensure that all collected and stored protected health information is encrypted and can be decrypted only by people holding the appropriate keys. Keep the keys separate from the data (ideally in a key-management service or HSM, never on the web server alongside the ciphertext). This makes backups safe, keeps the data from unauthorized people, and protects it whatever happens to the server, unless the keys themselves are stolen.
3. Storage encryption is especially important when data may be backed up to, or placed in, locations outside your control, or when your site shares a web server with other customers of the same host.
4. Encryption also significantly reduces liability if a server is compromised: PHI that was encrypted in line with HHS guidance is not "unsecured PHI", so its loss does not trigger the Breach Notification Rule.
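The Integrity and Storage Encryption steps above, as one added example that is not code from the original article: sealing a PHI record at rest with AES-256-GCM, an authenticated mode, so the same key that hides the data also detects any change to it, and binding the ciphertext to its patient ID so a blob copied into another patient's row fails to open. It uses the third-party cryptography package; the key source, record layout, and patient IDs are illustrative assumptions.

```python
# Added example, not code from the original article: sealing a PHI record at
# rest with AES-256-GCM, an authenticated mode, so the same key that hides
# the data also detects any change to it. Uses the third-party `cryptography`
# package. The key source, record layout and patient IDs are illustrative
# assumptions; in production the key lives in a KMS or HSM, never beside the
# ciphertext on the web server or in its backups.
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12      # 96-bit nonce, the recommended size for GCM


def new_key() -> bytes:
    return AESGCM.generate_key(bit_length=256)


def seal_record(key: bytes, patient_id: str, record: dict) -> bytes:
    """Encrypt one record. The patient ID goes in as associated data: it is
    authenticated but not hidden, so a blob copied into another patient's row,
    or a single flipped bit, fails to open."""
    nonce = os.urandom(NONCE_LEN)               # fresh per encryption, never reused
    plaintext = json.dumps(record, sort_keys=True).encode()
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, patient_id.encode())
    return nonce + ciphertext                   # the 16-byte tag is appended by GCM


def open_record(key: bytes, patient_id: str, blob: bytes):
    """Return the record, or None if the blob was altered, moved, or sealed
    under a different key. Callers should treat None as a security event."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        plaintext = AESGCM(key).decrypt(nonce, ciphertext, patient_id.encode())
    except InvalidTag:
        return None
    return json.loads(plaintext)


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate bit rot or a tampered backup by flipping one bit."""
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]


if __name__ == "__main__":
    key = new_key()
    record = {"name": "Jane Roe", "diagnosis": "hypertension"}   # constructed sample
    blob = seal_record(key, "P-1001", record)
    print("round trip:", open_record(key, "P-1001", blob) == record)
    print("tampered  :", open_record(key, "P-1001", flip_bit(blob, NONCE_LEN + 3)))
    print("moved     :", open_record(key, "P-2002", blob))
    print("wrong key :", open_record(new_key(), "P-1001", blob))
```

Because the tag check fails closed, a backup restored from compromised media either yields exactly what was written or nothing; there is no state in which silently altered PHI is served to a clinician. Rotate the key by re-sealing records under a new one, and never reuse a nonce under the same key.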
« Disposal: When data is no longer needed it must be disposed of permanently.
1. Ensure backups have a defined retention period after which they are securely deleted, rather than accumulating indefinitely.
2. It is up to you to determine how far you need to go to ensure disposal is HIPAA compliant. The people managing your servers must also ensure that media (e.g. hard drives) that held PHI are properly sanitized or destroyed when no longer in use.
« Omnibus/HITECH: If protected health information is located on the web servers of a company you do business with, make sure you have a HIPAA Business Associate Agreement with that company, as the HIPAA rules require.
1. Sign a Business Associate Agreement with each such vendor. The agreement commits the vendor to following the HIPAA Security Rule requirements for your data and its servers.
2. No web hosting provider will police your website's functionality and content. They provide an infrastructure that meets HIPAA requirements and require you to design and manage your website so that its functionality is HIPAA compliant.
3. Choosing a compliant provider does not make your website HIPAA compliant unless you and your designers also take all the steps needed to make its design and functionality compliant. This holds universally, unless you buy a pre-designed website that is fully under the control of the host.
This article is for general information only and is not formal legal advice.