For Your Practice To Thrive Now Is The Time For A HIPAA Compliant Website
If you are providing healthcare services, the past three months have probably brought you challenges you have never experienced before. As many healthcare providers are finding, the key to surviving this pandemic is embracing telehealth and website solutions. Yet for many physicians, using the Internet for patient care is a new horizon, especially when it requires HIPAA compliant website development. To help with this new chapter in patient care, The Mauldin Group is offering some HIPAA guidance for your move into online healthcare. The information below is broken into sections that give a brief overview of what you are facing when looking at HIPAA compliance for your website.
The Mauldin Group Guide To A HIPAA Compliant Website
SECTION 1 – Do You Need A HIPAA Compliant Website?
First off, it is important to know some of the HIPAA terminology, as this can help you assess the functionality of your website and whether you must meet HIPAA compliance standards. Here are a couple of the major terms that can quickly help you understand where your services and website fit.
Covered Entities
If you are a healthcare provider, health plan or healthcare clearinghouse, you will most likely fit into this category. Covered Entities are required to meet HIPAA compliance in the daily transactions of their business.
These are:
Healthcare Providers: Doctors, dentists, chiropractors, clinics, pharmacies, psychologists, counselors and nursing homes.
Healthcare Plans: Health Insurance Companies, Government Programs (Medicare, Medicaid and the VA.), Company Health Plans, and HMOs.
Healthcare Clearinghouses: These include companies or community health systems that provide billing services, non-standard data processing or transaction services, for example claims processing.
PHI and ePHI
PHI (Protected Health Information) and ePHI (electronic Protected Health Information) are the individually identifiable personal and medical information you collect about your patients, clients or customers. If you are collecting, storing or transferring this information, you must have a HIPAA compliant website.
PHI Examples:
- Name
- Address
- DOB (Date of Birth)
- Telephone Number
- Email Address
- Medical Records (information)
- Financial Information
Website Tasks Handling ePHI
Ultimately, if you are a covered entity collecting, storing or transmitting ePHI, you must have a HIPAA compliant website. These tasks can be performed in several ways on your website, including:
- Contact Information Forms
- Patient Portals
- Live Chats-Messaging
- Online Fillable Patient Forms
- Pages for Patient Testimonials and Reviews
- Other website collection tools
SECTION 2 – How Do I Make My Website HIPAA Compliant?
A lot goes into HIPAA compliant website development. First and foremost, you need to be sure you are working with a website development team that understands the complexities of designing a website for HIPAA compliance. There are thousands of very talented website designers and developers in the field. But developing a website that is visually impactful, offers easy navigation, builds trust with patients through messaging AND meets HIPAA compliance is a very tall order. Not many website development firms can meet this demand.
When it comes to starting the website development process for HIPAA compliance, you need to begin with a strong plan. There are elements that have to be implemented to ensure security and compliance.
These include:
- A written and published HIPAA Policy that specifically covers all daily website and electronic activities, as well as disaster recovery.
- An Appointed HIPAA Compliance Officer for the practice or company.
- The purchase and integration of an SSL (Secure Sockets Layer) Certificate for your website, so that every page and form is served over HTTPS (TLS).
- The secure encryption of all web-form data, both in transit and at rest.
- End-to-End Data Encryption (E2EE) for the website.
- Webhosting with HIPAA Compliant Webhosting Companies.
- Proper full backup, restoration and deletion processes for all PHI/ePHI data.
- A data breach protocol.
- Use of an encrypted server for all emails.
- Implementation of secured storage for all PHI.
- Specific and restricted access to PHI/ePHI data and the website.
*Only vetted, authorized personnel should have access.
SECTION 3 – What About Website Partners?
Special consideration should be given to service providers outside the Covered Entity who handle your website tasks, provide secondary services or use any ePHI for practice support. HIPAA defines these providers as Business Associates. Business Associates (third-party contractors, sub-contractors, etc.), meaning anyone outside the covered entity who will have access to PHI or ePHI, must be required to sign a Business Associate Agreement, a contract in which they agree to the secure collection, handling and storage of PHI and ePHI.
SECTION 4 – What About Collecting ePHI Through Web Forms?
Web forms are tricky business when it comes to HIPAA. Many of the popular web-form tools and WordPress plug-ins are not HIPAA compliant; in fact, finding forms that are is a challenge. But by implementing and carefully following HIPAA practices in your use of online forms, you can make the use of these forms HIPAA compliant. Here are some steps to ensure your web forms operate according to HIPAA compliance practices.
Good Website Form HIPAA Practices:
Encryption – Secure encryption of all data is critical to being HIPAA compliant. End-to-end encryption of data is the preferred standard.
Email Notifications – When setting up email notifications of web form receipts, make sure no PHI is transmitted along with the notification; the notification should tell staff that a submission arrived, not what it contains.
Regular Archiving – It is important to regularly archive web form data to a secure internal storage server. Do not leave data on the web-form server after it has been downloaded.
Strong Passwords – Having a strong password is a given. But too often companies are guilty of keeping a password the same for too long or freely sharing access to the password in the first place.
MAKE SURE you have a system in place for changing passwords regularly (every 30 days) and use the guideline of a 15-character password made of meaningless words (upper and lower case) mixed with random symbols and numbers. Limit access to the administrator and critical staff only!
Always Log OUT – Last, make sure that you and your team LOG OUT of your web form tool when it is not in use.
*IMPORTANT NOTE – As with all HIPAA guidelines concerning your practice and website, web forms should have a securely planned protocol for use and maintenance that is actually followed. It is important to create and implement a written procedures document that outlines the proper usage, maintenance and storage of all ePHI/PHI data and web forms.
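The "Email Notifications" practice above is easy to get wrong, because most form plug-ins email the whole submission by default. The following is an added illustration, not code from The Mauldin Group or any form product: an intake handler that files each submission under an opaque id in an internal store, builds a staff notification that carries only that id and a timestamp, and runs a leak check before anything is sent. The field names, the in-memory store and the sample submission are all constructed for the example.

```python
# Added example: keep PHI out of web-form e-mail notifications.
import json
import secrets
from datetime import datetime, timezone

# Fields that carry PHI, following the post's own list (name, address, DOB,
# phone, email, medical details). Field names are assumptions for this example.
PHI_FIELDS = {"name", "address", "dob", "phone", "email", "reason_for_visit"}

# Stand-in for the secure internal store submissions are archived to;
# in production this would be the encrypted-at-rest system, not a dict.
_store = {}


def intake(submission):
    """Store the submission under a random opaque id and return that id."""
    missing = PHI_FIELDS - submission.keys()
    if missing:
        raise ValueError("missing fields: %s" % sorted(missing))
    submission_id = secrets.token_urlsafe(16)  # unguessable reference, no PHI
    _store[submission_id] = {
        "received_at": datetime.now(timezone.utc).isoformat(),
        "data": submission,
    }
    return submission_id


def build_notification(submission_id):
    """Staff e-mail content: only the opaque id and timestamp, never form values."""
    record = _store[submission_id]
    return {
        "subject": "New patient form received",
        "body": (
            "A new form was submitted at %s.\n"
            "Log in to the secure portal and open submission %s."
            % (record["received_at"], submission_id)
        ),
    }


def leaks_phi(notification, submission):
    """Guard to run before sending: True if any PHI value appears in the text."""
    text = json.dumps(notification).lower()
    return any(
        str(value).lower() in text
        for field, value in submission.items()
        if field in PHI_FIELDS and str(value)
    )
```

Wire `leaks_phi` in as a hard stop before the mail call so that a misconfigured template cannot quietly ship PHI to an unencrypted inbox.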
SECTION 5 – I Practice HIPAA Compliance In My Office, Is A HIPAA Compliant Website That Important?
YES! HIPAA compliance is crucial for every aspect of your practice, and for your website even more so. We are a technically driven society. For a healthcare provider to survive, it has to be able to deliver services and products to patients and clients via smartphone, computer and tablet. But remember that your website is also a doorway open to the whole world.
Hackers, spammers and malware are a constant threat to your website and, more importantly, to your ePHI data. HIPAA not only has strict guidelines for protecting this data in your office and daily operations, but also for your online transactions. Failing to have a HIPAA compliant website can mean penalties that range from $119 to $59,522 per violation. Identical violations can amount to up to $1,785,651!
The Mauldin Group Offers HIPAA Website Development You Can Trust
The Mauldin Group understands the critical and complex nature of HIPAA compliant website development. We approach your website design with a customized, creative plan that combines your goals for visual impact and trust messaging with the armored-vault security needed to be HIPAA compliant. Our strategy carefully accounts for PHI/ePHI communications, emails and web forms, along with website hosting and data storage, to ensure the highest security protocols are planned, implemented and followed.
Providing HIPAA Compliant Website Development and Digital Marketing Services, we have an in-house team that can offer a wide range of marketing tools to increase your patients, clients and customers. Now is the time to take your healthcare practice, services and products online with confidence. To find out more, Contact Us Now or Call (678) 846-2306.