What are the requirements for a HIPAA compliant website? Here we list the important elements to consider when setting up a website that will collect, display, store, or transmit electronic protected health information (ePHI).
The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were established to protect the privacy of patients and ensure the confidentiality, integrity, and availability of protected health information (PHI). The Privacy Rule applies to PHI in any form; the Security Rule applies to electronic PHI (ePHI) wherever it is collected, stored, processed, or transmitted. That means a website that handles ePHI may need to be HIPAA compliant.
Does Your Website Need to be HIPAA Compliant?
You will no doubt have a website, but your website may not need to comply with HIPAA. A HIPAA compliant website is only required if the website is used to collect, display, store, process, or transmit PHI. If your website simply showcases your company, provides contact information, and lists the services you provide, then there are no HIPAA requirements for your website.
Prior to using a website to collect, process, store, or transmit PHI, you must make the website HIPAA compliant. You must also comply with HIPAA if patient information is stored on a server that is connected to your website.
Examples of uses for a website that involve PHI include contact forms that collect and submit health-related information, patient portals, and live chat facilities. If patients can submit emails through your website or make appointments, the website needs to be HIPAA compliant.
Requirements for a HIPAA Compliant Website
One of the first steps to take is to obtain a TLS certificate (still commonly called an SSL certificate) from a trusted certificate authority and serve the entire site over HTTPS. TLS encrypts the connection between the browser and the web server, so information entered on the site or in web forms is protected against interception in transit. The certificate alone is not enough: redirect all HTTP requests to HTTPS, enable HTTP Strict Transport Security (HSTS) so browsers will not downgrade to plain HTTP, disable SSLv3 and TLS 1.0/1.1, and renew the certificate before it expires, since an expired certificate makes browsers warn users away from the site.
You must ensure your website is hosted with a HIPAA compliant hosting company – Atlantic.Net for example. Atlantic.Net specializes in providing HIPAA compliant hosting for covered entities and their business associates. A HIPAA compliant hosting company implements the physical and infrastructure safeguards required by the HIPAA Security Rule for the parts of the service it controls; the configuration and security of your own application remain your responsibility. You will need to enter into a business associate agreement (BAA) with the hosting company before any PHI is placed on its systems.
You must then ensure that any information stored on a web server, or transmitted from the site to a database or inbox, is encrypted at rest and in transit. If email is used to deliver form submissions, the messages must be encrypted end to end, not only on the hop from the website to your mail server. The easiest way to collect information on a website is to use a HIPAA compliant form service, such as JotForm. You will need to enter into a business associate agreement with the web form provider as well.
The HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of PHI, so you must back up your data to ensure it can be recovered in the event of a disaster. Backups that contain PHI must themselves be encrypted, and you must have policies in place for restoring PHI from backups, including periodic test restores to confirm the backups actually work.
You must implement access controls so that only authorized individuals are able to access the administrative side of the website and the PHI it stores, and those individuals must be trained on the requirements of HIPAA. Follow cybersecurity best practices such as requiring strong, unique passwords, limiting administrative privileges to those who need them, keeping the web software and its plugins patched, and regularly scanning for malware. HIPAA also requires you to maintain access and change logs, regularly review those logs, and maintain an audit trail of who accessed which records and when. You must also have policies and procedures covering the deletion of data when it is no longer required.
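The log review and audit trail requirements above are easier to picture with a concrete check. The following script is an added example, not code from the original article or from Atlantic.Net or any vendor it names. It assumes a web server writing Apache/nginx "combined" format logs with the authenticated user in the third field, a login endpoint at `/login`, and patient records served under `/patients/<id>`; all of those paths, the brute-force threshold, and the sample log lines are constructed for illustration. It flags brute-force login attempts, builds an access trail of who viewed which patient record, reports any record served to an unauthenticated request (an access control failure), and lists accounts that were used from an IP that had just been brute-forcing the login page.

```python
"""Review patient-portal access logs for HIPAA audit purposes.

Added example, not from the original article or from Atlantic.Net.
Log format, URL paths, threshold and sample lines are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PATIENT_RE = re.compile(r"/patients/(\d+)")

# Constructed sample log (documentation IP ranges, fictional users), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2024:09:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2024:09:00:08 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2024:09:00:10 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2024:09:00:12 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - intern.j [10/Mar/2024:09:00:30 +0000] "GET /patients/1042 HTTP/1.1" 200 2048
198.51.100.4 - nurse.k [10/Mar/2024:09:15:22 +0000] "GET /patients/1042 HTTP/1.1" 200 2048
198.51.100.4 - nurse.k [10/Mar/2024:09:16:02 +0000] "GET /patients/1043 HTTP/1.1" 200 2048
192.0.2.9 - - [10/Mar/2024:09:20:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.9 - - [10/Mar/2024:10:20:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.9 - dr.lee [10/Mar/2024:10:21:00 +0000] "GET /patients/1042 HTTP/1.1" 200 2048
192.0.2.55 - - [10/Mar/2024:11:00:00 +0000] "GET /patients/1042 HTTP/1.1" 200 2048
"""


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: max_failures} for IPs with >= threshold failed logins
    inside any sliding window of the given length."""
    fails = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401:
            fails[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def phi_access_trail(events):
    """Audit trail of successful patient-record views as
    (user, ip, patient_id, iso_timestamp). Views with no authenticated
    user are returned separately: they indicate an access control failure."""
    trail, anonymous = [], []
    for e in events:
        m = PATIENT_RE.fullmatch(e["path"])
        if m and e["status"] == 200:
            entry = (e["user"], e["ip"], m.group(1), e["ts"].isoformat())
            (anonymous if e["user"] == "-" else trail).append(entry)
    return trail, anonymous


def accounts_used_from(events, suspicious_ips):
    """Accounts that authenticated from an IP flagged for brute force;
    candidates for a forced password reset and session review."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["ip"] in suspicious_ips and e["user"] != "-"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bf = find_bruteforce(evs)
    trail, anon = phi_access_trail(evs)
    print("brute-force sources:", bf)
    print("unauthenticated PHI views:", anon)
    print("accounts used from brute-force IPs:", accounts_used_from(evs, bf))
    for entry in trail:
        print("PHI access:", entry)
```

Run it over a real log file by replacing `SAMPLE_LOG` with the file's contents; in production the same logic belongs in whatever log pipeline you already run (SIEM, cron job, or hosting provider tooling), and its output is itself part of the audit trail HIPAA expects you to retain.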
HIPAA Compliant Website Checklist
- Do you have a valid TLS (SSL) certificate, and is all traffic served over HTTPS?
- Is the website hosted with a HIPAA compliant hosting company?
- Have you encrypted data at rest and in transit?
- Are you using HIPAA-compliant web forms?
- Have you set access controls?
- Are you recording and monitoring logs?
- Are you maintaining an audit trail?
- Do you have signed business associate agreements with all vendors that handle PHI?
- Are you backing up all PHI?
- Have you developed policies and procedures for restoring and deleting data?
- Have you obtained consent from patients before publishing testimonials on your website?
- Does your website include a notice of privacy practices?
- Does your website include your HIPAA policy?