What are the requirements for a HIPAA compliant website? Here we list the important elements when setting up a website for use with ePHI.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were established to protect the privacy of patients and ensure the confidentiality, integrity, and availability of protected health information (PHI). These rules apply to all forms of PHI, no matter where PHI is collected, stored, processed, or maintained. That means that websites may need to be HIPAA compliant.
Does Your Website Need to be HIPAA Compliant?
You will no doubt have a website, but your website may not need to comply with HIPAA. A HIPAA compliant website is only required if the website is used to collect, display, store, process, or transmit PHI. If your website simply showcases your company, provides contact information, and lists the services you provide, then there are no HIPAA requirements for your website.
Prior to using a website to collect, process, store, or transmit PHI, you must make the website HIPAA compliant. You must also comply with HIPAA if patient information is stored on a server that is connected to your website.
Examples of uses for a website that involve PHI include contact forms that collect and submit health-related information, patient portals, and live chat facilities. If patients can submit emails through your website or make appointments, the website needs to be HIPAA compliant.
Requirements for a HIPAA Compliant Website
One of the first steps to take is to secure the website with an SSL/TLS certificate. This ensures the connection between the browser and the website is encrypted, so information entered on the site or in web forms is protected against unauthorized access while it is in transit.
You must ensure your website is hosted with a HIPAA compliant hosting company – Atlantic.Net for example. Atlantic.Net specializes in providing HIPAA compliant hosting for covered entities and their business associates. A HIPAA compliant hosting company will ensure the appropriate safeguards are implemented to meet the requirements of the HIPAA Security Rule. You will need to enter into a business associate agreement with the hosting company.
You must then ensure that any information stored on a web server or transmitted from the site to a database or inbox is encrypted at rest and in transit. If email is used, then messages must have end-to-end encryption. The easiest way to collect information on a website is to use a HIPAA compliant form, such as JotForm. You will need to enter into a business associate agreement with the web form provider.
The HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of PHI, so you must back up your data to ensure it can be recovered in the event of a disaster. You must have policies in place for restoring PHI from backups.
You must implement access controls to make sure that only authorized individuals are able to access the website, and those individuals must be trained on the requirements of HIPAA. You must follow cybersecurity best practices such as setting strong passwords, limiting administrative privileges, and regularly scanning for malware. HIPAA also requires you to maintain access and change logs, regularly review those logs, and maintain an audit trail. You must also have policies and procedures covering the deletion of data when it is no longer required.
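As an added example (not code from the original article or from any vendor named in it), the following Python shows one way to keep the access and change log tamper-evident so that a periodic review can detect an entry that was edited or deleted after the fact. The log key, user names and record identifiers are constructed for illustration only.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical per-site secret, constructed for this example; in practice it
# would be held in a key store and never committed to source.
LOG_KEY = b"example-audit-key-not-for-production"


def append_entry(chain, user, action, record_id, when=None):
    """Append one ePHI access/change event, chained to the previous entry
    with an HMAC so later edits or deletions become detectable."""
    prev_mac = chain[-1]["mac"] if chain else "0" * 64
    entry = {
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user,          # who accessed or changed the record
        "action": action,      # e.g. "view", "update", "delete"
        "record": record_id,   # opaque patient record identifier
        "prev": prev_mac,      # links this entry to the one before it
    }
    payload = json.dumps(entry, sort_keys=True).encode()
    entry["mac"] = hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Recompute every MAC and link. Returns (ok, index_of_first_bad_entry)."""
    prev_mac = "0" * 64
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev_mac:
            return False, i     # an entry before this one was removed
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i     # this entry was altered after it was written
        prev_mac = entry["mac"]
    return True, -1


def review_access(chain, user):
    """Periodic log review: every record a given user touched."""
    return sorted({e["record"] for e in chain if e["user"] == user})


if __name__ == "__main__":
    log = []
    append_entry(log, "nurse01", "view", "patient-1001")
    append_entry(log, "admin02", "delete", "patient-2002")
    print(verify_chain(log))            # (True, -1)
    log[0]["user"] = "nurse99"          # simulated after-the-fact edit
    print(verify_chain(log))            # (False, 0)
```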
HIPAA Compliant Website Checklist
- Do you have a valid SSL certificate?
- Is the website hosted with a HIPAA compliant hosting company?
- Have you encrypted data at rest and in transit?
- Are you using HIPAA-compliant web forms?
- Have you set access controls?
- Are you recording and monitoring logs?
- Are you maintaining an audit trail?
- Have you got signed business associate agreements for all vendors?
- Are you backing up all PHI?
- Have you developed policies and procedures for restoring and deleting data?
- Have you obtained consent from patients before publishing testimonials on your website?
- Does your website include a notice of privacy practices?
- Does your website include your HIPAA policy?
Websites and HIPAA Compliance: FAQ
Do all websites related to healthcare need to be HIPAA compliant?
Unless a website is being used to store, manage, transfer, or otherwise handle PHI, it does not need to be HIPAA compliant. Websites that only contain details about medical treatments, health plans, medication, or other healthcare-related topics therefore do not need to have the minimum safeguards specified by the HIPAA Security Rule. However, if a website has any connection to PHI – for example, it allows patients to access information on diagnoses or online prescriptions, or to make appointments – it is subject to HIPAA, and the organization must ensure the website is HIPAA compliant.
Are business associate agreements required for a website to be HIPAA compliant?
If a website needs to be HIPAA compliant, the covered entity or business associate must ensure that they enter into a business associate agreement (BAA) with the website’s host. The purpose of the BAA is to outline how PHI will be used, who can access it, what safeguards will be in place to ensure HIPAA compliance, and what will happen in the event of a breach. Not all website hosts will enter into a BAA, and it is the responsibility of the CE or BA to ensure that one has been obtained before using the hosting service.
Can shared web servers be HIPAA compliant?
Though dedicated web servers are more secure, shared web servers can still be used in a HIPAA-compliant manner. The CE or BA must undertake extra checks to ensure that data will be adequately protected, and there are a number of dangers associated with using shared servers (hacking attempts on another website maintained on the server can threaten the integrity of PHI, for example).
What are the minimum standards for passwords to help safeguard PHI?
HIPAA does not specify the minimum standards for passwords to be compliant. This is largely to allow organizations to set their own policies in line with current best practices. Good passwords should be long, contain a mixture of upper- and lowercase characters, numbers, and special characters, and should not be shared between users. Two-factor authentication can also help with protecting data from unauthorized users.