HIPAA Compliant Website Requirements

HIPAA compliant website requirements - HIPAAGuide.net

The requirements for a HIPAA compliant website are that any forms, apps, or tracking technologies used to collect Protected Health Information (PHI) or track user activity are configured to comply with HIPAA, and that any communication of PHI between the website and the servers running the website is encrypted to ensure the confidentiality and integrity of the data.

The HIPAA Privacy and Security Rules protect patient privacy and ensure the confidentiality, integrity, and availability of Protected Health Information (PHI). The Rules apply to all forms of PHI, no matter how or where PHI is created, received, maintained, or transmitted. This means websites that collect, display, store, process, or transmit PHI need to be HIPAA compliant.

Does Your Website Need to be HIPAA Compliant?

If your organization has a website, it may not need to comply with HIPAA. A HIPAA compliant website is only necessary if the website is used to collect, display, store, process, or transmit PHI. If your website simply showcases your organization, provides contact information, and lists the services you provide, then there are no HIPAA requirements for your website.

However, if your organization’s website is used to collect PHI via a contact form, communicate PHI via a live chat facility, or transmit PHI via a patient portal, app, or tracking technology, the website and the applications used on it must be HIPAA compliant (*). If the website transmits PHI to a third-party server, the third-party server must also be HIPAA compliant.

(*) An exception to the HIPAA compliant website requirements is if an application is used to collect payments. Payment processors are exempt from HIPAA compliance – but only for payment processing activities. If a payment processing app is used for any other purpose (e.g., it produces an invoice), the payment processing app must also be HIPAA compliant.

Requirements for a HIPAA Compliant Website

The requirements for a HIPAA compliant website vary slightly depending on whether the website is hosted in-house or by a third-party vendor. The primary difference is that if third-party hosting services, apps, or tracking technologies are used to support the website and its capabilities, a Business Associate Agreement must be in place with any vendor who has access to PHI.

Thereafter, it is important that appropriate safeguards are implemented to meet the requirements of the HIPAA Security Rule and that connections between the website, users’ browsers, and servers are protected against unauthorized access by SSL/TLS encryption. Most HIPAA compliant hosting services and app vendors offer this level of encryption by default.

Appropriate safeguards include – but are not limited to – access controls, user login monitoring, audit trails, antivirus scanning, and backups. If a website is hosted onsite, it is also important that access to the hosting server(s) is protected by the Physical Safeguards of the HIPAA Security Rule and that procedures exist for recovering PHI from the servers in the event of an outage.

HIPAA Privacy Rule Considerations for Websites

HIPAA Privacy Rule considerations for websites include that if a covered entity maintains a website that provides information about the covered entity’s customer services or benefits, the covered entity must prominently post its Notice of Privacy Practices on the website and make the Notice available electronically through the website (§164.520(c)(3)(i)).

If the website collects PHI, it is also necessary to have a clearly defined and accessible privacy policy that outlines how the website uses and protects PHI. The privacy policy should also detail how the covered entity handles data breaches and ensures ongoing compliance. In some states, an affirmative opt-in is also required before sensitive data is collected from users.

With regard to members of the workforce who have authorized access to the website or to the PHI collected by the website, it is necessary that they receive appropriate HIPAA training on uses and disclosures of PHI and on security awareness. This applies not only to covered entities’ workforces, but also to business associates’ workforces with access to PHI collected by a website app.

HIPAA Compliant Website Checklist

  • Do you have a valid SSL certificate?
  • Is the website hosted with a HIPAA compliant hosting company?
  • Have you encrypted data at rest and in transit?
  • Are you using HIPAA-compliant web forms?
  • Have you set access controls?
  • Are you recording and monitoring logs?
  • Are you maintaining an audit trail?
  • Have you got signed business associate agreements for all vendors?
  • Are you backing up all PHI?
  • Have you developed policies and procedures for restoring and deleting data?
  • Have you obtained consent from patients before publishing testimonials on your website?
  • Does your website include a notice of privacy practices?
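As an added check for the first and third checklist items (a valid certificate and encryption in transit), not part of the original article: a Python script that evaluates a certificate's validity window and hostname coverage offline against a constructed sample dict, plus a live check that refuses anything below TLS 1.2 and verifies the chain against the system trust store. The 30-day renewal warning and the example.com names are assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example.com"),),),
    "subjectAltName": (("DNS", "portal.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
RENEWAL_WARNING = timedelta(days=30)  # assumed renewal lead time, not a HIPAA figure


def _name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a wildcard covering exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def evaluate_cert(cert, hostname, now_iso=None):
    """Return a list of findings for a getpeercert()-style dict; [] means it passed.
    now_iso is an ISO 8601 timestamp with offset (e.g. '2024-06-01T00:00:00+00:00') or None for now."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    findings = []
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired")
    elif not_after - now < RENEWAL_WARNING:
        findings.append("expires within 30 days")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(n, hostname) for n in dns_names):
        findings.append("hostname not in subjectAltName")
    return findings


def check_site(hostname, port=443, timeout=5):
    """Live check: refuse anything below TLS 1.2, verify the chain against the system
    trust store (the handshake raises ssl.SSLError otherwise), then evaluate the leaf."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.version(), evaluate_cert(tls.getpeercert(), hostname)
```

Run `check_site("your-portal-hostname")` against a live host to get the negotiated protocol version and any findings; an empty list with a TLS 1.2 or 1.3 version is the result you want for the checklist.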

Websites and HIPAA Compliance: FAQ

Do all websites related to healthcare need to be HIPAA compliant?

Unless a website is being used to store, manage, transfer, or otherwise handle PHI, it does not need to be HIPAA compliant. Websites that merely contain details about medical treatments, health plans, medication, or other healthcare-related topics therefore do not need the minimum safeguards specified by the HIPAA Security Rule. However, if a website has any connection to PHI – for example, it allows patients to access information on diagnoses or online prescriptions, make appointments, etc. – it is subject to HIPAA, and the organization must ensure the website is HIPAA compliant.

Are business associate agreements required for a website to be HIPAA compliant?

If a website needs to be HIPAA compliant, the covered entity or business associate must ensure that they enter into a business associate agreement (BAA) with the website’s host. The purpose of the BAA is to outline how PHI will be used, who can access it, what safeguards will be in place to ensure HIPAA compliance, and what will happen in the event of a breach. Not all website hosts will enter into a BAA, and it is the responsibility of the CE or BA to ensure that one has been obtained before using the hosting service.

Can shared web servers be HIPAA compliant?

Though dedicated web servers are more secure, shared web servers can still be used in a HIPAA-compliant manner. The CE or BA must undertake extra checks to ensure that data will be adequately protected, because there are a number of dangers associated with shared servers (for example, hacking attempts on another website hosted on the same server can threaten the integrity of PHI).

What are the minimum standards for passwords to help safeguard PHI?

HIPAA does not specify the minimum standards for passwords to be compliant. This is largely to allow organizations to set their own policies in line with current best practices. Good passwords should be long, contain a mixture of upper- and lowercase characters, numbers, and special characters, and should not be shared between users. Two-factor authentication can also help with protecting data from unauthorized users.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/