HIPAA Compliant Website Requirements

HIPAA compliant website requirements - HIPAAGuide.net

The requirements for a HIPAA compliant website are that any forms, apps, or tracking technologies that are used to collect PHI or track user activity are configured to comply with HIPAA and that any communication of PHI between the website and the servers running the website are encrypted to ensure the confidentiality and integrity of data.  

The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were established to protect the privacy of patients and ensure the confidentiality, integrity, and availability of Protected Health Information (PHI). The Rules apply to all forms of PHI, no matter where PHI is collected, stored, processed, or maintained. That means websites may need to be HIPAA compliant.

Does Your Website Need to be HIPAA Compliant?

If your organization has a website, it may not need to comply with HIPAA. A HIPAA compliant website is only necessary if the website is used to collect, display, store, process, or transmit PHI. If your website simply showcases your company, provides contact information, and lists the services you provide, then there are no HIPAA requirements for your website.

Prior to using a website to collect, process, store, or transmit PHI, you must make the website HIPAA compliant. You must also comply with HIPAA if patient information is stored on a server connected to the website.

Examples of uses for a website that involve PHI include contact forms that collect and submit health-related information, patient portals, and live chat facilities. If patients can submit emails through your website or make appointments, the website needs to be HIPAA compliant.

Requirements for a HIPAA Compliant Website

One of the first steps to take is to secure the website with an SSL certificate. This will ensure the connection between the browser and the website is encrypted, so information entered on the site or web forms is protected against unauthorized access.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

You must ensure your website is hosted with a HIPAA compliant hosting company – Atlantic.Net for example. Atlantic.Net specializes in providing HIPAA compliant hosting for covered entities and their business associates. A HIPAA compliant hosting company will ensure the appropriate safeguards are implemented to meet the requirements of the HIPAA Security Rule. You will need to enter into a Business Associate Agreement with the hosting company.

You must then ensure that any information stored on a web server or transmitted from the site to a database or inbox is encrypted at rest and in transit. If email is used, then messages must have end to end encryption. The easiest way to collect information on a website is to use a HIPAA compliant form, such as JotForm. You will need to enter into a Business Associate Agreement with the web form provider.

The HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of PHI, so you must backup your data to ensure it can be recovered in the event of disaster. You must have policies in place for restoring PHI from backups.

You must implement access controls to make sure that only authorized individuals are able to access the website and those individuals must be trained on the requirements of HIPAA. You must follow cybersecurity best practices such as setting strong passwords, limiting administrative privileges, and regularly scan for malware. HIPAA also requires you to maintain access and change logs, regularly review those logs, and maintain an audit trail. You must also have policies and procedures covering the deletion of data when it is no longer required.

HIPAA Compliant Website Checklist

  • Do you have a valid SSL certificate?
  • Is the website hosted with a HIPAA compliant hosting company?
  • Have you encrypted data at rest and in transit?
  • Are you using HIPAA-compliant web forms?
  • Have you set access controls?
  • Are you recording and monitoring logs?
  • Are you maintaining an audit trail?
  • Have you got signed business associate agreements for all vendors?
  • Are you backing up all PHI?
  • Have you developed policies and procedures for restoring and deleting data?
  • Have you obtained consent from patients before publishing testimonials on your website?
  • Does your website include a notice of privacy practices?
  • Does your website include your HIPAA policy?

Websites and HIPAA Compliance: FAQ

Do all websites related to healthcare need to be HIPAA compliant?

Unless a website is being used to store, manage, transfer, or otherwise handle PHI, it does not need to be HIPAA compliant. Websites, therefore, that contain details about medical treatments, health plans, medication, or other healthcare-related topics do not need to have the minimum safeguards specified by the HIPAA Security Rule. However, if a website has any connection to PHI – for example, it allows patients to access information on diagnoses, online prescriptions, make appointments etc. – it is subject to HIPAA, and the organization must ensure the website is HIPAA compliant.

Are business associate agreements required for a website to be HIPAA compliant?

If a website needs to be HIPAA compliant, the covered entity or business associate must ensure that they enter a business associate agreement (BAA) with the website’s host. The purpose of the BAA is to outline how PHI will be used, who can access it, what safeguards will be in place to ensure HIPAA compliance, and what will happen in the event of a breach. Not all website hosts will enter a BAA, and it is the responsibility of the CE and BA to ensure that one has been obtained before using the hosting service.

Can shared web servers be HIPAA compliant?

Though dedicated web servers are more secure, shared web servers can still be used in a HIPAA-compliant manner. The CE or BA must undertake extra checks to ensure that data will be adequately protected, and there are a number of dangers associated with using shared servers (hacking attempts on another website maintained on the server can threaten the integrity of PHI, for example).

What are the minimum standards for passwords to help safeguard PHI?

HIPAA does not specify the minimum standards for passwords to be compliant. This is largely to allow organizations to set their own policies in line with current best practices. Good passwords should be long, contain a mixture of upper- and lowercase characters, numbers, and special characters, and should not be shared between users. Two-factor authentication can also help with protecting data from unauthorized users.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/