Why would you want a website that is HIPAA compliant versus one that isn’t? And what’s the difference?
What is HIPAA and what does it mean for your website?
The Health Insurance Portability and Accountability Act (HIPAA) requires that the privacy and security of certain health information be protected. From it come the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule sets standards for protecting certain health information, known as protected health information (PHI). The Security Rule sets standards for protecting that same information when it is created, received, held, or transmitted in electronic form; in that form it is known as “electronic protected health information” or e-PHI.
Keep in mind that you only need to be HIPAA compliant if your website stores or transmits this protected information.
What falls under e-PHI?
According to page 4 of the HIPAA Privacy Rule, protected health information is any “information, including demographic data, that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.”
That means patient names, addresses, phone numbers, Social Security numbers, photographs, X-rays, MRIs, medical records, payment and insurance information, demographics, and lab results are just some of the data that must be protected.
Is your website holding or transferring e-PHI?
If your website does hold or transmit e-PHI, then under the Security Rule you must put reasonable and appropriate safeguards in place to protect it. For example:
If you store patient information on your server, it must be encrypted at rest (for example, with disk or database encryption). TLS (“SSL”) only protects data while it is in transit; it does nothing for data sitting on the server.
If health information is submitted through website contact forms, those forms must be served and submitted over HTTPS, and the submitted data must stay protected wherever it is delivered or stored.
And so on…
Sign a business associate agreement (BAA) with everyone who needs access to, or has a way of accessing, your website and its data. This includes hosting providers, web developers and editors, digital marketing agencies, and any partners who may have access to your data. You can find a Business Associate Agreement template here. If your hosting provider will not sign a BAA, it has chosen not to support HIPAA compliance. Perhaps it does not want to provide the extra security controls, or it wants to keep access to the data on its platform. That is not necessarily malicious; a host may, for example, want access to data in order to provide a more user-friendly experience. Either way, hosting with a provider that will sign a BAA is a must, and it is the most foundational step.
Only use plugins from trustworthy sources. Plugins downloaded and installed from outside the official WordPress repository may be malicious and steal data. Research each plugin, and if a plugin sends data to its developer’s servers, get a BAA with the developer where possible.
Install a TLS (SSL) certificate and serve the entire site over HTTPS.
Use strong passwords and non-default account names, and enforce a maximum number of failed login attempts before an account is temporarily locked. In short, you want safeguards against brute-force login attempts.
All forms and other data transfer methods must be encrypted in transit.
Have documented processes for backing up, restoring, and permanently deleting e-PHI.
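The login-attempt limit in the list above is the one item that is simple to show in code. The following is an added example written for this article, not code from the original post or from WordPress. It uses only Python’s standard library; the user account, password, and policy numbers (five failures inside a five-minute window, fifteen-minute lockout) are constructed assumptions. It locks an account after repeated failures, refuses even the correct password while the lock is active, and hashes passwords with PBKDF2 so the demo never holds plaintext.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example, not anything the post specifies.
MAX_FAILURES = 5        # failed attempts allowed inside WINDOW_SECONDS before lockout
WINDOW_SECONDS = 300    # failures older than this no longer count
LOCKOUT_SECONDS = 900   # how long a locked account stays locked


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; never store plaintext passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class LoginGuard:
    """Per-account lockout after repeated failed logins.

    `users` maps username -> (salt, digest) as produced by hash_password().
    `clock` is injectable so lockout expiry can be exercised without sleeping.
    """

    def __init__(self, users, clock=time.monotonic):
        self._users = users
        self._clock = clock
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures
        self._locked_until = {}              # username -> time when the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: forget it and the failures that caused it.
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def _record_failure(self, user, now):
        q = self._failures[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()  # drop failures outside the window
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def attempt(self, user, password):
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
        now = self._clock()
        if self.is_locked(user):
            return "locked"
        record = self._users.get(user)
        # Hash even for unknown users so response time does not reveal which usernames exist.
        salt, expected = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
        _, digest = hash_password(password, salt)
        if record is not None and hmac.compare_digest(digest, expected):
            self._failures[user].clear()  # a successful login resets the counter
            return "ok"
        return self._record_failure(user, now)


class FakeClock:
    """Constructed clock for the demo; advance() stands in for waiting."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk one constructed account through lockout and recovery; returns the outcomes."""
    clock = FakeClock()
    users = {"dr.smith": hash_password("correct horse battery staple")}  # constructed sample user
    guard = LoginGuard(users, clock=clock)
    outcomes = [guard.attempt("dr.smith", "wrong-%d" % i) for i in range(MAX_FAILURES)]
    # The account is now locked, so even the real password is refused...
    outcomes.append(guard.attempt("dr.smith", "correct horse battery staple"))
    clock.advance(LOCKOUT_SECONDS + 1)
    # ...until the lockout period has elapsed.
    outcomes.append(guard.attempt("dr.smith", "correct horse battery staple"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Running it, demo() returns four "denied" results, then "locked" on the fifth wrong password, "locked" again for the correct password while the lock is active, and "ok" once the lockout has expired. On a WordPress site this is the job of a login-limiting plugin or the web server’s rate limiting; the behaviour to check for in whatever you deploy is the same: the counter is per account, old failures expire, and a correct password does not bypass an active lock.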