HIPAA is a unique regulation in that it offers numerous recommendations (addressable elements) and a few mandates (required elements), but ultimately, it is up to each organization to determine what steps are necessary to ensure compliance. This creates significant flexibility and also substantial uncertainty. Generally, to be HIPAA-compliant, a website must, at a minimum, ensure that all electronic protected health information (ePHI) meets the following criteria:

  • Transport Encryption: ePHI is always encrypted during transmission over the internet.
  • Backup: ePHI is never lost; it must be backed up and retrievable.
  • Authorization: ePHI is only accessible by authorized personnel using unique, audited access controls.
  • Integrity: ePHI is not tampered with or altered.
  • Storage Encryption: ePHI should be encrypted when stored or archived.
  • Disposal: ePHI can be permanently deleted when no longer required.
  • Omnibus/HITECH: ePHI is hosted on servers of a company with whom you have a HIPAA Business Associate Agreement (or hosted in-house with servers secured per HIPAA security rule requirements).

How does a “basic” website measure up to these standards?

By a “basic” website, we refer to one hosted on a standard web hosting provider (e.g., GoDaddy) and developed using off-the-shelf software or by someone without training in website security best practices:

  • Transport Encryption – Fail. Data is not encrypted during transmission.
  • Backups – Maybe. Most web hosts provide backup and restore services. However, this assumes the data collected is in a location backed up by the host. If information is emailed to you, you must ensure that your email record is complete and the backups are reliable.
  • Authorization – Maybe. Depends on your implementation.
  • Integrity – Fail. No way to ensure data is not tampered with or to verify if it has been.
  • Storage Encryption – Fail. Data is never encrypted.
  • Disposal – Maybe. Depends on your implementation. Some web hosts and IT departments keep data backups indefinitely, which does not constitute “disposal.”
  • Omnibus – Fail. Most web hosting providers are unaware of what a HIPAA BAA requires them to do, and most know they cannot sign such an agreement and meet its requirements without completely changing their business model and pricing.

Overall grade — failing. If you have a basic website that has never been explicitly updated for HIPAA and involves protected patient data, it is likely not compliant and needs immediate attention. If you plan on expanding your site to include protected patient data, ensure that whoever handles it is familiar with the necessary requirements.

So, what can be done to guarantee compliance?

Obviously, numerous steps can and should be taken to make your basic website HIPAA-compliant. What works for you will depend on your site’s specific goals and how protected health information is involved. Below, we walk through each of the seven criteria above, covering the situations we most commonly encounter:

Transmission Encryption:

PHI is always encrypted during transmission over the internet. The first step is to ensure your website is secure (i.e., protected by SSL and accessed via https://). Any page that collects or displays protected health information, or is used for logging in users, transmitting authorization cookies, etc., must be protected by SSL and not accessible via an insecure version. Using SSL can meet HIPAA’s data transmission security requirements for communications between the end user and your website. However, your SSL configuration must be robust enough to prevent the use of weak encryption methods. It is up to your web host to ensure this. Next, what if the end user submits PHI collected on your website, and then your website transmits or stores that data elsewhere? That process must also be HIPAA-compliant; we discuss it further below, as it is one of the more challenging parts of achieving compliance.
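As an added example (not code from the original article), here is how a small Go service enforces the points above: a TLS minimum version and cipher list that exclude weak methods, a plaintext listener that does nothing but redirect to the https:// version of the same URL, and an HSTS header so browsers stop trying plaintext at all. The function names, ports, site directory and certificate paths are assumed placeholders.

```go
package main

import (
	"crypto/tls"
	"net/http"
)

// hardenedTLSConfig returns a server-side TLS policy that refuses legacy
// protocol versions and non-forward-secret cipher suites. Making the minimum
// explicit (rather than relying on library defaults) keeps the policy auditable.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		// TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only.
		// (TLS 1.3 suites are not configurable in Go and are always on.)
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// redirectToHTTPS answers every plaintext request with a permanent redirect
// to the https:// form of the same URL, so no PHI page (intake form, login,
// cookie-bearing page) is ever served over an insecure channel.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// withHSTS adds Strict-Transport-Security so returning browsers use TLS only.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Port 80 only redirects; ./site, cert.pem and key.pem are assumed placeholders.
	go http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS))
	srv := &http.Server{Addr: ":443", Handler: withHSTS(http.FileServer(http.Dir("./site"))), TLSConfig: hardenedTLSConfig()}
	srv.ListenAndServeTLS("cert.pem", "key.pem")
}
```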

Backup:

PHI is not lost, i.e., it is backed up and recoverable. You must ensure that all PHI stored or collected on your website is backed up and can be recovered in an emergency or accidental deletion. Most web hosts provide this service for information stored on their servers. If your site sends information elsewhere (e.g., via email), those messages must also be backed up or archived, and you must ensure that those backups are robust, available, and accessible only by authorized personnel. The PHI stored in backups must also be protected in a HIPAA-compliant manner, including security and authorization controls.

Authorization:

PHI is only accessible by authorized personnel using unique, audited access controls. Who can access the protected health information on your website or collected there? Your web hosting provider likely can. Are they a trusted HIPAA Business Associate with a privacy agreement? If the site collects health information and sends it to you or others, it is essential to know who can access those messages. Anyone with access to your email or the messaging system? Are they all trusted and “in the loop”? If your website stores or provides access to PHI, does it enforce unique, secure logins to ensure that only authorized personnel can access that data? Are these logins and data accesses audited? It is up to your website designers to properly set this up for you.

Integrity:

PHI is not tampered with or altered. Unless the information you collect and store is encrypted and/or digitally signed, there is no way to prevent it from being tampered with or to verify if tampering has occurred. It is up to your organization to determine if tamper-proofing your data is necessary and how to best achieve that. Generally, using PGP, SSL, or AES encryption of stored data can accomplish this effectively and address the next point.

Storage Encryption:

PHI is encrypted if stored or archived. It is up to your organization to determine if this is necessary, though it is highly recommended. If storage encryption is required, you must ensure that all collected and stored protected health information is encrypted and can only be accessed/decrypted by authorized personnel with the appropriate keys. This makes backups secure, protects data from unauthorized access, and generally safeguards the data regardless of what happens (unless your special keys are stolen). Storage encryption is especially crucial in scenarios where data may be backed up or placed in locations out of your control, or where you may share a web server with other customers of the same host. Should something unfortunate occur and a server become compromised, your liability is significantly reduced if the data is encrypted.

Disposal:

PHI can be permanently deleted when no longer required. This sounds simple, but you must consider all the locations where the data could be backed up and archived. You need to ensure that all of those backups will eventually expire and disappear. Consider that every place the information touches could create backups and save copies of your data indefinitely. It certainly helps if the data is encrypted in the backup, but if the backup exists and the keys to decrypt the data exist, then it is not truly “disposed of.” It is up to you to determine how far you need to go to ensure data disposal to be HIPAA-compliant. It is also up to the individuals managing your servers to ensure that the media (e.g., hard drives) containing PHI are properly disposed of when no longer in use.

Business Associate:

You must have a HIPAA Business Associate Agreement with every vendor that interacts with your PHI. If your website or data is hosted on a vendor’s servers, HIPAA (first HITECH, then Omnibus) requires you to have a signed Business Associate Agreement with them. This agreement ensures that the vendor will follow HIPAA security rule requirements concerning your data and its servers. Note that websites are complex, and no web hosting provider will monitor your website’s functionality and content—they can’t. Instead, they provide an “infrastructure” that meets HIPAA compliance requirements, and they will require you to design and manage your website to ensure its functionality is HIPAA-compliant. Choosing a provider will not make your website HIPAA-compliant unless you and your designers also take all necessary steps to ensure its design and functionality meet compliance standards. This is true unless you purchase a pre-designed website fully controlled by the host.

There are many things to do, and much is “up to you.” However, just because you are on the “honor system” doesn’t mean you can make decisions at will. If you make a poor choice and something goes wrong, or if you are audited, you may be found willfully negligent (ignorance is not a valid excuse here). You must carefully consider what is necessary and appropriate to protect health information and your users’ privacy, based on your website’s application and how patient data is used and transmitted.

Collecting health information from individuals:

One of the first things that physicians and medical practices like to do when expanding online is to collect patient information on their website to:

  • Sign up new patients
  • Schedule appointments
  • Make diagnoses and recommendations about medical situations
  • Process digital prescriptions

Conclusion

Medical websites handling patient information must follow strict security rules (HIPAA). This includes protecting patient data from theft, misuse, and unauthorized access. Websites need strong security measures like encryption, limited access, and regular backups. Failing to comply can lead to serious penalties.

We specialize in Medical Billing and Coding and provide comprehensive support for your practice. For more information visit

For more details on billing software, visit