Back to the Blog

Guide To HIPAA Compliant Web Development

Posted: April 21, 2021

Have you stopped to consider the HIPAA regulations that govern your website? HIPAA protects your patients and binds you to patient-provider confidentiality, except in special circumstances. This protection extends to your website— specifically, any and all patient information collected and stored on your website. In order to protect your practice from violating a HIPAA regulation, you need to know what falls under the category of “protected information,” how that information may be collected and stored on your website, and how to make your website HIPAA compliant.

Let’s take a closer look at these HIPAA regulations and how you can safeguard your website from violations.

What is Considered Protected Health Information?

This HIPAA term applies to all identifiable patient information related to their healthcare, including their payment information they use to pay for your services. If you have ever seen a patient for a medical condition, and you have collected payment via a credit or debit card, then you have collected “protected health information.” Your patient’s healthcare information is then recorded via your visit notes, and within your invoicing or payment system. Even if your patient paid via cash, you still collected HIPAA-protected information during the exam or procedure that you entered into your EMR.

Other ways to collect protected health information include patient surveys, online patient forms, and live chat features.

Case in point - if you are a healthcare provider, then you collect protected health information from your patients every day, and this information is stored within both your internal provider portal and your accounting portal. This means that you need to make sure that your website is HIPAA compliant through proper server encryption. Failure to do so can result in fines ranging from $100 to $50,000.

Transmission of Protected Health Information

Whenever you are storing protected health information, you are at risk of transmitting this information. Most of the time this is HIPAA-approved transmission via internal emails and web forms. However, the risk of unlawful transmission can occur when you grant third-party vendors access to your website. This can include payment merchants, as well as third-party tech support.

To safeguard your website and your practice from a HIPAA violation, you need to have all third-party vendors sign a business associate contract that details how to not unknowingly or unlawfully transmit protected health information as well as acknowledgment of these terms and conditions.

How to Make Your Website HIPAA Compliant

Worried your website might not be HIPAA compliant? Here are the first steps towards changing that and safeguarding your practice from a HIPAA violation.

Step 1 - Encryption

The first step is to make sure your website and all online tools within it are encrypted, including your email servers. An SSL certificate can help you do this. You will also want to source out a website hosting service that is HIPAA compliant. This will help protect your patient’s information from outside sources.

Step 2 - Vendor and User Access

The second step towards making sure your website is HIPAA compliant is to restrict access to protected health information to only those who need access to it for business or provider reasons. Have all of your third-party vendors sign a business associate agreement, and have all of your internal staff sign an agreement to never share protected health information unwillingly and unlawfully. Train your staff so that they know what these terms mean and how to avoid them.

Let’s Talk Interactive specializes in building HIPAA-compliant websites. Contact us today to start the process for your website.