How to Ensure Your Website is HIPAA Compliant
Telehealth. Electronic check-ins. Online scheduling. What’s next? Before you take on even more digital platforms and tools, do a health check on your existing technology and digital practices to make sure you are – and remain – HIPAA compliant.
Even simple, everyday digital interactions like those listed above can put you at risk for HIPAA violations. Here’s what you should do to ensure your practice’s or facility’s website and digital practices are HIPAA compliant.
Know the patient journey: Put yourself in the patient’s shoes by using the website as if you are a patient. Go through the journey of filling out forms, contacting the office, requesting appointments or other actions you want them to take. What happens once a patient fills out a form, submits information or requests an appointment? Where does that information go internally? This information will help you determine how compliant your site is and where issues may arise.
Secure any gaps: Like the example above, you should know where information goes once it gets submitted via your site. For example, if the data submitted is emailed before it’s stored securely in a database, that is going to be a compliance issue: ordinary email is not an encrypted channel, and a copy of the submission ends up in mailboxes outside your controlled storage.
Make sure you have an SSL certificate: An SSL (TLS) certificate lets browsers verify your server and encrypts the connection between a visitor’s browser and your website, so form data cannot be read in transit. This can prevent security leaks and give website visitors peace of mind. If your site was built a long time ago, you may not have one. Additionally, any place you house information needs to be secure, because some forms may contain protected health information (PHI).
Have compliant forms: To ensure the forms your patients are filling out are HIPAA compliant, they need to be encrypted. Your web team can help determine if the forms are compliant and ensure they are encrypted properly.
Consider other forms of PHI and PII: There are other forms of PHI and PII you may not have considered such as:
- Telephone numbers
- Geographic information
- Full face photos
- Email addresses
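To make the two points above concrete (knowing where submitted data goes, and which fields count as PHI/PII), here is an added example that is not part of the original article. It models an intake form being routed to two destinations: an encrypted, access-controlled store that may hold PHI, and an office e-mail notification that may not. The field names, sink names and sample submission are constructed for the illustration.

```python
"""Route a patient intake form so PHI reaches only destinations cleared to hold it."""
from dataclasses import dataclass, field

# Identifiers the article lists as PHI/PII (phone, geographic data, photos, e-mail),
# plus name and date of birth, which HIPAA also treats as identifiers.
# Field names are assumptions for this example.
PHI_FIELDS = {"name", "date_of_birth", "phone", "email", "address", "zip", "photo"}


@dataclass
class Sink:
    name: str
    holds_phi: bool          # True only for encrypted, access-controlled storage
    delivered: dict = field(default_factory=dict)


def classify(submission):
    """Split a form submission into PHI fields and non-PHI fields."""
    phi = {k: v for k, v in submission.items() if k in PHI_FIELDS}
    other = {k: v for k, v in submission.items() if k not in PHI_FIELDS}
    return phi, other


def route(submission, sinks):
    """Deliver the full record only to PHI-cleared sinks; others get metadata only.

    Returns {sink name: sorted field names delivered} so the data flow can be reviewed.
    """
    _, other = classify(submission)
    for sink in sinks:
        sink.delivered = dict(submission) if sink.holds_phi else dict(other)
    return {s.name: sorted(s.delivered) for s in sinks}


def staff_notification(submission_id, submission):
    """Build an office e-mail that points staff to the portal without carrying PHI."""
    _, other = classify(submission)
    details = ", ".join(f"{k}={v}" for k, v in sorted(other.items()))
    return (f"New intake form {submission_id} received ({details}). "
            "Open the secure portal to view patient details.")


def audit_outbound(text, submission):
    """Return the PHI field names whose values appear verbatim in an outbound message.

    A correctly built notification yields an empty list; anything else is a gap to close.
    """
    phi, _ = classify(submission)
    return sorted(k for k, v in phi.items() if v and str(v) in text)
```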
Have secure authorization: Not everyone in your practice needs access to PHI/PII. Consider which staff roles genuinely need to access PHI/PII, grant only that access, and make sure no one else has unnecessary access to this information.
Be aware of cybersecurity issues: Ransomware attacks have been on the rise since the beginning of the pandemic. You can help protect your practice by ensuring staff know about cybersecurity practices. If you’re part of a larger organization, your IT team can help ensure the security of your digital presence.
Whether your site regularly collects PHI or does so on occasion, it needs to be HIPAA compliant to protect patients and your practice. Trust is the most important ingredient in a patient-practitioner relationship, and any breach of trust – including a cybersecurity breach – could permanently damage it.