If you’re involved in the healthcare industry, you should be thinking about how HIPAA affects your website. This guide serves as a great starting point for learning about HIPAA guidelines in the online world.
In part 1, we will identify if your website is at risk for violating HIPAA. In part 2, we will discuss how to ensure your website is compliant. And in part 3, we include some further reading on HIPAA.
To answer that question, you must answer this one: does your website store or transmit protected health information? If so, your website needs to comply with HIPAA regulations. More details below.
Protected health information (PHI) is personally identifiable medical or payment information related to health services. That includes:
In December of 2022, the Department of Health & Human Services released new guidance indicating that they considered IP addresses and user or device ID a form of protected health information as well. While this new guidance is still being negotiated, conservative healthcare organizations are making shifts to also protect patients’ and potential patients’ IP addresses and user IDs
If your website collects any individually identifiable medical information, such as symptoms, conditions, or requested healthcare services, you are collecting PHI.
You might be receiving PHI through:
Once you understand what PHI is and whether you collect it through your website, you should consider how and if you are storing that information. The Privacy Rule of HIPAA requires that entities that store PHI take reasonable measures to protect it. If you keep individually identifiable medical information on a server, that server must be encrypted and secure to the unique standards of the HIPAA regulations.
Transmitting PHI includes sending information via email, web forms or other types of digital messaging. To stay HIPAA compliant when transmitting PHI, all emails, email servers and web forms involved should be encrypted and secured.
If vendors or service providers you work with store, transmit or have access to PHI, then you should sign a business associate contract with them to meet HIPAA guidelines (with some exceptions).
Depending on the data that is shared with third parties, you may need to a sign a BAA with any of the following:
A business associate contract is an agreement between an organization and its “business associate” that has access to PHI collected by the organization. The contract requires that business partners follow HIPAA guidelines to keep PHI secure. Learn more about the provisions of the business associate agreement here.
If your website collects, stores, or transmits PHI, and does not take reasonable measures to secure that data, you may be in violation of HIPAA. If you are, you run the risk of HIPAA penalty fines, which are not cheap. Depending on the scale of the violation, the number of patients affected, and the level of negligence, a fine can range from $100 to $50,000. Larger class action lawsuits have been filed, which is important to consider given that many websites and online tools transmit and store large amounts of data.
If your site is not compliant, you should establish new processes, starting with these essential steps:
Because the internet is such a vast, ever-changing landscape, the language around HIPAA regulations for websites are intentionally vague at times. This leads to a lot of uncertainty. However, if you take reasonable steps to secure PHI, control who accesses it and partner with HIPAA compliant organizations, you can protect your patient’s privacy and avoid violations and fines. Speaking with experienced attorneys, healthcare-focused digital vendors and assessing your organization’s own risk tolerance is important – this will ensure that you’ve done your homework and shown your steps to keep your patients’ data secure.
This guide is not comprehensive, so we have included some helpful resources and next steps to familiarize yourself with HIPAA and website compliance.
Full Media works with healthcare organizations of all sizes to grow their patients online through digital marketing, website development and analytics. We are a HIPAA-compliant agency that will sign a BAA with our clients, and we offer specialized consulting and solutions for clients looking to build a compliant website or make their digital analytics HIPAA-compliant.
This article is for general information only and is not formal legal advice.
Celebrating more than a decade with Full Media, Lauren has served in a wide variety of roles that have helped her gain a well-rounded understanding of digital marketing and website development.
Lauren began as an Internet Marketing Analyst with a specialty in paid search advertising, providing both SEO and PPC management to a diverse group of clients. After spending time as the department Director for Internet Marketing and subsequently Production (website development team), she was promoted to be the Director of Operations. In this role, Lauren is responsible for providing the infrastructure to Full Media team members that facilitate client success through a mix of leadership, process improvements, and growth in team capabilities. She also serves as the project manager for custom website projects, using her combined expertise in marketing and development to ensure the successful launch of complex website redesign projects.
Read Full Bio