Do You Have a HIPAA Compliant Website?


Marketing is necessary for the continued success of any business, and that includes medical care providers. However, medical professionals cannot market in the same way other industries can. Why? Because of HIPAA.

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records. It restricts the way that covered entities can use and share protected health information (PHI).

Thankfully, there are many marketing channels that you can use in a HIPAA compliant manner to help grow your brand and market your medical care practice.

Here is an overview of HIPAA compliant marketing channels and solutions you should try in 2020. But first, let’s discuss the challenges of healthcare marketing in general.

Why is healthcare marketing so difficult?

Excelling in healthcare marketing means understanding HIPAA compliance. You must fully understand how HIPAA defines marketing and choose your strategies—and solutions—from there.

HIPAA outlines specific standards for healthcare industry communication. Providers must take extra precautions to secure and safeguard PHI and other confidential details about patients. That’s why HIPAA compliance should be the foundation of your marketing plan.

Ensure your website is HIPAA compliant

When considering a modern healthcare strategy, start with your website.

93% of all business decisions start with an online search. This makes having a website vital for any business, including medical care providers. However, healthcare providers need to take extra precautions to be sure they have a HIPAA compliant website.

A good website helps providers be “found” in online searches, lends them credibility, and gives potential patients a way to contact them. For healthcare providers, a good website can also make operations more efficient.

Imagine having patient intake forms available to be filled out and submitted online. Labs can create secure portals for doctors to view results and upload needed documents. Patients can get access to results and prescriptions.

A quick note about HIPAA compliance and websites

It’s important to remember that HIPAA compliance for any covered entity means making sure reasonable steps are taken to ensure there are technical, physical and administrative safeguards in place to keep protected health information (PHI) safe.

For websites, this means that any time PHI is transmitted or stored, there are proper procedures and policies in place alongside the technical security measures we discuss in this article.

For example, you can have secure cloud storage to hold PHI, but not have policies in place when it comes to sharing that information with others. Someone could still accidentally share or leak that information when they weren’t supposed to, which can result in a HIPAA violation.

When does a website have to be HIPAA compliant?

The first thing to do is assess what things you want visitors to do when they visit your website. Do you want visitors to be able to send an email, do a live chat, fill out forms, upload documents, or access a patient portal?

Once you identify how a visitor will interact with your website, you can work on making sure those interactions result in a user-friendly, but secure, experience by considering the following:

  • Are you transmitting any PHI online?
  • Are you storing PHI on a server you are hosting?

If you are handling any PHI on or through your website, then you need to be sure it is HIPAA compliant. This includes even “simple” transactions like setting an appointment.

How do you make a HIPAA compliant website?

Remember the two questions we said we would consider? Are you transmitting PHI, or storing PHI? Your answers determine which steps you need to take.

Chances are, most healthcare providers will transmit PHI at some point through their website if they allow for any sort of communication. Remember, even appointment setting is an example of transmitting PHI because it has identifiable personal information that will be used in relation to the care of a patient.

The first step is to use SSL/TLS (HTTPS) to secure your website. This ensures that the initial leg of the transmission, from the patient’s browser to your web server, is secure. From there, the data can be:

  • Passed through to someone via email
  • Stored on your web server
  • Stored on someone else’s web server

If you pass through PHI

This is probably the easier method because it reduces the additional work (and liability) involved in securing PHI.

If information is collected on a form and then passed through and emailed to an inbox, the data needs to be encrypted in transit and at rest.
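As an added illustration of the pass-through path (this is example code, not code from the original post): a Go handler that refuses PHI form submissions that did not arrive over HTTPS, and a pair of functions that seal the submitted body with AES-256-GCM before it is queued for email or written to disk, so it stays encrypted at rest. The function names and the assumption that a TLS-terminating proxy sets X-Forwarded-Proto are mine.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors"; "net/http")

// requireTLS refuses form submissions that did not arrive over HTTPS (directly
// or via a TLS-terminating proxy setting X-Forwarded-Proto). A plain-HTTP POST
// is refused, not redirected: its PHI has already crossed the wire in the clear.
func requireTLS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil && r.Header.Get("X-Forwarded-Proto") != "https" {
			http.Error(w, "PHI must be submitted over HTTPS", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newGCM builds an AES-256-GCM cipher; the 32-byte key comes from a secrets
// store, never from the site's source or a checked-in config file.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPHI encrypts a form body before it is queued for email or written to
// disk (the at-rest requirement). Random nonce prepended; GCM tag detects tampering.
func sealPHI(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openPHI reverses sealPHI; it fails if the ciphertext or tag was altered.
func openPHI(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or sealed payload too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
```

Forwarding only the sealed blob keeps the PHI unreadable in any intermediate mailbox or queue; only the system holding the key can open it, which is what makes an ordinary inbox acceptable as a drop point.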

If you store PHI on a server

Whether you choose to store data on your server or a third-party, it’s important to understand how to ensure that the hosting is HIPAA compliant.

Our friends at HIPAAHQ put together a great checklist to help you confirm that the hosting provider you choose has the necessary systems, procedures and technologies in place.

Some of the items on that checklist include policies to address physical security of the servers, established policies for the disposal of data if needed, and logs and audits of software and hardware use and access.

Many hosting providers can be configured to become HIPAA compliant, but there are also hosting companies like Atlantic.Net who specialize in HIPAA compliant website hosting.

Let technology work for you

There are far more benefits than risks when it comes to having a website that adds value to your business. Using the right technology to secure your website can improve your workflows, increase business and let you focus on patients and clients, not on checking off boxes and adding extra steps.