What Will It Take To Make Your Website HIPAA Secure?
Medical professionals are under increasing pressure to move their practices online: electronic prescriptions, web appointments, remote medicine and billing. This push means making protected health information (PHI) available to patients via a website, while also collecting similarly private information from patients or prospective patients.
When dealing with an individual's health information, we must comply with the Health Insurance Portability and Accountability Act (HIPAA). In addition to the HIPAA rules themselves, the Omnibus Rule requires that all of your Business Associates be fully HIPAA compliant and that they establish Business Associate Agreements (BAAs) with all of their vendors and partners that handle PHI.
Number 1: Your organization has signed HIPAA Business Associate Agreements with all vendors who may access your Protected Health Information (PHI).
Let's use Skype or Google Hangout as an example. Google and Microsoft will not enter into a BAA with your organization. Doesn't it seem less debatable to use Skype or Google Hangout, with TeleHealth in place for 16 states where the use of secure video conferencing is reimbursed by private insurance, Medicare and Medicaid?
Number 2: Understand the HIPAA requirements for a website, which are as follows:
- Transport Encryption: PHI must always be encrypted as it is transmitted over the Internet. Make sure you have a secure website, one protected by TLS (SSL) and accessed via https://
- Backup: Most web hosts will back up and restore data for you. However, this assumes the data you collect is stored in a location the host actually backs up.
- Authorization: PHI is accessed only by authorized personnel, through unique, audited access controls. Who can access the protected health information that resides on your website or is collected there? Your web hosting provider probably can. Are they a trusted HIPAA Business Associate with a privacy agreement in place? Again, it is important to know who can access the website's data.
- Integrity: Unless the information you collect and store is encrypted and/or digitally signed, there is no way to prevent it from being tampered with or to verify if tampering has happened.
- Storage Encryption: If your organization collects and stores protected health information, then it will be necessary to ensure that it can only be accessed/decrypted by people with the appropriate keys.
- Disposal: This sounds easy, but we have to consider every place the data could have been backed up or archived. HIPAA requires that information be permanently disposed of when it is no longer needed.
- Business Associate: You must have a HIPAA Business Associate Agreement with every vendor that touches your PHI.
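The Integrity requirement above says that stored PHI must be digitally signed or encrypted so that tampering can be detected. The following added example (not from the original article; it uses only the Python standard library and a constructed, fictional patient record) attaches an HMAC-SHA256 tag to each stored record under a named integrity key and verifies it on read, so a record edited on disk or in a backup fails verification:

```python
import hashlib
import hmac
import json
import os

# Constructed example key store: one integrity key per key id. In a real
# deployment the key is loaded from a key-management service, never hard-coded.
INTEGRITY_KEYS = {"k1": os.urandom(32)}


def _canonical(record: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so that the same record always
    # produces the same tag regardless of key order or formatting.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key_id: str = "k1") -> dict:
    """Return the record wrapped with an HMAC-SHA256 tag over key id + record."""
    key = INTEGRITY_KEYS[key_id]
    msg = key_id.encode() + b"\x00" + _canonical(record)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"key_id": key_id, "record": record, "tag": tag}


def verify_record(sealed: dict) -> bool:
    """Recompute the tag for a stored record and compare it in constant time."""
    key = INTEGRITY_KEYS.get(sealed.get("key_id"))
    if key is None:
        return False  # unknown or retired key: treat as untrusted
    msg = sealed["key_id"].encode() + b"\x00" + _canonical(sealed["record"])
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def tamper_demo() -> tuple:
    """Return (verifies_untouched, verifies_after_tamper) for a sample record."""
    # Constructed PHI-like record for a fictional patient.
    sealed = seal_record({"patient_id": "P-0001", "rx": "lisinopril 10mg"})
    ok_before = verify_record(sealed)
    tampered = json.loads(json.dumps(sealed))  # deep copy, as if edited on disk
    tampered["record"]["rx"] = "lisinopril 40mg"  # silent dosage change
    ok_after = verify_record(tampered)
    return ok_before, ok_after  # (True, False)


if __name__ == "__main__":
    print(tamper_demo())
```

The tag only detects tampering; for the Storage Encryption requirement pair it with authenticated encryption (for example AES-GCM) from a vetted library so the record is also unreadable without the key.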
So there is a lot to do, and much of it is "all up to you". We have to carefully consider what is necessary and appropriate to protect health information and the privacy of an organization's users. I'm here to help (firstname.lastname@example.org) if you have any questions about bringing your website up to the next level of security.