Designing HIPAA Compliant Websites

A well-designed and user-friendly website is a necessity for any business or organization today. This includes hospitals, healthcare providers, and any other companies that deal with medical data and PHI (protected health information). Along with all the best practices for designing and developing a website, these organizations also have another, very important guideline - HIPAA compliance.

HIPAA was created to protect PHI, regulating how it is managed and secured. There are numerous boxes that need to be checked in order to be considered HIPAA compliant, which we will review momentarily.

This PHI data can include anything from names and addresses to full medical records. Companies that are required to be HIPAA compliant include any health service provider or any other business that uses medical records in their work (lawyers, accountants, insurance, etc.). Failing to comply with HIPAA will likely lead to a tarnished reputation, hefty fines, and even possible jail time.

Before you design and develop a HIPAA compliant website, you need to know the website’s purpose and how patients will use it. For example, it could be to update their medical information on file, fill out a survey, submit documents, or view medical records such as x-rays or lab tests.

Here are 3 questions to ask yourself:

• Are you collecting PHI via your website?
• Are you transmitting PHI through your website?
• Are you storing PHI on a server on your website?

If you happen to answer yes to any of these questions, your website needs to comply with HIPAA standards.

Here are 5 guidelines to follow when building a HIPAA compliant website:

1. Be certain your website is protected by an SSL certificate - An SSL certificate stands for Secure Sockets Layer Certificate. Basically, the SSL certificate creates a secure connection or link between your website and the browser the user is on. This ensures that any information passed back and forth remains private.
2. Ensure the servers hosting your website and managing data are HIPAA compliant - Not all web hosting servers are the same, and certainly they are not all HIPAA compliant. Some web hosting companies have options that include “shared” servers, and others offer dedicated servers. Shared servers have a more difficult time being HIPAA compliant. Whatever hosting option you choose needs to properly comply with HIPAA standards, conduct regular scans, and consistently update their system. This is especially true for documentation storing and management.
3. Any forms that submit information need to be encrypted - Forms are commonly used to collect information from patients, so anything collected and submitted needs to be encrypted / secured. This greatly reduces the risk of PHI getting into the wrong hands via a data breach.
4. All data collected digitally needs to be encrypted - There is no guarantee against a possible data breach. However, encrypting any collected data will make it impossible to read or use if a data breach were to occur. This includes any data passed through email (which is not recommended).
5. Educate employees about HIPAA - Employees need to understand what HIPAA is, why it was created, standard practices, and especially what can happen when a business does not comply with HIPAA standards. This is especially true for any employees managing or using PHI.

There is a lot to think about when it comes to designing and developing a HIPAA compliant website. Most developers are not familiar with the standards and best practices, which could lead to issues in the future. It’s always best to work with a company that has experience working with healthcare organizations.