Gil Vidals
4 min read · Feb 12, 2020

PHI and HIPAA: Is your Website HIPAA Compliant?

By Stephen Trout

Chances are, if you’re a healthcare provider (or even a business associate that works with one), you’re handling electronic protected health information (ePHI). But what is ePHI exactly, and is your website secure enough to collect or process it and ensure it remains confidential?

The HIPAA Security Rule was designed to ensure the privacy and confidentiality of ePHI, which is essentially any data that can be used to identify a patient. This includes:

  • Patient names, addresses, phone or fax numbers, and email
  • Photos, social security numbers, and biometric identifiers
  • Website URLs and IP addresses that can be linked to the patient
  • Patient medical records, tests and lab results, X-Rays, MRIs
  • Patient health plan numbers, medical record numbers
  • Patient demographics (birth date, gender, race, marital status)
  • Related dates, such as admission, discharge, or death

If your website collects, maintains, or transmits any of the above data, whether through a patient portal, live chat, scheduling form, or patient history/data intake form, you need to ensure your site (including all forms) is HIPAA compliant.

So, how can I know if my website meets the standards of the HIPAA Security Rule?

Here’s the checklist you need to determine if your site is compliant:

  • My web host has met the requirements of HIPAA — with all technical, administrative, and physical safeguards installed — and is providing a secure, compliant infrastructure to host my site and data. This includes datacenter(s), firewalls, server hardening, patching, etc.*
  • I have an SSL (Secure Sockets Layer) certificate in place to ensure data encryption. With the certificate installed, my site is served over the secure HTTPS protocol, which assures all visitors that their connection to my site is encrypted. The visual cue of this is the lock icon (or, in some browsers, a green bar) in the address bar.
  • I am ensuring that all data transmitted from my site via the internet (including email), as well as data in storage such as a database/server connected to my site, is encrypted.
  • My website and data are governed by access controls; meaning, the site is accessible only by persons with approved permissions.
  • I have further ensured that any business associates with site or ePHI access have a Business Associates Agreement (BAA) in place. Note: A managed service provider, web designer, or consultant who works with your site will also need to sign a BAA.
  • A Log Administrator maintains logs of all attempts to access my site. These logs are kept for a minimum of six years (or longer if my state’s requirement is more stringent) to provide an audit trail. They can be searched and correlated to locate relevant data across the various hosts.
  • My site has regular offsite backups to a safe location. Better yet, I have a second data center where backups are synced each day. This ensures high availability and integrity of data. My HIPAA host also guarantees a disaster recovery plan.
  • My website has notice of privacy practices and HIPAA policy.
  • I have received consent from any patients who provide testimonials on my site.
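The encryption-in-transit and access-control items above can be checked mechanically. The following is an added example (not HIPAA Vault’s code and not part of the original post) that audits a pair of captured HTTP responses for the properties a HIPAA-facing site should show: plain HTTP redirects to HTTPS, the HTTPS response carries a Strict-Transport-Security header with a long `max-age`, and every session cookie is marked `Secure` and `HttpOnly`. The `Response` class, the `clinic.example` host name, the cookie names and the six-month HSTS threshold are all constructed for this example; the script inspects recorded responses rather than contacting a live site, so it runs offline.

```python
"""Audit captured HTTP responses for the checklist's encryption-in-transit items.

Added example, not HIPAA Vault's code. Inputs are constructed responses,
so nothing here touches the network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumed policy threshold for this example: HSTS max-age of at least six months.
SIX_MONTHS_SECONDS = 15_552_000


@dataclass
class Response:
    """Minimal record of one HTTP response (constructed, not a real client type)."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    set_cookies: List[str] = field(default_factory=list)  # raw Set-Cookie values


def header(resp: Response, name: str) -> Optional[str]:
    """Case-insensitive header lookup, as header names are case-insensitive."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_max_age(hsts: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in hsts.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit_transport(http_resp: Response, https_resp: Response) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # 1. A request over plain HTTP must be redirected to HTTPS, never answered
    #    with the page itself (an intake form served over HTTP leaks ePHI).
    location = header(http_resp, "Location") or ""
    if not (300 <= http_resp.status < 400 and urlsplit(location).scheme == "https"):
        findings.append("HTTP does not redirect to HTTPS")

    # 2. The HTTPS response must pin browsers to HTTPS for a long period.
    hsts = header(https_resp, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age = parse_max_age(hsts)
        if max_age < SIX_MONTHS_SECONDS:
            findings.append(f"HSTS max-age {max_age} below {SIX_MONTHS_SECONDS}")

    # 3. Session cookies that gate access to ePHI must never travel over HTTP
    #    (Secure) and must be out of reach of page scripts (HttpOnly).
    for cookie in https_resp.set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = [part.strip().lower() for part in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")

    return findings


# Constructed sample responses: a compliant pair and a non-compliant pair.
GOOD_HTTP = Response("http://clinic.example/intake", 301,
                     {"Location": "https://clinic.example/intake"})
GOOD_HTTPS = Response("https://clinic.example/intake", 200,
                      {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                      ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"])
BAD_HTTP = Response("http://clinic.example/intake", 200, {"Content-Type": "text/html"})
BAD_HTTPS = Response("https://clinic.example/intake", 200, {"Content-Type": "text/html"},
                     ["session=abc123; Path=/"])

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)), ("bad", (BAD_HTTP, BAD_HTTPS))):
        print(label, audit_transport(*pair) or ["all checks passed"])
```

Run it as-is to see the compliant pair pass and the non-compliant pair produce four findings. To audit a real site, capture the two responses with your HTTP client of choice and build `Response` objects from them; the checks themselves do not change.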

*Note that an established HIPAA host — especially one with Managed Security Service expertise like HIPAA Vault — will ideally use a multi-layered security approach to keep your site and data safe. These additional services include Managed Firewall Rules, System Monitoring, Vulnerability Scans, 2-Factor Authentication, Host Intrusion Detection (HIDS), Web Application Firewall (WAF), Anti-Virus Protection, Security Information and Event Management (SIEM), Password Management, and 24/7 dedicated, live support.
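The logging item on the checklist says access logs must be searchable and correlated across hosts, and the note above lists HIDS and SIEM among the services a managed host layers on. The following is an added example (not HIPAA Vault’s code and not part of the original post) of the kind of correlation a SIEM rule performs: it parses access-log lines forwarded from two web hosts, groups failed portal logins by client address, and flags any client that fails repeatedly within a short window, reporting which hosts saw it. The log line format, the host names `web1`/`web2`, the `/portal/login` path and the threshold of three failures in five minutes are all constructed assumptions for this example.

```python
"""Correlate failed portal logins across web hosts from forwarded access logs.

Added example, not HIPAA Vault's code. The line format and sample lines are
constructed for this example; adapt LINE_RE to your own log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple

# Constructed sample: lines from two web hosts as a log collector might store them.
# Fields: timestamp, host, client IP, "METHOD path", HTTP status.
SAMPLE_LOGS = """\
2020-02-10T09:00:01Z web1 198.51.100.7 "POST /portal/login" 401
2020-02-10T09:00:04Z web1 198.51.100.7 "POST /portal/login" 401
2020-02-10T09:00:09Z web2 198.51.100.7 "POST /portal/login" 401
2020-02-10T09:00:12Z web2 198.51.100.7 "POST /portal/login" 401
2020-02-10T09:01:30Z web1 203.0.113.20 "POST /portal/login" 401
2020-02-10T09:01:45Z web1 203.0.113.20 "POST /portal/login" 200
2020-02-10T09:02:00Z web2 192.0.2.55 "GET /portal/records/123" 200
this line is deliberately malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(\S+) (\S+)" (\d{3})$')


class AccessEvent(NamedTuple):
    ts: datetime
    host: str
    client: str
    method: str
    path: str
    status: int


def parse_access_log(text: str) -> List[AccessEvent]:
    """Parse forwarded log lines into events; unparseable lines are skipped."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AccessEvent(ts, match.group(2), match.group(3),
                                  match.group(4), match.group(5), int(match.group(6))))
    return events


def failed_login_sources(events: List[AccessEvent], threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Map client IP -> sorted hosts for clients with >= threshold failed logins
    inside any `window`, counted across all hosts rather than per host."""
    failures: Dict[str, List[AccessEvent]] = defaultdict(list)
    for event in events:
        if event.method == "POST" and event.path == "/portal/login" and event.status == 401:
            failures[event.client].append(event)

    flagged: Dict[str, List[str]] = {}
    for client, evs in failures.items():
        evs.sort(key=lambda e: e.ts)
        # Sliding window: for each failure, count failures up to `window` later.
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            if j - i >= threshold:
                flagged[client] = sorted({e.host for e in evs[i:j]})
                break
    return flagged


def search(events: List[AccessEvent], client: str) -> List[AccessEvent]:
    """The 'searchable' half of the requirement: every event for one client, in order."""
    return sorted((e for e in events if e.client == client), key=lambda e: e.ts)


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOGS)
    for ip, hosts in failed_login_sources(parsed).items():
        print(f"{ip}: repeated failed logins seen on {', '.join(hosts)}")
```

Note that the per-host view alone would miss the flagged client here: each host saw only two failures, and only the correlated count across hosts crosses the threshold. Remember too that, as the ePHI list earlier states, client IP addresses can themselves be identifiers, so the log store these lines live in needs the same access controls and retention handling as the rest of your data.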

We should also note that even sites that don’t specifically collect patient data can benefit from the added security of using a HIPAA compliant web host. Hackers will sometimes seek to install fake forms on websites, in an effort to steal ePHI such as social security and account numbers without your knowledge.

Finally, remember what is at stake. Ensuring your site is compliant will protect the well-being of your patients from malicious actors who seek to exploit their sensitive, personal data. Your business reputation will also be protected while saving you from potential HIPAA violations and penalties that may reach into the thousands or even hundreds of thousands of dollars.

HIPAA Vault is the leading provider of HIPAA compliant, managed cloud solutions, enabling healthcare providers to secure their sensitive, protected health information from data breaches and security vulnerabilities. For more information on HIPAA Managed Hosting and Cloud Solutions contact HIPAA Vault today!


Written by Gil Vidals

Founder, CEO HIPAA Vault — HIPAA Cloud Solutions http://bit.ly/hipaavault1