Does Your Medical Practice or Healthcare Organization Require HIPAA Compliant Web Hosting?

The benefits of a website to a healthcare organization are numerous. A website can allow patients to schedule appointments, access test results, chat with a provider, fill out forms, and more. These services can be extremely convenient and efficient for both the patient and the healthcare provider. However, because a patient's personal medical information is gathered, transmitted, and stored by these services, the website and its hosting must be HIPAA compliant to protect that information.

The acronym HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The act was created to prevent healthcare fraud and abuse, set administrative standards, and reform medical liability. HIPAA sets rules for the privacy and security of an individual's Protected Health Information (PHI) and electronic Protected Health Information (ePHI). PHI is any information, medical or personal, that can be used to identify a patient, such as name, telephone number, payment information, or test results. HIPAA rules and regulations apply to Covered Entities (anyone who provides treatment, processes payment, or runs operations in healthcare, such as hospitals, insurance companies, and medical services facilities) and to Business Associates (anyone who has access to patient information while providing support to a Covered Entity). Business Associates can include website hosting companies, medical billing agencies, document shredding companies, and medical transcription companies. The law does not prescribe the specific methods or technologies by which Covered Entities and Business Associates must meet the privacy and security rules; it sets the standards and leaves the choice of safeguards to each organization, which must document the safeguards it has chosen. The Department of Health and Human Services (HHS) Office for Civil Rights enforces HIPAA through audits and investigations into the policies and procedures of Covered Entities and Business Associates. Any organization found to be in violation of HIPAA rules and regulations can be fined.

In general, website hosting is a service that makes a website accessible via the World Wide Web; however, "hosting" means different things to different people in the web development and IT industry: domain name registration, DNS hosting, website hosting, email hosting, and backup hosting are all different forms of hosting. Jon Weindruch, President of Websults, discusses the different forms of hosting here. Depending on your needs, several of these forms of hosting may need to be HIPAA compliant, because PHI can pass through each of them (for example, an email host that receives form notifications, or a backup host that stores copies of your database). It is recommended to talk with an experienced web development agency, like Websults, to ensure you are compliant across all the forms of hosting you use.

If your organization gathers, transmits, or stores an individual's PHI via your website, you need to ensure that information is adequately protected according to HIPAA standards. HIPAA requires that data collected by a website remain private and secure throughout its collection, transmission, use, and storage. In other words, the data must be protected both "in motion" and "at rest". A breach of PHI through your website can mean costly fines for your organization. Below are some steps you can take to help ensure that your website and its hosting are HIPAA compliant.

Steps to Ensure Your Website/Website Hosting is HIPAA Compliant

  1. Make sure TLS (still commonly called an "SSL certificate") is enabled on your website and that every page is served over HTTPS – the certificate identifies your server to the visitor's browser, and TLS encrypts everything sent between the browser and the server, so information submitted through a form cannot be read in transit. Redirect all plain HTTP requests to HTTPS; a certificate that is installed but not enforced leaves the unencrypted version of your site reachable.
  2. Use a VPN – a VPN is a Virtual Private Network, a connection method that conceals your real IP address and encrypts data transferred over a network. For a website this mainly applies to staff and administrators: server administration, database access, and hosting control panels should be reachable only over the VPN rather than exposed directly to the internet.
  3. Make sure PHI is stored on a secure, encrypted server – encryption of data at rest (disk or database encryption) protects PHI if a server, disk, or backup copy is lost or stolen, and access to that data should be limited to the accounts that need it and logged.
  4. Make sure you are using an encrypted email server – email is only protected when it is encrypted in transit and at rest at both the sending and receiving end, so treat email as an untrusted channel and avoid putting PHI in it where possible.
  5. Make sure to use firewalls and antivirus software – a firewall limits which network connections can reach the server (for example, only HTTPS from the public internet and administrative access only from the VPN), and antivirus software detects malicious software on the server and on staff workstations, covering both outside and inside threats.
  6. Make sure to use secure web-forms on your website – form submissions must be transmitted and stored encrypted, and the email notifications from your web-forms provider must not contain PHI; a notification should carry only a reference, such as a submission number, that staff use to retrieve the submission from the secure system.
  7. Make sure data is routinely backed up offsite – meaning routinely copying data to storage separate from the web server, whether an offsite server or removable media such as a disk, USB drive, or external hard drive. Backup copies contain the same PHI as the live system, so they must be encrypted, held somewhere covered by a BAA, and periodically tested by restoring them.
  8. Make sure to sign a Business Associate Agreement (BAA) with your web hosting company – a BAA is a contract between a Covered Entity, the organization that works with the patient and gathers the PHI, and the business partners that have access to that information for one purpose or another. The contract requires the Business Associate to follow HIPAA standards to keep PHI private and secure. A hosting provider that will not sign a BAA should not hold PHI. More information about what a BAA should include, and a sample agreement, can be found here.
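As an added example (this is not configuration from the original article or from Websults), the two nginx configurations below show the difference between a site that merely has a certificate installed and one that actually enforces steps 1 and 6 above. The hostname clinic.example, the certificate paths, the /intake form path, and the form application listening on 127.0.0.1:8000 are all placeholders. The first configuration is the weak one: the certificate is installed, but the patient form is still reachable over plain HTTP. The second redirects every HTTP request to HTTPS, restricts the server to TLS 1.2 and 1.3, sends an HSTS header so browsers refuse to load the site unencrypted afterward, and accepts form submissions only as POST requests so that PHI never ends up in a URL (and therefore in access logs).

```nginx
# WEAK: a certificate is installed, but the intake form is still served over port 80.
# Anything a patient types into /intake over HTTP crosses the network unencrypted.
server {
    listen 80;
    server_name clinic.example;                       # placeholder hostname
    root /var/www/clinic;
    location /intake/ { }                             # form reachable without TLS
}
server {
    listen 443 ssl;
    server_name clinic.example;
    ssl_certificate     /etc/ssl/certs/clinic.example.pem;     # placeholder path
    ssl_certificate_key /etc/ssl/private/clinic.example.key;   # placeholder path
    root /var/www/clinic;
}

# HARDENED: port 80 only redirects; all content, including the form, is HTTPS-only.
server {
    listen 80;
    listen [::]:80;
    server_name clinic.example;
    return 301 https://$host$request_uri;             # never serve content over HTTP
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name clinic.example;
    ssl_certificate     /etc/ssl/certs/clinic.example.pem;
    ssl_certificate_key /etc/ssl/private/clinic.example.key;
    ssl_protocols TLSv1.2 TLSv1.3;                    # no SSLv3 or TLS 1.0/1.1
    ssl_session_tickets off;

    # HSTS: browsers remember for one year to use HTTPS only for this host
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/clinic;

    # The form page itself is static and may be fetched with GET.
    location = /intake/ { }

    # Step 6: submissions go only to the application over loopback, and only as POST,
    # so PHI is never carried in a query string that would be written to the access log.
    location = /intake/submit {
        limit_except POST { deny all; }
        proxy_pass http://127.0.0.1:8000;             # placeholder: form app bound to localhost
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        client_max_body_size 2m;
    }
}
```

Check the result with `nginx -t` before reloading, then confirm with `curl -I http://clinic.example/intake/` that the answer is a 301 to the https:// URL, and that the HTTPS response carries the Strict-Transport-Security header. Only enable includeSubDomains once every subdomain of the site is also served over HTTPS, because browsers cache the policy for the full max-age.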

Websults Web Development and Digital Marketing Firm

Websults is an experienced (over 12 years) web development and digital marketing firm that serves a variety of clients from all over the world. Websults is a 5-star Google rated agency that seeks to provide clients with the services they need to have a competitive advantage in their industry. Websults has several web hosting options available to help ensure that your organization is meeting HIPAA standards; contact Websults to discuss your hosting needs.
