The Coffey Blog
HIPAA-compliant websites: What you need to know
The Coffey Team
If you've ever been tasked with managing a healthcare website, you know that security plays a crucial role in the lasting credibility of your site. But it's important to remember that your site's security measures shouldn't only protect your organization's best interests, they should also protect your patients.
In order to do that, your site needs to meet Health Insurance Portability and Accountability Act (HIPAA) requirements, especially those laid out in the HIPAA Security Rule.
What is the HIPAA Security Rule?
The HIPAA Security Rule enforces special requirements for collecting electronic protected health information (ePHI) from website visitors.
The Security Rule pertains to the implementation of specific security-related standards. These specifications are listed either as "required" or "addressable."
Addressable specifications should be implemented when "reasonable" and "appropriate." Some of the security measures mentioned in this blog post are addressable per the rule. It may be tempting to consider them optional. In our view, they're reasonable steps to take, and we consider them best practices.
The Security Rule is much too detailed to discuss in its entirety in a single blog post, but it is important that you are aware of the possibility of ePHI on your website and familiar with your responsibilities for safeguarding it.
How does ePHI end up on my website?
Modern healthcare websites are built to engage. You work hard to keep your readers on your site, and you give them opportunities to take next steps after their visit. Chances are some of the tools you use to connect with your readers give those readers an opportunity to share information that could be considered ePHI.
For example, if you use forms on your website, you might:
- Ask readers to register for a class or event that ties that reader to a specific medical condition (such as "Living with Diabetes").
- Provide a "Contact Us" form your readers can use to ask for more information—and some might use that opportunity to share details about a medical condition or a diagnosis.
- Suggest that visitors give feedback about recent visits.
- Require visitors to complete preregistration documents with forms.
Some of this work might take place outside of a secure patient portal.
As long as you have areas on your website that could possibly accept this kind of data, you must be sure your website is HIPAA-compliant. These are a few things we think about when we talk about HIPAA with our healthcare clients and their compliance officers.
Make your website HIPAA-compliant
The HIPAA Security Rule requires, in part, that you ensure the confidentiality and integrity of ePHI, and that you implement appropriate safeguards to protect ePHI. One important way you can protect your data is through encryption.
You can do that by ensuring that the file system on your web server is encrypted at rest. That means that if a drive is removed (if it's stolen, for example), the data on that drive is fully encrypted. You can also ensure that any databases you use to store data for your website are encrypted at rest.
And you can ensure that traffic between your visitors' browsers and your web server is encrypted in transit, so the data stays safe as it moves from one location to another.
In the industry we call this "SSL" (Secure Sockets Layer), although the protocol in use today is its successor, TLS (Transport Layer Security), and there are many things to consider when you set it up. For example, you should use strong encryption with a high bit-length key and disable deprecated protocol versions such as TLS 1.0 (and TLS 1.1 very soon). You also have to consider the various types of certificates available, including SAN (Subject Alternative Name) and wildcard certificates.
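As an added illustration (not part of the original post or any Coffey client configuration), here is how those TLS choices look in an nginx server block, with a permissive configuration beside a hardened one. The hostname, certificate paths and cipher list are assumptions chosen for the example.

```nginx
# Added example, not from the original post. Hostname and paths are placeholders.

# --- Permissive configuration: still accepts deprecated protocol versions ---
server {
    listen 443 ssl;
    server_name forms.example-clinic.test;
    ssl_certificate     /etc/ssl/certs/forms.crt;
    ssl_certificate_key /etc/ssl/private/forms.key;
    # TLS 1.0 and 1.1 are deprecated; leaving them enabled lets an old client
    # negotiate a weak session carrying form data (possible ePHI).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}

# --- Hardened configuration: TLS 1.2/1.3 only, AEAD ciphers, no plain HTTP ---
server {
    # Send any plain-HTTP request to HTTPS so form posts never travel unencrypted.
    listen 80;
    server_name forms.example-clinic.test;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name forms.example-clinic.test;
    # Issue the certificate with a 2048-bit RSA (or P-256 ECDSA) key or stronger;
    # a SAN certificate can list several hostnames in this one file.
    ssl_certificate     /etc/ssl/certs/forms.crt;
    ssl_certificate_key /etc/ssl/private/forms.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret (ECDHE) suites with authenticated encryption only.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Tell returning browsers to use HTTPS for the next two years.
    add_header Strict-Transport-Security "max-age=63072000" always;
}
```

After deploying, a handshake forced to an old version (for example `openssl s_client -connect forms.example-clinic.test:443 -tls1`) should fail, while a default connection should report TLSv1.2 or TLSv1.3.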
These terms are (clearly) technical, and they can be confusing for people who don't spend all day in information technology. As your project moves forward, you'll need to stay in close contact with your IT department and your compliance officer, to make sure you've covered everything properly.
The HIPAA Security Rule also calls for a variety of other safeguards. One such recommendation is for automatic timeouts on logins that have access to ePHI—so unauthorized users can't access sensitive data if you step away from your computer. That's another set of details your IT department can implement.
Get answers to your website questions
If you think all of this sounds very technical and confusing, you're not wrong. But there are things you can do to make compliance easier. For example, it pays to work with a development team that is conversant in HIPAA, so you won't have to explain your needs to keep information secure.
Coffey's website design and development team works exclusively in healthcare, so we are well-versed in all things HIPAA. Email or call us at 888.805.9101 and we'll be happy to discuss your website's needs.
And for a helpful primer on the Security Rule, check out this document from the U.S. Department of Health and Human Services.