What Makes a Web Site HIPAA-Secure?
Doctors and medical professionals are feeling a growing pressure to get their business online (i.e. even use of electronic prescriptions is being pushed). This includes making available protected health information to patients via a web site and collecting similar private information from patients or would-be patients. If doctors can show that they are using digital systems with their health care practices in a meaningful way by 2011, they may be eligible for some serious money (part of the proposed stimulus package — the Health Information Technology for Economic and Clinical Health Act (HITECH)).
However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document. So, what do these requirements mean and how can HIPAA be followed in the context of a website?
What are the HIPAA requirements for a web site?
HIPAA is an unusual law in that it makes a lot of recommendations (addressable items) and a few assertions (required items) and in the end, it is up to each organization to determine what they need to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected health information:
- Is always encrypted as it is transmitted over the Internet
- Is not lost, i.e. should be backed up and can be recovered
- Is only accessible by authorized personnel
- Is not tampered with or altered
- Should be encrypted if it is being stored or archived
- Can be permanently disposed of when no longer needed
How does a “basic” web site stack up to these requirements?
- Fail. Data is not encrypted during transmission
- Maybe. Most web hosts will backup and restore your data for you. However, this assumes that the data collected is in a location backed up by the host. If you have information emailed to you, you must be sure that your email record is complete and the backups are good.
- Maybe. Depends on your implementation.
- Fail. No way to be sure that data is not tampered with or to tell if it has been.
- Fail. Data is never encrypted
- Maybe. Depends on your implementation. However, some web hosts and IT departments keep data backups indefinitely — and that is not “disposal”.
Overall grade — failing. If you have a basic web site that has never explicitly been updated for HIPAA and which has anything to do with protected patient data, you can be pretty sure that it is not compliant and needs attention. If you plan on expanding your site to include protected patient data, be sure that whoever does it for you is familiar with the requirements that you need to meet.
So, what can be done to guarantee compliance?
Obviously there are a large number of steps that can be taken to turn your basic web site into a HIPAA-compliant one. What works for you will depend upon exactly what you are trying to accomplish with your site and in what way protected health information is present and transmitted. Below, we discuss some of the common cases that we see all of the time.
- Is always encrypted as it is transmitted over the Internet.The first step is to ensure that you have a secure web site (i.e. one protected by SSL and which is accessed via https://…). Any page that collects or displays protected health information must be protected by SSL and must not be accessible insecurely (i.e. there should not be an alternate insecure version of the same page that people can access). Use of SSL meets HIPAA’s data transmission security requirement in terms of communications between the end user and your web site. Next, what if the end user submits protected data that is collected on your web site and then your web site transmits that elsewhere, or stores it? This process must also be HIPAA compliant. We will discuss this below, as it is one of the hardest things to do and still be compliant.
- Is not lost, i.e. is backed up and can be recovered. You must be sure that all protected information stored with your web site or collected from your web site is backed up and can be recovered in case of an emergency or accidental deletion. Most web hosts provide this service for information stored on their servers. If your site sends information elsewhere (for example, to you via email), then those messages must also be backed up and you must take care that those backups are robust and available and accessible only by authorized people.
- Is only accessible by authorized personnel. Who can access the protected health information that resides on your web site or which is collected there? Your web hosting provider probably can. Are they a trusted HIPAA Business Associate with a privacy agreement? If the site collects health information and sends it to you or others, it is important to know who can access those messages. Anyone with access to your email or the messaging system? Are they all trusted and “in the loop”?
- Is not tampered with or altered. Unless the information that you collect and store is encrypted and/or digitally signed, there is no way to prevent it from being tampered with or to verify if tampering has happened. It is up to your organization to determine if tamper-proofing your data is needed.
- Is encrypted if it is being stored. It is up to your organization to determine if this is needed. If storage is necessary then you need to know that all collected and stored protected health information is encrypted and that it can only be accessed by people with the appropriate keys. I.e., this makes backups secure, protects data from access by unauthorized people, and generally protects the data no matter what happens (unless your special keys are stolen).
- Can be permanently disposed of when needed This sounds easy, but you have to consider all of the places where the data could be backed up. You need to ensure that all of those backups will expire and disappear. Consider that every location that the information touches could be making backups and be saving copies of your data … indefinitely. It certainly helps if the data is encrypted in the backup … but if the backup is there and the keys to open the data exist, then it is not “disposed of”. It is up to you to determine how far you need to go to ensure disposal in order to be HIPAA compliant.
So, there are many things to do and a lot is all “up to you”. Of course, just because you are on the “honor system” doesn’t mean that you can make whatever choice you feel like. If you make a poor choice and something bad happens or if you are audited, you may be found negligent. You really have to carefully consider what is necessary and appropriate to suitably protect health information and the privacy of your users, based on your web site application and how the patient data is used and transmitted.
Collecting health information from people
One of the first things that doctors and medical practices like to do when they expand online is to collect patient information on their web site so that they can:
- Sign up new patients
- Schedule appointments
- Make diagnoses and recommendations about medical situations
- Get into digital prescriptions
Securing the transmission of the information from the patient to the web site is pretty easy (it’s #1 — use web site secured with SSL). However, what do you do with that information? Common solutions include:
- Store it in files on the web server to download later
- Store it in a database for download or remote access
- Email it to someone
The third option, email it to someone, is the most popular choice because it is the easiest and requires the least additional software or infrastructure. It also opens a whole can of worms in terms of “how do you make the email component meet HIPAA?”
1. Storing the data in files requires that
- The web site encrypt the files
- Someone downloads the files over a secure channel (i.e. Secure FTP)
- The web site owner gets notified via an email that a new file is waiting
- Backup and disposal are taken care of
2. Storing the data a database allows you to write software for remote access and management of that information, however
- Transmission to and from the database needs to be secure
- The software that provides management access must be secure and meet all sorts of HIPAA requirements in terms of access control and auditing
- Issues regarding encryption keys and their secure storage must be addressed
So, option 1 is easy, but requires a bit more technical knowledge on the part of the users and puts the onus of backup and disposal on them. Option 2 is better and allows more usability and control and a centralization of the data into one place. However, Option 2 requires a lot of cost and effort to implement properly. Option 3 is easy, but how do you make the email HIPAA compliant?
Securing data emailed from your web site forms
The ideal procedure for securing your emailed data is basically as follows:
- Your secure web site encrypts the submitted data (using PGP or S/MIME) such that only one or a few of your employees can open it.
- This data is emailed to those recipients and “forgotten” by the web site (or an encrypted copy is stored on the site if you prefer).
- The recipients receive the data and it is stored on their email server (still encrypted).
- The recipients can access these messages securely (over SSL) and decrypt the data either in their email program or on a Web-based interface that supports decryption.
- The email provider takes care of backups.
- Deleted messages will expire from backups after a while (get a signed statement saying this from them, if you like).
- Keep copies of all of the encrypted messages on the server instead of downloading them all, so that you are responsible for backups and so that they are all stored in a central location.
LuxSci specializes in Security and makes HIPAA compliance very easy
- We can get and install SSL for your web site so that transmissions are secured.
- We can integrate your web forms with special scripts that will encrypt your submitted form data (using PGP or S/MIME) and email it to you.
- We provide daily and weekly backups of your email data that permanently expire after 1 month.
- We can optionally provide immutable archives of all of your inbound and outbound email so that none of it can get lost or deleted or edited and so that you have a secure backup available for 1, 3, 5, or even 7 years.
- Our web browser-based email access allows you to decrypt and view all of your secure messages, over a secure channel, from anywhere.
- Use any of your favorite email clients, like Thunderbird, Outlook, or Eudora, to securely access, unlock, and read the secure email messages over IMAP (or POP).
- Users can HIPAA-securely reply, via our WebMail interface (or even from their email programs) back to the web site user … so that the web site user can get a secure message via our SecureLine Escrow service. The web site users can even reply back to the medical worker securely!
- You can have back-and forth conversations, initiated from your web site, that are fully HIPAA compliant.
So how do I become HIPAA compliant with LuxSci?
Use our specialized SecureForm Service
- HIPAA 2010: HITECH Impact on Email and Web Outsourcing
- A Technical Discussion of Secure Web Forms to Encrypted Email
- HIPAA Email Security Management in Email Communications
- Medical Privacy: Addendum to LuxSci’s Master Services Agreement
- Receive Secure Web Form Submissions in a Secure Email
- Receive Secure Web Form Submissions in a Secure Email
- HIPAA-Compliant Web Sites: Requirements and Best Practices
- Is a FAX document HIPAA-Secure?
- Recipe: Completely Secure Collection of Web Form Data using SSL and PGP or S/MIME
- HIPAA Compliance Seal for your Web Site or Email