Does my online form have to be HIPAA Compliant if it doesn’t ask for medical information?
For folks in the medical field, there is often a lot of uncertainty regarding which kinds of web forms need HIPAA compliance and which ones do not. We often have customers asking if this or that form really needs to be secure or not.
The short answer is that you should probably just make ALL of your forms secure, just as it is best to make all pages of your web site secure, no matter what is on the page. This instills more trust in your web visitors and, as a result, brings in more business. It doesn’t take much work to secure your forms, so you might as well just do it for all of them in a clear and consistent way. Your users’ data will be protected, and they will know that you are looking to make the best choices for them, even in cases where it might not strictly be necessary. This is a good thing.
Back to the original question….
If you are a medical office, do some forms not need to be secure and HIPAA compliant, depending on what is collected?
Note: the following is suggested advice from LuxSci based on our understanding of HIPAA; however, this should not be taken as legal advice. We advise you to consult your lawyer for accurate legal advice pertaining to your particular situation.
HIPAA requires that all electronic Protected Health Information (ePHI) be secured to protect the privacy of the individuals identified in the ePHI. So, as long as either (a) HIPAA does not apply to you, or (b) your form does not collect ePHI, then you do not have to secure the web form.
Let’s look at each of the two criteria so that you can tell if either one may apply to you or your form.
1. Does HIPAA Apply to You?
HIPAA applies to you with respect to your web form if you are a “HIPAA Covered Entity” or if you are collecting data for someone that is a HIPAA Covered Entity (making you a “HIPAA Business Associate” of theirs).
You are a HIPAA Covered Entity:
- Care: You provide services or supplies related to the physical or mental health care of an individual. This includes: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
- Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
- Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
- Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many types of organizations and government programs as health plans.
You are a HIPAA Business Associate if someone who is a HIPAA Covered Entity has contracted you to collect data for them through the form. (You also have to sign a Business Associate Agreement and abide by many other restrictions if you are a Business Associate.) A good example of a Business Associate in this case would be a web design company that handles the web sites and forms for its customers … some of whom are “HIPAA Covered Entities”. The web design company, if it is collecting ePHI through the web site for these customers, must then be a Business Associate of that customer and do things in a secure way to meet HIPAA’s demands … or else their customer is out of compliance … a bad state of affairs.
2. Does the form collect ePHI?
Ok – so let’s say that HIPAA does apply to you and you still want to know if a particular web form needs to be compliant. This is determined by whether the form collects ePHI or not.
What is ePHI?
ePHI is a two-part definition: “individually identifiable” … “protected health information” that is sent or stored electronically.
“Protected health information” can be information about any one of:
- An individual’s past, present, or future physical or mental health or condition
- The past, present, or future provisioning of health care to an individual
- The past, present, or future payment-related information for the provisioning of health care to an individual
“Individually identifiable” information includes any and all information that can be used to determine which specific individual is involved. There are 18 types of identifiers for an individual (listed below). Any of these, together with any type of “protected health information” (e.g. an appointment with a particular doctor), constitutes ePHI.
- Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
So, it is pretty easy for a web form to be collecting ePHI!
Here are some examples of web forms that would likely be collecting ePHI:
- Appointment Requests and Referral Requests: These will collect identifiable information about the person requesting the appointment, and the request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, by context, requesting an appointment by itself may also imply information about “an individual’s past, present, or future physical or mental health or condition”.
- Patient Intake Forms: These forms usually allow the prospective patient to provide information about themselves for one purpose or another. This is both identifiable and information about “an individual’s past, present, or future physical or mental health or condition”.
Some examples that might not be considered the collection of ePHI (depending on the exact context of the site), because while they are individually identifiable, they do not include or imply health information for that individual, include:
- Contact Requests: Where the web site visitor is merely asking for a call or email with no reason specified.
- Requests for Information: Where the web site visitor requests a white paper, a pamphlet, or other information
- Purchases of products that do not require a prescription: Purchasing a product does not in and of itself imply who is to use it… unless that use of that product is restricted (e.g. via a prescription). Of course, this may also depend on if you try to collect health information as part of the purchase, e.g. for future marketing or upsell.
Getting the picture — anything that identifies the person in any way and relates in any way to that person’s health or healthcare should be considered ePHI and protected. In other cases, you could get away with not being secure. But — why would you? People are afraid and paranoid about identity theft and information leakage on all sites … not just ones related to medical information. Anything that a website can do to make its visitors more comfortable and “secure” will improve trust and sales conversions.
What About Consent for Insecure Transmission?
As a follow-up question, we are often asked if there can be a checkbox on the form where patients can click to consent to the use of an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form at all. That is, you are forcing them to either “go away” or “submit with consent” to insecurity.
This is highly advised against and is almost certainly not HIPAA compliant in any circumstance. This is also a case where if you were going to do it anyway, you should really consult your lawyer to make sure it’s OK in your case.
To see why this is a bad idea, let’s consider “Mutual Consent” … e.g. a case where you can send insecure email messages to patients.
Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:
- You and the patient agree that insecure transmission is OK,
- The patient has been properly advised of the security risks involved,
- The patient agrees in writing that insecure transmission is OK, and
- The option for HIPAA-compliant transmission is available, by implication.
By far the simplest thing to do is to simply have secure transmission and be done with it — no need to consent to insecure delivery … it doesn’t make things any easier for the person filling out the form if the form is insecure.
The only case where this could possibly be considered under the HIPAA radar (again … please consult your lawyer) is if:
- Your insecure form has a clear section where it advises the users of the risks of submitting their data via this form
- That warning is understandable to most lay people without further explanation
- They have to check a box (or maybe sign their name) to consent to submission of that form
- You may need to be able to show that they understood and agreed to the risks, and didn’t just click without reading.
- When you collect the form data, you save and archive all of these consent agreements in case there is a breach and you need to prove that insecure sending was OK’ed and the user was well informed of the risks.
- You have another option available to the user in case s/he does not accept the risks … e.g. submitting the form securely, calling you via a phone number, printing and mailing in a physical form, etc.
Essentially, you are placing a significant burden on the end user by adding warnings and consent to your form. This will turn most folks off. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warning, just simple secure submission.