
Your Guide to a HIPAA-Compliant Website

The digitally savvy Internet user knows to check and see whether a website is secure before passing along any personal information like credit card numbers. TLS (SSL) certificates and encryption help keep hackers at bay by adding an extra layer of security to the typical website, preventing prying eyes from seeing information transmitted to and from the website. The need for website security also applies to HIPAA compliance when it comes to healthcare websites. Many doctors’ offices and healthcare companies want to keep up with the digital trend—and for good reason. Having a place online where individuals can apply for prescriptions, schedule appointments, and even get consultations is invaluable for both the patient and doctor. It saves everyone time, and it’s easier and more convenient than making a trip to the doctor’s office. But if there’s a breach of HIPAA regulations, even an unexpected or unintentional one, the cost and penalties can add up fast.

Whether you’re building a new website for your healthcare company or seeking to make an existing site fully compliant with HIPAA standards, there are plenty of straightforward ways to ensure you have your bases covered. Here’s a quick overview of what makes a website HIPAA-compliant today, what to watch out for, and what best practices to maintain.

HIPAA-Compliant Website Requirements

For something like a basic e-commerce website, the threshold for considering a site “secure” is pretty low: most simply add a TLS (SSL) certificate to protect the transmission of data and call it a day. This level of security nonchalance is a big reason why there are legal frameworks such as PCI (for collecting credit card-related information) and HIPAA (for healthcare) that really spell out what you need to protect and secure.

For a healthcare website, a simple padlock icon won’t cut it. The site needs proper encryption methods, access controls, and logging, as well as ongoing checks to ensure that everything is running in compliance with HIPAA.

These seven tenets keep Electronic Protected Health Information (ePHI) safe:

  • Transport Encryption: Encrypted during transmission over the Internet
  • Backup: Backed up in a way that it’s available for recovery
  • Authorization: Only accessible by authorized personnel using unique, audited access controls
  • Integrity: Not tampered with or altered
  • Storage Encryption: Encrypted when it’s stored or archived
  • Disposal: Permanently disposed of when it’s no longer needed
  • Omnibus/HITECH: Located on the web servers of a company you have a HIPAA Business Associate Agreement with (or hosted in-house with those properly secured servers according to the HIPAA security rule requirements).

(Note that we are not discussing non-technical HIPAA requirements such as employee training and having a physically well-secured location for your servers.)

It’s safe to say that any out-of-the-box website that you can build using a third-party provider probably isn’t HIPAA-compliant. Instead, you need to pay strict attention to:

  • Transmission: ensuring that information stays encrypted and unaltered as it flows across the Internet
  • Access: only allowing authorized personnel
  • Logging: ensuring you record who has accessed ePHI, when and from where
  • Storage: keeping sensitive data encrypted at rest if needed to ensure its privacy
  • Infrastructure: both making sure you have recoverable, encrypted backups, and that the servers running your website, holding your database, and performing these backups all have HIPAA-level security

There are a lot of steps to undertake compared to the basic drag-and-drop website you can get for free, but handling the security process yourself, or via a third-party expert, is the only way to ensure that all the information follows HIPAA regulations.

Things to Watch Out For

As mentioned above, the two biggest concerns with healthcare websites are the storage of the data (where it’s located, how secure it is) and the transmission of the data (if it’s encrypted properly and/or if it’s available to third parties). Even if the website, and by extension the healthcare information, exists on what seems a secure domain (secured using a website link that starts with “https”), if you don’t know exactly where the data may end up being stored, then you could be leaving your company open to a HIPAA breach.

One big problem is the use of a shared web server to host a healthcare website. It may be a cheaper option than purchasing a dedicated server, but a shared one can lead to a whole mess of problems, with potential legal ramifications. The problem with a shared server, as opposed to a dedicated one, is that you don’t know who else with access to that server might gain access to your protected information, which could mean that the stored healthcare information has an unintended audience. All it takes is one break in security for files to become exposed, and that could be a problem with the server itself, an insecurity with your own site’s architecture or software, or an intrusion into the accounts of an unrelated company also using your server.

Speaking of storage, having a site on a shared web server could mean that protected information exists in files, which are incredibly easy to expose. Even if stored in a database, there’s still the potential for a hacker to gain access, especially if you also saved the username and password on the shared server, available to individuals with unauthorized access to your files.

Web forms are another area of concern. It’s common to use forms on a healthcare website to receive information from patients, e.g., signups, digital prescriptions, making appointments, and so on. But where does that information go when the patients click Send on the form? Can you guarantee that the contents of the form aren’t visible in transit to a third party? Even if the form’s contents travel via email, that raises even more concerns about ePHI transmission. You need a solution that encrypts the form’s data, sends it securely, and allows it to be decrypted only by authorized email servers.

Finally, take care when selecting developers who create and implement your website for you. Developers who are not well versed in web security and who are unaware of the nuances of HIPAA requirements will almost certainly miss many things and leave you with a non-compliant time bomb of a site. Some examples of HIPAA requirements commonly neglected by developers include:

  • Not creating audit trails of logins and access to PHI and having those audit trails kept and archived for up to 10 years
  • Not providing a means for emergency access to PHI
  • Not ensuring that each individual uses a unique login to access the system
  • Not providing adequate protection for data in storage
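
As an added example (not code from this article or from LuxSci), here is a minimal tamper-evident ePHI access log in Python that ties together the logging requirement above (who accessed ePHI, when and from where) with the audit-trail and unique-login items in this list: every entry is hash-chained to the previous one, so a retroactive edit or deletion is detectable on verification. The user names, patient IDs and IP addresses are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example: a tamper-evident audit trail for ePHI access. Each entry
# records who accessed which patient record, when, from where and what they did,
# and carries a SHA-256 hash chained to the previous entry, so editing or
# removing an earlier entry breaks every later hash.
GENESIS = "0" * 64  # "previous hash" used for the very first entry


def _entry_hash(prev_hash, body):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = prev_hash + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_access(trail, user_id, patient_id, action, source_ip, when=None):
    """Append one ePHI access event; user_id must be the person's unique login."""
    if not user_id or user_id.lower() in ("admin", "shared", "root"):
        raise ValueError("shared or generic accounts make the access unattributable")
    body = {
        "seq": len(trail),
        "time": when or datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "patient_id": patient_id,
        "action": action,  # e.g. "view", "update", "export"
        "source_ip": source_ip,
    }
    prev = trail[-1]["hash"] if trail else GENESIS
    entry = dict(body, hash=_entry_hash(prev, body))
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Recompute the chain; return (ok, index of the first bad entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or _entry_hash(prev, body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def demo():
    """Build a two-entry trail, then edit it retroactively to show detection."""
    trail = []
    append_access(trail, "dr.smith", "P-1001", "view", "203.0.113.7", "2024-01-05T09:12:00+00:00")
    append_access(trail, "nurse.lee", "P-1001", "update", "203.0.113.9", "2024-01-05T09:15:30+00:00")
    clean_ok, _ = verify_trail(trail)
    trail[0]["user_id"] = "someone.else"  # rewrite who accessed the record
    return clean_ok, verify_trail(trail)
```

In a real deployment the trail would be written to append-only storage owned by someone other than the application, and the chain head would be periodically copied off-box, since the chain only proves consistency with the last hash you trust.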

Best Practices

In order to make sure you’re using forms that are HIPAA-compliant, LuxSci offers a service called SecureForm that provides TLS for secure transactions, automatic formatting and encryption of the submitted data, delivery of that data to you via email or many other storage or transmission modes, and secure web-browser-based form data access. It’s a good solution if you want to continue to host form-based healthcare communications on your website without having to devote a lot of time and resources to ensuring these items are HIPAA-compliant.

As for where to host your website, or where to move your current website, the best solution is to purchase a dedicated server from a vendor that offers HIPAA-compliant dedicated servers. It’s not as expensive as you might think, and it pays off to avoid legal ramifications for breaching HIPAA. Having a dedicated server is the best way to ensure you’re covered in terms of security.

If you can’t afford a dedicated server and you must use a shared one, check out our blog post focusing on best practices for HIPAA-compliant websites. We provide a list of steps you should take in order to keep your data as secure and encrypted as you possibly can on a shared server, including how to lock down any and all ePHI and set passwords and cookies, wherever possible. However, avoid shared HIPAA-compliant hosting if at all possible.

Keeping It Secure

Having a website is a huge bonus for both healthcare workers and patients, but this convenient technology can quickly go south if the security isn’t up to HIPAA standards. The best solution is to make sure your website’s hosting, storage, and data transmission are all encrypted and protected. Then, audit your site as part of your yearly HIPAA risk analysis. If that’s too big a task, call in third-party experts like LuxSci. There shouldn’t be any shortcuts when it comes to keeping healthcare information secure.
