Your Guide to a HIPAA-Compliant Website
The digitally savvy Internet user knows to check and see whether a website is secure before passing along any personal information like credit card numbers. TLS (SSL) certificates and encryption help keep hackers at bay by adding an extra layer of security to the typical website, preventing prying eyes from seeing information transmitted to and from the website. The need for website security also applies to HIPAA compliance when it comes to healthcare websites. Many doctors’ offices and healthcare companies want to keep up with the digital trend—and for good reason. Having a place online where individuals can apply for prescriptions, schedule appointments, and even get consultations is invaluable for both the patient and doctor. It saves everyone time, and it’s easier and more convenient than making a trip to the doctor’s office. But if there’s a breach of HIPAA regulations, even an unexpected or unintentional one, the cost and penalties can add up fast.
Whether you’re building a new website for your healthcare company or seeking to make an existing site fully compliant with HIPAA standards, there are plenty of straightforward ways to ensure you have your bases covered. Here’s a quick overview of what makes a website HIPAA-compliant today, what to watch out for, and what best practices to maintain.
HIPAA-Compliant Website Requirements
For something like a basic e-commerce website, the threshold for when sites consider themselves as “secure” is pretty low, most simply add a TLS (SSL) certificate to protect the transmission of data and call it a day. This level of security nonchalance is a big reason why there are legal frameworks such as PCI (for collecting credit card-related information) and HIPAA (for healthcare) that really spell out what you need to protect and secure.
For a healthcare website, a simple padlock icon won’t cut it. The site needs to have proper encryption methods, access controls, and logging, as well as constant, necessary checks to ensure that everything is running in compliance with HIPAA.
These seven tenets keep Electronic Protected Health Information (ePHI) safe:
- Transport Encryption: Encrypted during transmission over the Internet
- Backup: Backed up in a way that it’s available for recovery
- Authorization: Only accessible by authorized personnel using unique, audited access controls
- Integrity: Not tampered with or altered
- Storage Encryption: Encrypted when it’s stored or archived
- Disposal: Permanently disposed of when it’s no longer needed
- Omnibus/HITECH: Located on the web servers of a company you have a HIPAA Business Associate Agreement with (or hosted in-house with those properly secured servers according to the HIPAA security rule requirements).
(Note that we are not discussing non-technical HIPAA requirements such as employee training and having a physically well-secured location for your servers.)
It’s safe to say that any out-of-the-box website that you can build using a third-party provider probably isn’t HIPAA-compliant. Instead, you need to pay strict attention to transmission, ensuring that information stays encrypted and unaltered as it flows across the Internet; access, only allowing authorized personnel; logging, ensuring you record who has accessed ePHI, when and from where; storage, keeping sensitive data encrypted at rest if needed to ensure its privacy; and infrastructure, both making sure you have recoverable, encrypted backups, and that the servers running your website, holding your database, and performing these backups all have HIPAA-level security. There are a lot of steps to undertake as compared to the basic drag-and-drop website you can get for free, but handling the security process yourself, or via a third-party expert, is the only way to ensure that all the information follows HIPAA regulations.
Things to Watch Out For
As mentioned above, the two biggest concerns with healthcare websites are the storage of the data (where it’s located, how secure it is) and the transmission of the data (if it’s encrypted properly and/or if it’s available to third parties). Even if the website, and by extension the healthcare information, exists on what seems a secure domain (secured using a website link that starts with “https”), if you don’t know exactly where the data may end up being stored, then you could be leaving your company open to a HIPAA breach.
One big problem is the use of a shared web server to host a healthcare website. It may be a cheaper option than purchasing a dedicated server, but a shared one can lead to a whole mess of problems, with potential legal ramifications. The problem with a shared server, as opposed to a dedicated one, is that you don’t know who else with access to that server might gain access to your protected information, which could mean that the stored healthcare information has an unintended audience. All it takes is one break in security for files to become exposed, and that could be a problem with the server itself, an insecurity with your own site’s architecture or software, or an intrusion into the accounts of an unrelated company also using your server.
Speaking of storage, having a site on a shared web server could mean that protected information exists in files, which are incredibly easy to expose. Even if stored in a database, there’s still the potential for a hacker to gain access, especially if you also saved the username and password on the shared server, available to individuals with unauthorized access to your files.
Web forms are another area of concern. It’s common to use forms on a healthcare website to receive information from patients, e.g., signups, digital prescriptions, making appointments, and so on. But where does that information go when the patients click Send on the form? Can you guarantee that the contents of the form aren’t visible in transit to a third party? Even if the form’s contents travel via email, that raises even more concerns about ePHI transmission. You need to figure out solutions that will allow the form’s data to encrypt, send securely, and decrypt only by authorized email servers.
Finally, take care when selecting developers who create and implement your website for you. Developers who are not well versed in web security and who are unaware of the nuances of HIPAA requirements will almost certainly miss many things and leave you with a non-compliant time bomb of a site. Some examples of HIPAA requirements commonly neglected by developers include:
- Not creating audit trails of logins and access to PHI and having those audit trails kept and archived for up to 10 years
- Not providing a means for emergency access to PHI
- Not ensuring that each individual uses a unique login to access the system
- Not providing adequate protection for data in storage
In order to make sure you’re using forms that are HIPAA-compliant, LuxSci offers a service called SecureForm that provides TLS for secure transactions, automatic formatting and encryption of the submitted data, delivery of that data to you via email or many other storage or transmission modes, and secure web-browser-based form data access. It’s a good solution if you want to continue to host form-based healthcare communications on your website without having to devote a lot of time and resources to ensuring these items are HIPAA-compliant.
As for where to host your website, or where to move your current website, the best solution is to purchase a dedicated server from a vendor that offers HIPAA-compliant dedicated servers. It’s not as expensive as you might think, and it pays off to avoid legal ramifications for breaching HIPAA. Having a dedicated server is the best way to ensure you’re covered in terms of security.
If you can’t afford a dedicated server and you must use a shared one, check out our blog post focusing on best practices for HIPAA-compliant websites. We provide a list of steps you should take in order to keep your data as secure and encrypted as you possibly can on a shared server, including how to lock down any and all ePHI and set passwords and cookies, wherever possible. However, avoid shared HIPAA-compliant hosting if at all possible.
Keeping It Secure
Having a website is a huge bonus for both healthcare workers and patients, but this convenient technology can quickly go south if the security isn’t up to HIPAA standards. The best solution is to make sure your website’s hosting, storage, and data transmission are all encrypted and protected. Then, audit your site as part of your yearly HIPAA risk analysis. If that’s too big a task, call in third-party experts like LuxSci. There shouldn’t be any shortcuts when it comes to keeping healthcare information secure.