For folks in the medical field, there is often a lot of uncertainty regarding which kinds of web forms need HIPAA compliance and which ones do not. We often have customers ask if their online forms need to be HIPAA-compliant.
The short answer is that you should probably make ALL of your forms secure, just as it is best to make all pages of your website secure, no matter what is on the page. This instills more trust in your web visitors and results in more business. It doesn’t take much work to secure your forms, so you might as well do it for all of them. Your users’ data will be protected, and they will know that you are looking to make the best choices for them, even in cases where it might not strictly be necessary. This is a good thing.
Back to the original question:
If you are a medical office, do your online forms need to be HIPAA-Compliant, depending on what is collected?
Note: the following is suggested advice from LuxSci based on our understanding of HIPAA; however, this should not be taken as legal advice. We advise you to consult your lawyer for accurate legal advice on your particular situation.
HIPAA requires that all electronic Protected Health Information (ePHI) be secured to protect the privacy of the individuals identified in the ePHI. So, if either (a) HIPAA does not apply to you or (b) your form does not collect ePHI, you do not have to secure the web form.
Let’s look at each of the two criteria to tell if either one may apply to you or your form.
1. Does HIPAA Apply to You?
HIPAA applies to your web form if you are a “HIPAA Covered Entity” or if you are collecting data for someone that is a HIPAA Covered Entity (making you a “HIPAA Business Associate” of theirs).
HIPAA Covered Entities Include:
- Care: You provide services or supplies related to an individual’s physical or mental health care. This includes: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other items in accordance with a prescription.
- Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the ordinary course of business.
- Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
- Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many organizations and government programs as health plans.
You are a HIPAA Business Associate if someone who is a HIPAA Covered Entity has contracted you to collect data for them through the form. (You also have to sign a Business Associate Agreement (BAA) and abide by many other restrictions if you are a Business Associate.) A good example of a Business Associate would be a web design company that handles the websites and forms for its customers, some of whom are “HIPAA Covered Entities.” If the website uses web forms to collect ePHI, the web design company must be a Business Associate of that customer and abide by HIPAA regulations. Without a BAA, their customer is non-compliant and putting patient data at risk.
2. Does the online form collect ePHI?
So let’s say that HIPAA does apply to you, and you still want to know if a particular web form needs to be compliant. This is determined by whether the form collects ePHI or not.
What is ePHI?
ePHI is individually identifiable, protected health information sent or stored electronically. “Protected health information” can include information about an individual’s:
- Past, present, or future physical or mental health or conditions
- Past, present, or future provisioning of health care
- Past, present, or future payment-related information for the provisioning of health care
“Individually identifiable” information includes all information that can be used to determine which specific individual is involved. There are 18 types of identifiers for an individual (listed below); any one of them, together with any “protected health information” (e.g., an appointment with a particular doctor), constitutes ePHI.
- Name
- Address (all geographic subdivisions smaller than the state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax numbers
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voiceprints
- Photographic images
- Any other characteristic that could uniquely identify the individual
So, it is pretty easy for a web form to be collecting ePHI!
Web Forms That Collect ePHI Need to Be HIPAA-Compliant
Here are some examples of web forms that would likely be collecting ePHI:
- Appointment Requests and Referral Requests: These will collect identifiable information about the person requesting the appointment. The request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, by context, requesting an appointment may also imply information about “an individual’s past, present, or future physical or mental health or condition.”
- Patient Intake Forms: These forms usually enable prospective patients to provide information about themselves for one purpose or another. This is both identifiable and information about “an individual’s past, present, or future physical or mental health or condition.”
Some examples that might not be considered collection of ePHI (depending on the exact context of the site), because while they are individually identifiable, they do not include or imply health information about that individual:
- Contact Requests: The website visitor is merely asking for a call or email with no specified reason.
- Requests for Information: Where the website visitor requests a white paper, a pamphlet, or other information.
- Purchases of products that do not require a prescription: Purchasing a product does not in and of itself imply who is to use it, unless use of that product is restricted (e.g., via a prescription). Of course, this may also depend on whether you also collect health information as part of the purchase, e.g., for future marketing or upsell.
You get the picture: anything that identifies the person and relates to that person’s health or healthcare should be considered ePHI and protected. In other cases, you could get away with not being secure. But why would you? People are afraid and paranoid about identity theft and information leakage on all sites, not just ones related to medical information. Anything that a website can do to make its visitors more comfortable and “secure” will improve trust and sales conversions.
What About Consent for Insecure Transmission?
As a follow-up question, we are often asked if there can be a checkbox on the form where patients can click to consent to the use of an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form at all. In effect, you are forcing them either to go away or to submit with “consent” to insecure transmission.
We strongly advise against this, and it is almost certainly not HIPAA-compliant. If you were going to do it anyway, this is also a case where you should consult a lawyer to make sure it is acceptable in your situation.
To understand why this is a bad idea, consider “Mutual Consent.”
Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:
- You and the patient agree that insecure transmission is okay,
- The patient has been appropriately advised of the security risks involved,
- The patient agrees in writing that insecure transmission is okay, and
- The option for HIPAA-compliant transmission is available by implication.
The simplest thing to do is have secure transmission and be done with it; there is no need for consent to insecure delivery. An insecure form doesn’t make things any easier for the person filling it out.
The only case where this could possibly be considered under the HIPAA radar (again, please consult your lawyer) is if:
- Your insecure form has a clear section that advises users of the risks of submitting their data via this form.
- That warning is understandable to most laypeople without further explanation.
- Users have to check a box (or perhaps sign their name) to consent to the submission of that form.
- You may need to be able to show that they understood and agreed to the risks and didn’t just click without reading.
- When you collect the form data, you save and archive all of these consent agreements, so that in case of a breach you can prove that insecure sending was allowed and the user was well informed of the risks.
- You have another option available to users who do not accept the risks, e.g., submitting the form securely, calling you via a phone number, printing and mailing in a physical form, etc.
You place a significant burden on the end-user by adding warnings and consent to your form. This will turn most folks off. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warning, just simple, secure submission.