For folks in the medical field, there is often a lot of uncertainty regarding which kinds of web forms need HIPAA compliance and which ones do not. We often have customers asking if this or that form really needs to be secure or not.
The short answer is that you should probably just make ALL of your forms secure, just as it is best to make all pages of your web site secure, no matter what is on the page. This instills more trust in your web visitors and, as a result, brings in more business. It doesn’t take much work to secure your forms, so you might as well do it for all of them in a clear and consistent way. Your users’ data will be protected, and they will know that you are looking to make the best choices for them, even in cases where it might not strictly be necessary. This is a good thing.
Back to the original question…
If you are a medical office, do some forms not need to be secure and HIPAA compliant, depending on what is collected?
Note: the following is suggested advice from LuxSci based on our understanding of HIPAA; however, this should not be taken as legal advice. We advise you to consult your lawyer for accurate legal advice pertaining to your particular situation.
HIPAA requires that all electronic Protected Health Information (ePHI) be secured to protect the privacy of the individuals identified in the ePHI. So, as long as either (a) HIPAA does not apply to you, or (b) your form does not collect ePHI, then you do not have to secure the web form.