If my web site is very simple, do I have to worry about HIPAA compliance?
We received this question via Ask Erik from a Physicians’ Association:
“Our company website does not contain any patient information. As a healthcare group, do we need to worry about HIPAA compliance for our site? It contains forms, news and some company policies and procedures but no patient information whatsoever. Thank you.”
Thank you for your question! Here, we delve into how you can answer this for your site.
When does a web site need HIPAA compliance?
HIPAA compliance is specifically needed when electronic protected health information (ePHI) is stored in, transmitted through, or accessible through a web site. Common examples of these situations include:
- Electronic Health Record (EHR) web sites
- Patient portals
- Email systems for sending or receiving messages
- Any web site providing access to or collecting medical information
- Any web site form that could be collecting or producing ePHI
Let’s break the example given in the question down to see if it qualifies or not. This web site contains:
- Company policies and procedures. This is information about the company and not about specific patients. It would be public information, not ePHI, and thus would not trigger HIPAA.
- News. As long as this news does not identify any specific patients and thus does not include ePHI, it would not trigger HIPAA. For example, the notice of a 5k charity road race or of upcoming holiday hours is not ePHI. However, news consisting of a success story of how a particular patient did really well could be ePHI. It could be ok to publish anyway if the story is already public (e.g. due to the patient’s actions) or if the patient has given written consent. Otherwise, such a story may well include ePHI and would require all of the trappings of HIPAA to protect it from being viewed by unauthorized people.
- Some forms. Forms are the biggest HIPAA “gotchas” for small web sites. A form itself is not ePHI, but it may well be the case that when someone fills out the form and submits it, that data contains ePHI (or that data in context is ePHI). If the user can enter arbitrary information … s/he may put sensitive medical data in there even if you give instructions not to. Even filling out a simple request for consultation or information form may result in ePHI coming your way. Online forms must be HIPAA-compliant.
A simple web site generally does not need HIPAA compliance. A simple web site that has online forms would do very well to protect those forms with the level of security and privacy required by HIPAA. This will certainly improve your HIPAA risk analysis! Fortunately, this is pretty easy to do. The simplest thing is to move the form itself to a HIPAA-compliant form processing provider, like LuxSci SecureForm. You can keep your web site “as is” and just upgrade your forms to achieve compliance and receive the form submissions as usual.
But … my forms are different!
As long as you allow people to enter free-form text in your forms, you have lost control over what they may send you. You know it … some people will find a way to squeeze in their whole life story into a little box in the hope that you will hear them and help.
You can make disclaimers such as “do not put any sensitive information here” or “by filling out this form you give consent that it may be delivered insecurely.” However, unless you take some pains to ensure that users really see and understand this consent and that they explicitly agree to it (note: tacit agreement through the action of filling out the form does not count, legally), this may not be a good escape clause for you. Furthermore, HIPAA states that you should take reasonable precautions to protect ePHI if the burden is not onerous. As it is very simple and inexpensive to properly secure a form, not doing it and soliciting information that is, or could be, ePHI would be looked upon as somewhat negligent if there were to be a breach.
What if your forms are the kind that patients download and fill out and bring in?
In this case, the forms do not contain ePHI and you are not providing an avenue for patients to send you ePHI electronically, so HIPAA does not apply. However, it would be very respectful of your patients/users to provide these forms through a secured site (e.g. over SSL/TLS).
If the connection is not secured, then the content of your web pages can be modified between your site and the end user without anyone knowing. You may think that this is far-fetched, but it happens. It is a common way to infect users with malware and spyware.
The attack could be much more malicious and targeted. It could change the link to your form’s PDF file, causing the patient to download a different file with different content and different instructions. E.g., this new PDF could be an online form that requests that users fill it out and press “submit” … and then the attacker captures their sensitive data. There are a multitude of possible scenarios: some obvious and some very subtle. In this day and age when medical information is of high value to attackers, proactively respecting patient privacy is of high business importance.
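The two checks discussed above (free-text form fields that can receive ePHI, and pages, form targets or PDF downloads served over an unsecured connection) can be run against a page's HTML. The following Python code is an added example, not part of the original article; the `clinic.example` page, the `PageAudit` and `audit` names, and the finding labels are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (hypothetical clinic.example site), not from the article.
SAMPLE_URL = "http://clinic.example/contact"
SAMPLE_HTML = """
<a href="/forms/new-patient.pdf">New patient form</a>
<a href="https://clinic.example/forms/privacy.pdf">Privacy notice</a>
<form action="/submit" method="post">
  <input type="text" name="full_name">
  <input type="checkbox" name="newsletter">
  <textarea name="message"></textarea>
</form>
"""

class PageAudit(HTMLParser):
    """Collects forms, their free-text fields, and PDF links from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.pdf_links, self._form = page_url, [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""), "free_text": []}
            self.forms.append(self._form)
        elif self._form is not None and (tag == "textarea" or (
                tag == "input" and (a.get("type") or "text").lower() == "text")):
            self._form["free_text"].append(a.get("name") or "(unnamed)")
        elif tag == "a" and urlparse(a.get("href") or "").path.lower().endswith(".pdf"):
            self.pdf_links.append(urljoin(self.page_url, a["href"]))
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit(page_url, html):
    p = PageAudit(page_url)
    p.feed(html)
    insecure = lambda url: urlparse(url).scheme != "https"
    # A plain-HTTP page can be rewritten in transit, whatever its links point to.
    findings = [("page-not-https", page_url)] if insecure(page_url) else []
    for form in p.forms:
        if insecure(form["action"]):
            findings.append(("form-posts-insecurely", form["action"]))
        # Free-text fields can receive ePHI regardless of what the form asks for.
        findings += [("free-text-field", name) for name in form["free_text"]]
    findings += [("pdf-link-not-https", u) for u in p.pdf_links if insecure(u)]
    return findings
```

Serving the same page over HTTPS clears the transport findings, but the two free-text fields are still reported, since they remain a route by which ePHI can arrive.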
For more details, we recommend reading:
- HIPAA Compliant Emails Sent From your Web Site: Best Practices
- Do my online forms need to be HIPAA-Compliant if they don’t ask for medical information?
- HIPAA-Compliant Web Sites: Requirements and Best Practices
- Adding HIPAA Compliance to your Web Forms in 10 minutes
- Can You Send ePHI in Insecure Emails and Texts with Mutual Consent?