7 Essential Steps to Creating a HIPAA Website
The recent focus on tracking pixels and analytics codes by enforcement agencies has many healthcare organizations reassessing their website security and compliance. As technology has evolved over the past thirty years, HIPAA rules have adapted to secure sensitive data. In this article, we review the requirements for HIPAA websites and what you need to do to ensure your website is compliant and secure.
What are the requirements for HIPAA websites?
HIPAA is an unusual law: most of the Security Rule's implementation specifications are "addressable" and only some are "required." Addressable does not mean optional. Each organization must either implement the specification or document why it is not reasonable and appropriate in its environment and put an equivalent alternative in place. This creates a great deal of flexibility and also a great deal of uncertainty. To create a HIPAA website that meets the standard, there are seven main areas to examine:
- Transport Encryption: Data is always encrypted when transmitted over the internet.
- Backup: Protected health information is never lost. All collected PHI should be backed up and recoverable.
- Authorization: Data is only accessible by authorized personnel using unique credentials. Access to sensitive information is logged and available to be audited.
- Integrity: Prevent PHI from being tampered with or altered.
- Storage Encryption: Data should be encrypted when stored or archived.
- Disposal: PHI can be permanently disposed of when no longer needed.
- Business Associates: If you are engaging a third party to host your website, you must have a HIPAA Business Associate Agreement that outlines how PHI is collected, stored, transmitted, and protected.
How does a “basic” website stack up to HIPAA requirements?
By a “basic” website, we refer to a general setup at any web hosting provider (e.g., GoDaddy) that uses standard software or is developed by someone without training in website security best practices:
- Transport Encryption – Fail by default. Unless HTTPS is configured and enforced on every page, form data and session cookies travel in clear text.
- Backups – Maybe. Most web hosts will backup and restore your data for you. However, this assumes that the data collected is in a location backed up by the host. If you have information emailed to you, you must be sure that your email record is complete and the backups are good.
- Authorization – Maybe. It depends on the implementation.
- Integrity – Fail. There is no way to tell if data has been tampered with.
- Storage Encryption – Fail. Submitted data is written to disk or a database in clear text, often on a server shared with other customers.
- Disposal – Maybe. It depends on your implementation. Some web hosts and IT departments keep data backups indefinitely, and that is not “disposal.”
- Business Associates – Fail. Most web hosting providers do not know what a HIPAA BAA would require them to do. Many of the remaining web hosts know they cannot sign such an agreement and live up to its requirements without completely changing their business practices.
If you have a simple website that was not built as a HIPAA website and it collects or displays protected patient data, you can be almost certain it is not compliant and needs attention. If you plan to expand your website to collect and store protected patient data, be sure that whoever does the work is familiar with the requirements for HIPAA websites.
How to Meet the HIPAA Website Requirements
Creating a HIPAA-compliant website is a challenging task. The steps you must take will depend on precisely what you are trying to accomplish with your website and how protected health information is collected and transmitted. Below, we discuss the seven areas listed above in the order we most often encounter them.
1. Transmission Encryption: The first step is to ensure that you have a secure website, i.e., one protected by TLS (the protocol still commonly called "SSL") and accessed via HTTPS://. Any page that collects or displays protected health information, logs users in, or sets or transmits session cookies must be served only over HTTPS. It should not be accessible insecurely: there should be no alternate plain-HTTP version of the same page, plain-HTTP requests should redirect to HTTPS, session cookies should carry the Secure flag, and the site should send a Strict-Transport-Security (HSTS) header so browsers refuse to fall back to HTTP. TLS meets HIPAA's data transmission security requirement for communications between the end-user and your website. However, your TLS configuration must be strong enough to refuse protocol versions and cipher suites that are "too weak" (SSLv3, TLS 1.0 and TLS 1.1, and non-AEAD or export-grade suites). Your web host is responsible for this configuration, but you should verify it yourself with a TLS configuration scanner such as Qualys SSL Labs rather than take it on trust.
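The "no insecure version of the page" rule above has three moving parts in practice: a TLS listener that refuses weak protocol versions, a plain-HTTP listener whose only job is to redirect, and an HSTS header on every HTTPS response. The following Go program is an added example written for this article, not code from LuxSci or from any hosting provider. The host name `clinic.example` and the `/intake` path are made up for illustration, and the production wiring in the comment at the end assumes certificate files `cert.pem` and `key.pem` that you would obtain from your CA.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// hardenedTLSConfig returns a tls.Config for the HTTPS listener that refuses
// the versions and suites usually judged "too weak": SSLv3, TLS 1.0, TLS 1.1,
// and any TLS 1.2 suite without forward secrecy or AEAD. Go fixes the TLS 1.3
// suites itself, so only TLS 1.2 suites are listed.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// redirectToHTTPS is the only handler the plain-HTTP listener ever serves.
// Every request, whatever the path, is sent to the HTTPS version of the same
// URL, so no page has an insecure alternate.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop an explicit :80 so the target is https://host/path
	}
	http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// withHSTS wraps the real site handler: browsers that have seen this header
// refuse plain HTTP for the host for a year, and no-store keeps PHI pages out
// of shared and browser caches.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		w.Header().Set("Cache-Control", "no-store")
		next.ServeHTTP(w, r)
	})
}

// intakePage stands in for a page that displays or collects PHI (hypothetical).
func intakePage(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "patient intake form")
}

// probe runs one request through a handler without opening a socket, so the
// behaviour can be checked offline.
func probe(h http.Handler, rawURL string) (int, http.Header) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", rawURL, nil))
	return rec.Code, rec.Header()
}

func main() {
	code, hdr := probe(http.HandlerFunc(redirectToHTTPS), "http://clinic.example/intake?step=2")
	fmt.Println(code, hdr.Get("Location")) // 301 https://clinic.example/intake?step=2
	_, hdr = probe(withHSTS(http.HandlerFunc(intakePage)), "https://clinic.example/intake")
	fmt.Println(hdr.Get("Strict-Transport-Security"))

	// Production wiring (needs a certificate, so not run here):
	//   go http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS))
	//   srv := &http.Server{Addr: ":443", Handler: withHSTS(http.HandlerFunc(intakePage)),
	//                       TLSConfig: hardenedTLSConfig()}
	//   log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

The point of `redirectToHTTPS` serving every path is that a forgotten plain-HTTP copy of a form is exactly the "alternate insecure version" the text warns about; the redirect listener cannot serve content at all. The HSTS header then closes the remaining window between a user's first plain-HTTP request and the redirect.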
What happens if the end-user submits PHI on your website, and then your website transmits that data elsewhere or stores it? This process must also be HIPAA-compliant. We will discuss this below, as it is one of the hardest things to do and still be compliant.
2. Backup: You must be sure that all PHI stored or collected from your website is backed up and can be recovered in case of an emergency or accidental deletion. Most web hosts provide this service for information stored on their servers. If your website sends information elsewhere (for example, via email), those messages must also be backed up or archived. You must ensure those backups are robust, available, and accessible only by authorized people. Note that PHI stored in backups must be protected in a HIPAA-compliant way – with security, authorization controls, etc.
3. Authorization: If the website collects PHI and sends it to you or others, knowing who can access sensitive information is essential. Restricting access to only authorized users is critical. This is typically done by requiring users to have unique (not shared) logins and by keeping logs of who accessed data and when.
4. Integrity: Unless the information you collect and store is digitally signed, protected by a keyed hash (HMAC), or encrypted with an authenticated mode, there is no way to prevent it from being tampered with or to verify whether tampering has happened. It is up to your organization to tamper-proof your data. Usually, OpenPGP (PGP) or S/MIME signatures, an HMAC over each record, or authenticated encryption such as AES-GCM is used to protect the integrity of stored data, and authenticated encryption also addresses the next point. Note that encryption by itself does not guarantee integrity: an unauthenticated mode such as AES-CBC without a MAC can be modified without detection, and TLS protects data only while it is in transit, not once it is stored.
5. Storage Encryption: It is up to your organization to determine if storage encryption is needed, though it is highly recommended. If storage encryption is necessary, you must ensure that all collected and stored protected health information is encrypted and can only be accessed and decrypted by people with the appropriate keys. This makes backups secure, protects data from access by unauthorized people, and generally protects the data no matter what happens (unless your special keys are stolen).
Storage encryption is essential in any scenario where the data may be backed up or placed in locations out of your control, or where you may be sharing a web server with other customers of the same web host. Should something unfortunate happen and a server become compromised, your exposure is significantly limited by having the data encrypted, provided the decryption keys were not on that server. If the web server holds both the encrypted data and the key that opens it (a common mistake with a key in a config file or environment variable), an attacker who takes the server takes both. Encrypt to a public key whose private half lives elsewhere, or keep the key in a separate key management service, so the server can write PHI but never read it back.
6. Disposal: Ensure that information can be permanently disposed of when needed. This sounds easy, but you must consider every location where the data could be backed up and archived. It certainly helps if the data is encrypted in the backup, but if the backup is there and the keys to open the data exist, it is not really “disposed of.” You must determine how far you need to go to ensure data disposal is HIPAA-compliant. Whoever manages your servers must ensure that hard drives containing PHI are appropriately disposed of when you are no longer using them.
7. Business Associates: You must have a HIPAA Business Associate Agreement with every vendor that touches your PHI. If your website or data is located on a vendor’s servers, then HIPAA requires that you have a signed Business Associate Agreement with them. This agreement ensures that the vendor will follow the HIPAA security rule requirements concerning your data and its servers. Note that websites are complex, and no web hosting provider will be policing your website functionality and content – they can’t. Instead, they will provide a secure infrastructure that meets HIPAA compliance requirements. Choosing a compliant hosting provider does not automatically make your website HIPAA-compliant. Your design and development team must ensure its design and functionality meet HIPAA website requirements.
Collecting Data on HIPAA-Compliant Websites
The point of creating a website is to provide information and to enable communication between patients and their providers. Many doctors and medical practices like to use online tools to collect patient information on their websites so that they can:
- Sign up new patients
- Schedule appointments
- Make diagnoses and recommendations about medical situations
- Issue digital prescriptions
Typically, the best way to collect this information is with a secure online form. HIPAA websites also need HIPAA-compliant contact forms and landing pages, and there are additional steps to take to ensure that information is secure. LuxSci’s HIPAA-compliant Secure Form solution enables the secure collection and transmission of patient information.
Transmitting Data From HIPAA Websites
Securing the transmission of the information from the patient to the website is straightforward: use a website secured with TLS. However, what do you do with that information once it arrives, and how is it protected from then on?
Common solutions include:
- Store it in files on the web server to download later
- Store it in a database for download or remote access
- Email it to someone
The third option is the most popular choice because it is the easiest and does not require additional software or infrastructure. Everyone already uses email. However, ordinary email is not a secure channel: a message is stored in clear text on every mail server it passes through unless it is encrypted end to end, and not all email providers are HIPAA-compliant or willing to sign a BAA.
1. Storing the data in files requires that:
- The website encrypts the files
- Someone downloads the files over a secure channel (i.e., SFTP or an authenticated HTTPS download, never plain FTP)
- The website owner gets notified via an email that a new file is waiting
- Backup and disposal are taken care of
2. Storing the data in a database allows you to write software for remote access and management of that information, however:
- Transmission to and from the database needs to be secure.
- The software that provides management access must be secure and meet all sorts of HIPAA requirements regarding access control and auditing.
- Issues regarding encryption keys and secure database storage must be addressed.
So, Option 1 is easy but requires more technical knowledge from the users and puts the onus of backup and disposal on them. Option 2 is better and allows more flexibility, usability, control, and data centralization. However, Option 2 is more technically complex and requires more cost and effort to implement correctly. Option 3 is easy, but how do you make the email HIPAA-compliant? LuxSci can help with that.
Securing data emailed from your website forms
The ideal procedure for securing emailed data is as follows:
- Your secure website encrypts the submitted data (using PGP or S/MIME, TLS, or a secure web-based email pickup solution) so that only the intended employees can open it.
- This data is emailed to recipients and “forgotten” by the website (or an encrypted copy is stored on the site if you prefer).
- The recipients receive the data and store it on their email server. The message is still encrypted if PGP or S/MIME was used; if only TLS was used for delivery, it sits on the mail server in clear text, and that server and its backups must then be HIPAA-compliant themselves.
- The recipients can access these messages securely (over SSL) and decrypt the data in their email program or on a Web-based interface that supports decryption.
- The email provider takes care of backups.
- Deleted messages will expire from backups after a predetermined period.
- Copies of encrypted messages are kept on the server rather than downloaded to individual workstations. Once a message is downloaded, you become responsible for backing it up, storing it in a central location, and disposing of it.
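Items 4 and 5 above (integrity and storage encryption) and the "website encrypts the submitted data so that only the intended employees can open it" step of this procedure are the same mechanism seen from two sides. The following Go program is an added example written for this article, not LuxSci's Secure Form code or a description of how it works. It wraps a fresh AES-256-GCM key for each submission with the recipient's RSA-OAEP public key, the same envelope pattern PGP and S/MIME use; the web server holds only the public key, so a compromised server yields nothing it has already sealed, and any alteration of a stored or emailed envelope is detected on opening. The intake form record, the `intake-form/v1` context label and the in-process key generation are constructed for the demonstration; in practice the recipient generates the key pair and only the public half is installed on the web server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is what the web server writes to disk or attaches to the
// notification email. Nothing in it is useful without the recipient's
// private key, and every field is covered by an integrity check.
type Envelope struct {
	WrappedKey []byte `json:"wrapped_key"` // per-submission AES key, RSA-OAEP to the recipient
	Nonce      []byte `json:"nonce"`       // 96-bit GCM nonce, fresh per submission
	Ciphertext []byte `json:"ciphertext"`  // AES-256-GCM output: data plus 16-byte tag
	Context    string `json:"context"`     // authenticated (as OAEP label and GCM AAD) but not secret
}

// sampleSubmission is a constructed intake form record, not real patient data.
const sampleSubmission = `{"name":"Jane Q. Patient","dob":"1980-01-01","reason":"knee pain"}`

// sealSubmission runs on the web server. It needs only the recipient's public
// key, so the server can produce envelopes it is unable to open.
func sealSubmission(recipient *rsa.PublicKey, context string, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The context string is additional authenticated data: it is not hidden,
	// but changing it invalidates the tag.
	ciphertext := gcm.Seal(nil, nonce, plaintext, []byte(context))
	// Wrap the data key to the recipient; the same context is the OAEP label,
	// so an envelope cannot be re-purposed under a different context.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, []byte(context))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext, Context: context}, nil
}

// openSubmission runs on the staff member's side, where the private key lives.
// It returns an error rather than plaintext if anything in the envelope was
// modified, so tampering with backups or mail spools is detected, not hidden.
func openSubmission(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(env.Context))
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong recipient key or altered envelope")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Context))
	if err != nil {
		return nil, errors.New("integrity check failed: submission was altered after sealing")
	}
	return plaintext, nil
}

func main() {
	// Demo only: in deployment the recipient generates this pair and gives
	// the web server just &priv.PublicKey.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := sealSubmission(&priv.PublicKey, "intake-form/v1", []byte(sampleSubmission))
	if err != nil {
		panic(err)
	}
	stored, _ := json.Marshal(env) // what actually lands on disk or in the mailbox
	fmt.Printf("stored envelope (%d bytes), plaintext nowhere on the server\n", len(stored))

	if pt, err := openSubmission(priv, env); err == nil {
		fmt.Println("recipient opened:", string(pt))
	}
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // simulate a flipped bit in a backup
	_, err = openSubmission(priv, env)
	fmt.Println("after tampering:", err)
}
```

Two design points are worth noting. A fresh data key and nonce per submission means a nonce can never repeat under one key, which is the one way AES-GCM fails catastrophically. And because the private key is not on the web server, disposal (item 6) of a submission can be completed by destroying the envelope everywhere it was copied, with the knowledge that stray copies in old backups are unreadable to anyone who does not also hold the recipient's key.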
HIPAA Websites and the Use of Tracking Codes
The above covers information submitted by users on your website, but what about tracking and analytics codes that collect information about website visitors for marketing and advertising purposes? Recent guidance from the Department of Health and Human Services on online tracking technologies has many organizations rethinking their use. A tracking pixel on a page where a visitor's identity can be tied to a health condition, appointment, or treatment can disclose PHI to the pixel's vendor, and disclosing PHI to a vendor requires a Business Associate Agreement. Vendors such as Google and Meta generally will not sign a BAA covering their advertising and analytics pixels, so sending them health information about website users is not permitted.
You should only install third-party tracking tags on your website if you have a BAA that ensures the secure transmission, storage, and usage of patient information. It’s essential to proceed with caution when implementing any new technology on your website.
Conclusion
LuxSci’s Secure Web Hosting, Email, and Form solutions enable the secure collection and transmission of patient information throughout your organization. Contact us today to learn more about how you can operationalize your data to improve workflows.