7 Steps to Make your Web Site HIPAA-Secure
Doctors and medical professionals are feeling increasing pressure to get their business online (e.g. use of electronic prescriptions, web appointments, and remote medicine are both trendy and critical for building and sustaining revenue streams in the tightening medical market). This push includes making available protected health information to patients via a web site and collecting similar private information from patients or would-be patients.
However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document. And with the Omnibus rule in place, all web sites, old and new, must be properly designed or their owners face potential financial liability into the millions of dollars.
So, what do these requirements mean and how can HIPAA be followed in the context of a website?
What are the HIPAA requirements for a web site?
HIPAA is an unusual law in that it makes a lot of recommendations (addressable items) and a few assertions (required items), but in the end it is up to each organization to determine for themselves what they need to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected health information (ePHI):
- Transport Encryption: Is always encrypted as it is transmitted over the Internet
- Backup: Is never lost, i.e. should be backed up and can be recovered
- Authorization: Is only accessible by authorized personnel using unique, audited access controls
- Integrity: Is not tampered with or altered
- Storage Encryption: Should be encrypted when it is being stored or archived
- Disposal: Can be permanently disposed of when no longer needed
- Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).
How does a “basic” web site stack up to these requirements?
By a “basic” web site, we refer to one setup at any old web hosting provider (e.g. GoDaddy) and written using off the shelf software or by someone without training in web site security best practices:
- Transport Encryption – Fail. Data is not encrypted during transmission
- Backups – Maybe. Most web hosts will backup and restore your data for you. However, this assumes that the data collected is in a location backed up by the host. If you have information emailed to you, you must be sure that your email record is complete and the backups are good.
- Authorization – Maybe. Depends on your implementation.
- Integrity – Fail. No way to be sure that data is not tampered with or to tell if it has been.
- Storage Encryption – Fail. Data is never encrypted
- Disposal – Maybe. Depends on your implementation. However, some web hosts and IT departments keep data backups indefinitely — and that is not “disposal”.
- Ombibus – Fail. Most of web hosting providers do not even know what a HIPAA BAA would require them to do…. and most of the rest know that they cannot both sign such an agreement and live up to its requirements without completely changing how their business works and their prices.
Overall grade — failing. If you have a basic web site that has never explicitly been updated for HIPAA and which has anything to do with protected patient data, you can be pretty sure that it is not compliant and needs attention. If you plan on expanding your site to include protected patient data, be sure that whoever does it for you is familiar with the requirements that you need to meet.
So, what can be done to guarantee compliance?
Obviously there are a large number of steps that can and should be taken to turn your basic web site into a HIPAA-compliant one. What works for you will depend upon exactly what you are trying to accomplish with your site and in what way protected health information is present and transmitted. Below, we discuss the seven most common cases that we encounter.
- Transmission Encryption: PHI is always encrypted as it is transmitted over the Internet.The first step is to ensure that you have a secure web site (i.e. one protected by SSL and which is accessed via https://…). Any page that collects or displays protected health information, or which is used for logging users in, which transmits authorization cookies, etc., must be protected by SSL and must not be accessible insecurely (i.e. there should not be an alternate insecure version of the same page that people can access).Use of SSL can meet HIPAA’s data transmission security requirement in terms of communications between the end user and your web site. However, your SSL configuration must be strong enough to prevent methods of encryption that are “too weak;” it is up to your web host to be sure that this is the case. See: What level or SSL or TLS is Required by HIPAA?Next, what if the end user submits PHI that is collected on your web site and then your web site transmits that data elsewhere, or stores it? This process must also be HIPAA compliant. We will discuss this below, as it is one of the hardest things to do and still be compliant.
- Backup: Is not lost, i.e. is backed up and can be recovered.You must be sure that all PHI stored with your web site or collected from your web site is backed up and can be recovered in case of an emergency or accidental deletion. Most web hosts provide this service for information stored on their servers. If your site sends information elsewhere (for example, to you via email), then those messages must also be backed up or archived and you must take care that those backups are robust, available, and accessible only by authorized people.Note that the PHI stored in backups must also be protected in a HIPAA-compliant way — with security, authorization controls, etc.
- Authorization: Is only accessible by authorized personnel using unique, audited access controlsWho can access the protected health information that resides on your web site or which is collected there? Your web hosting provider probably can. Are they a trusted HIPAA Business Associate with a privacy agreement? If the site collects health information and sends it to you or others, it is important to know who can access those messages. Anyone with access to your email or the messaging system? Are they all trusted and “in the loop”?If your web site stores or provides access to PHI, does your web site enforce unique, secure logins which ensure that only authorized / appropriate people can access that data? Are these logins and the data accesses audited? This will be up to your web site designers to setup properly for you.
- Integrity: PHI is not tampered with or altered.Unless the information that you collect and store is encrypted and/or digitally signed, there is no way to prevent it from being tampered with or to verify if tampering has happened. It is up to your organization to determine if tamper-proofing your data is needed and how to best accomplish that. Generally, using PGP, SSL, or AES encryption of stored data can accomplish this very nicely and also address the next point.
- Storage Encryption: Is encrypted if it is being stored or archived.It is up to your organization to determine if this is needed; though it is highly recommended. If storage encryption is necessary then you need to ensure that all collected and stored protected health information is encrypted and that it can only be accessed/decrypted by people with the appropriate keys. I.e., this makes backups secure, protects data from access by unauthorized people, and generally protects the data no matter what happens (unless your special keys are stolen).Storage encryption is especially important in any scenario where the data may be backed up or placed in locations out of your control, or where you may be sharing a web server with other customers of the same web host. Should something unfortunate happen and a server become compromised, your liability is significantly limited by having the data encrypted.
- Disposal. Can be permanently disposed of when needed.This sounds easy, but you have to consider all of the places where the data could be backed up and archived. You need to ensure that all of those backups will expire and disappear. Consider that every location that the information touches could be making backups and be saving copies of your data … indefinitely. It certainly helps if the data is encrypted in the backup … but if the backup is there and the keys to open the data exist, then it is not really “disposed of”. It is up to you to determine how far you need to go to ensure data disposal in order to be HIPAA compliant.It is up to the folks managing your servers to also ensure that the media (e.g. the hard drives) containing PHI are properly disposed of when you are no longer using them.
- Business Associate: You must have a HIPAA Business Associate Agreement with every vendor that touches your PHI.If your web site or data is located on the servers of a vendor, then HIPAA (first HITECH and then in Omnibus) requires that you have a signed Business Associate Agreement with them. This agreement ensures that the vendor will follow the HIPAA security rule requirements with respect to your data and its servers.Note that web sites are complex beasts and no web hosting provider will be policing your web site functionality and content — they can’t. Instead, they will be providing an “infrastructure” that meets HIPAA compliance requirements and they will require you to design and manage your web site so that its functionality is HIPAA compliant. Choosing a provider will not make your web site HIPAA compliant unless you and your designers ALSO take all of the steps to ensure that its design and functionality is complaint. This is universal unless you buy a web site that is pre-designed and fully under the control of the host.
So, there are many things to do and a lot is all “up to you”. Of course, just because you are on the “honor system” doesn’t mean that you can make whatever choice you feel like. If you make a poor choice and something bad happens or if you are audited, you will be found willfully negligent (ignorance is not an excuse here). You really have to carefully consider what is necessary and appropriate to suitably protect health information and the privacy of your users, based on your web site application and how the patient data is used and transmitted.
Collecting health information from people
One of the first things that doctors and medical practices like to do when they expand online is to collect patient information on their web site so that they can:
- Sign up new patients
- Schedule appointments
- Make diagnoses and recommendations about medical situations
- Get into digital prescriptions
Securing the transmission of the information from the patient to the web site is pretty easy (it’s #1 — use web site secured with SSL). However, what do you do with that information? Common solutions include:
- Store it in files on the web server to download later
- Store it in a database for download or remote access
- Email it to someone
The third option, email it to someone, is the most popular choice because it is the easiest and requires the least additional software or infrastructure… everyone is already checking their email. It also opens a whole can of worms in terms of “how do you make the email component meet HIPAA?”
1. Storing the data in files requires that
- The web site encrypt the files
- Someone downloads the files over a secure channel (i.e. Secure FTP)
- The web site owner gets notified via an email that a new file is waiting
- Backup and disposal are taken care of
2. Storing the data in a database allows you to write software for remote access and management of that information, however
- Transmission to and from the database needs to be secure
- The software that provides management access must be secure and meet all sorts of HIPAA requirements in terms of access control and auditing
- Issues regarding encryption keys and database secure storage must be addressed
So, option 1 is easy, but requires a bit more technical knowledge on the part of the users and puts the onus of backup and disposal on them. Option 2 is better and allows more flexibility, usability, and control and a centralization of the data into one place. However, Option 2 is more technically complex requires more cost and effort to implement properly. Option 3 is easy, but how do you make the email HIPAA compliant?
Securing data emailed from your web site forms
The ideal procedure for securing your emailed data is basically as follows:
- Your secure web site encrypts the submitted data (using PGP or S/MIME, TLS, or a secure web-based email pickup solution) such that only one or a few of your employees can open it.
- This data is emailed to those recipients and “forgotten” by the web site (or an encrypted copy is stored on the site if you prefer).
- The recipients receive the data and it is stored on their email server (still encrypted unless TLS was used for delivery).
- The recipients can access these messages securely (over SSL) and decrypt the data either in their email program or on a Web-based interface that supports decryption.
- The email provider takes care of backups.
- Deleted messages will expire from backups after a while (get a signed statement saying this from them, if you like).
- Keep copies of all of the encrypted messages on the server instead of downloading them all, so that you are responsible for backups and so that they are all stored in a central location.
Make your Web Forms HIPAA compliant Quickly
LuxSci’s SecureForm service allows you to collect data from your web (and PDF) forms and deliver it to you via email, secure FTP, or database in a way that is both automatically HIPAA compliant and does not require any programming on your part:
- We can get and install SSL for your web site so that transmissions are secured.
- We can integrate your web forms with special scripts that will encrypt your submitted form data (using PGP, S/MIME, TLS, or SecureLine Escrow) and email it to you.
- We provide daily and weekly backups of your email data that permanently expire after 1 month.
- We can optionally provide immutable archives of all of your inbound and outbound email so that none of it can get lost or deleted or edited and so that you have a secure backup available for 1, 3, 5, or even 7 years.
- Our web browser-based email access allows you to decrypt and view all of your secure messages, over a secure channel, from anywhere.
- Use any of your favorite email clients, like Thunderbird, Outlook, or Eudora, to securely access, unlock, and read the secure email messages over IMAP (or POP) or from your iPhone or Android or Tablet.
- Users can HIPAA-securely reply, via our WebMail interface (or even from their email programs) back to the web site user … so that the web site user can get a secure message via our SecureLine Escrow service. The web site users can even reply back to the medical worker securely!
- You can have back-and forth conversations, initiated from your web site, that are fully HIPAA compliant.
Update your web forms for HIPAA compliance before there is a breach
Use LuxSci specialized SecureForm Service
- What Level of SSL or TLS is Required by HIPAA?
- Encryption and Auditing for MySQL Databases under HIPAA
- How the HIPAA Omnibus Rule Affects Email, Web, FAX, and Skype
- A Technical Discussion of Secure Web Forms to Encrypted Email
- HIPAA Email Security Management in Email Communications
- Medical Privacy: Addendum to LuxSci’s Master Services Agreement
- Receive Secure Web Form Submissions in a Secure Email