7 Steps to Make Your Website HIPAA-Compliant

March 2nd, 2021

Telehealth is the new standard thanks to the Covid-19 pandemic. Many medical providers are finding that telehealth is a safer option during the pandemic, and it can also help increase patient access to healthcare and improve outcomes. Along with video appointments, the virtual medicine push includes making protected health information available to patients via a website and collecting similar private information from patients or would-be patients online.

However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document. The Omnibus rule requires all websites, old and new, to be appropriately designed, or their owners can face potential financial liability into the millions of dollars.

So, what do these requirements mean, and how can HIPAA be followed in the context of a website?

What are the HIPAA compliance requirements for a website?

HIPAA is an unusual law in that it makes many recommendations (addressable items) and a few assertions (required items). Still, in the end, it is up to each organization to determine for itself what it needs to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, seven main areas deal with electronic protected health information (ePHI) and need to be examined to ensure HIPAA compliance:

  1. Transport Encryption: Data is always encrypted when transmitted over the internet.
  2. Backup: Protected health information is never lost, i.e., it should be backed up and can be recovered.
  3. Authorization: Data is only accessible by authorized personnel using unique, audited access controls.
  4. Integrity: ePHI is not tampered with or altered.
  5. Storage Encryption: Data should be encrypted when stored or archived.
  6. Disposal: ePHI can be permanently disposed of when no longer needed.
  7. Omnibus/HITECH: Protected health information is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in-house, and those servers are adequately secured per the HIPAA security rule requirements).

How does a “basic” website stack up to HIPAA requirements?

By a “basic” website, we mean one set up at any old web hosting provider (e.g., GoDaddy) and written using off-the-shelf software or by someone without training in website security best practices:

  1. Transport Encryption – Fail. Data is not encrypted during transmission.
  2. Backups – Maybe. Most web hosts will back up and restore your data for you. However, this assumes that the data collected is in a location backed up by the host. If you have information emailed to you, you must be sure that your email record is complete and the backups are good.
  3. Authorization – Maybe. It depends on the implementation.
  4. Integrity – Fail. There is no way to tell if data has been tampered with.
  5. Storage Encryption – Fail. Data is never encrypted.
  6. Disposal – Maybe. It depends on your implementation. Some web hosts and IT departments keep data backups indefinitely, and that is not “disposal.”
  7. Omnibus – Fail. Most web hosting providers do not even know what a HIPAA BAA would require them to do. Many of the remaining web hosts know that they cannot both sign such an agreement and live up to its requirements without completely changing how their business works and their prices.

Suppose you have a basic website that has never explicitly been updated for HIPAA and contains protected patient data. In that case, you can be almost sure that it is not compliant and needs attention. If you plan to expand your site to include protected patient data, be sure that whoever does it for you is familiar with the requirements you need to meet.

So, how do I make sure my website is HIPAA-compliant?

Many steps can and should be taken to turn your basic website into a HIPAA-compliant one. What works for you will depend upon precisely what you are trying to accomplish with your site and how protected health information is present and transmitted. Below, we discuss the seven most common cases that we encounter.

  1. Transmission Encryption: PHI is always encrypted when transmitted over the internet. The first step is to ensure that you have a secure website (i.e., one protected by SSL and accessed via HTTPS://). Any page that collects or displays protected health information, logs users in, transmits authorization cookies, etc., must be protected by SSL. It should not be accessible insecurely (i.e., there should not be an alternate insecure version of the same page that people can access). SSL can meet HIPAA’s data transmission security requirement in terms of communications between the end-user and your website. However, your SSL configuration must be strong enough to prevent methods of encryption that are “too weak;” it is up to your web host to be sure that this is the case. (See: What level of SSL or TLS is Required by HIPAA?) Next, what if the end-user submits PHI collected on your website, and then your website transmits that data elsewhere or stores it? This process must also be HIPAA-compliant. We will discuss this below, as it is one of the hardest things to do and still be compliant.
  2. Backup: Data is not lost; it is backed up and can be recovered. You must be sure that all PHI stored with your website or collected from your website is backed up and can be recovered in case of an emergency or accidental deletion. Most web hosts provide this service for information stored on their servers. If your site sends information elsewhere (for example, via email), those messages must also be backed up or archived. You must ensure that those backups are robust, available, and accessible only by authorized people. Note that the PHI stored in backups must also be protected in a HIPAA-compliant way — with security, authorization controls, etc.
  3. Authorization: Data is only accessible by authorized personnel using unique, audited access controls. Who can access the protected health information on your website? Your web hosting provider probably can. Are they a trusted HIPAA Business Associate with a privacy agreement? If the site collects health information and sends it to you or others, knowing who can access those messages is essential. Anyone with access to your email or the messaging system? Are they all trusted and “in the loop”? If your website stores or provides access to PHI, does your website enforce unique, secure logins which ensure that only authorized / appropriate people can access that data? Are these logins and the data accesses audited? This will be up to your website designers to set up correctly for you.
  4. Integrity: PHI is not tampered with or altered. Unless the information you collect and store is encrypted or digitally signed, there is no way to prevent it from being tampered with or to verify whether tampering has happened. It is up to your organization to decide whether to tamper-proof your data and how to accomplish that. Generally, PGP, SSL, or AES encryption of stored data can accomplish this and address the next point.
  5. Storage Encryption: Data is encrypted if it is being stored or archived. It is up to your organization to determine whether this is needed, though it is highly recommended. If storage encryption is necessary, you need to ensure that all collected and stored protected health information is encrypted and that it can only be accessed/decrypted by people with the appropriate keys. This makes backups secure, protects data from access by unauthorized people, and generally protects the data no matter what happens (unless your keys are stolen). Storage encryption is essential in any scenario where the data may be backed up or placed in locations out of your control, or where you may be sharing a web server with other customers of the same web host. Should something unfortunate happen and a server become compromised, your liability is significantly limited by having the data encrypted.
  6. Disposal: Information can be permanently disposed of when needed. This sounds easy, but you have to consider all places where the data could be backed up and archived. You need to ensure that all of those backups will expire and disappear. Consider that every location that the information touches could be making backups and saving copies of your data. It certainly helps if the data is encrypted in the backup, but if the backup is there and the keys to open the data exist, it is not really “disposed of.” You must determine how far you need to go to ensure data disposal is HIPAA-compliant. It is up to the folks managing your servers to ensure that the media (e.g., the hard drives) containing PHI are appropriately disposed of when you are no longer using them.
  7. Business Associates: You must have a HIPAA Business Associate Agreement with every vendor that touches your PHI. If your website or data is located on a vendor’s servers, then HIPAA (first HITECH and then Omnibus) requires that you have a signed Business Associate Agreement with them. This agreement ensures that the vendor will follow the HIPAA security rule requirements concerning your data and its servers. Note that websites are complex beasts, and no web hosting provider will be policing your website functionality and content — they can’t. Instead, they will be providing an “infrastructure” that meets HIPAA compliance requirements, and they will require you to design and manage your website so that its functionality is HIPAA-compliant. Choosing a provider will not make your website HIPAA-compliant unless you and your designers ALSO take all of the steps to ensure that its design and functionality are compliant. This is universal unless you buy a pre-designed website that is entirely under the host’s control.
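
Point 1 above (strong TLS only, and no insecure copy of any page) expressed as a Go web server's settings, added here as an example and not code from the article or from LuxSci: TLS 1.2 is the floor with forward-secret AEAD suites, port 80 does nothing but redirect, and an HSTS header (an addition beyond the text) keeps browsers on HTTPS. The certificate and key file names are placeholders.

```go
package main

import (
	"crypto/tls"
	"net/http"
)

// TLSConfig returns the server-side TLS settings: TLS 1.2 is the floor
// (SSLv3, TLS 1.0 and TLS 1.1 are refused) and, for TLS 1.2, only
// forward-secret AEAD suites are offered. TLS 1.3 suites are fixed by Go.
func TLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// RedirectToHTTPS answers every plain-HTTP request with a permanent redirect
// to the same path on HTTPS, so there is no insecure version of any page.
func RedirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// WithHSTS adds Strict-Transport-Security so a browser that has seen the
// site once keeps using HTTPS even when a user types a plain http:// link.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/intake", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("patient intake form (served over TLS only)"))
	})
	go http.ListenAndServe(":80", http.HandlerFunc(RedirectToHTTPS))
	srv := &http.Server{Addr: ":443", Handler: WithHSTS(mux), TLSConfig: TLSConfig()}
	// cert.pem / key.pem are placeholders for the site's real certificate and key.
	srv.ListenAndServeTLS("cert.pem", "key.pem")
}
```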

So, there are many things to do, and a lot of it is “up to you.” Of course, just because you are on the “honor system” doesn’t mean that you can make whatever choice you feel like. If you make a poor choice and something terrible happens, or if you are audited, you will be found willfully negligent (ignorance is not an excuse here). You have to carefully consider what is necessary and appropriate to suitably protect health information and the privacy of your users, based on your website application and how the patient data is used and transmitted.

Collecting health information from people

Many doctors and medical practices like to use online tools to collect patient information on their websites so that they can:

  • Sign up new patients
  • Schedule appointments
  • Make diagnoses and recommendations about medical situations
  • Get into digital prescriptions

Securing the transmission of the information from the patient to the website is pretty straightforward (it’s #1 — use a website secured with SSL). However, what do you do with that information? Common solutions include:

  1. Store it in files on the web server to download later
  2. Store it in a database for download or remote access
  3. Email it to someone

The third option is the most popular choice because it is the easiest and requires the least additional software or infrastructure. Everyone already uses email. It also opens a whole can of worms: how do you make the email component HIPAA-compliant?

1. Storing the data in files requires that:

  • The website encrypts the files
  • Someone downloads the files over a secure channel (e.g., SFTP)
  • The website owner gets notified via an email that a new file is waiting
  • Backup and disposal are taken care of
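
The encryption that the file-storage option requires (and the integrity and storage-encryption points 4 and 5 of the previous section) shown in Go with AES-256-GCM, an added example that is not the article's or LuxSci's code: each submission is sealed under a key that is assumed to come from a KMS/HSM, and any byte changed on disk or in a backup makes the record refuse to open. The submission ID and form text are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) { // AES-256-GCM from a 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSubmission encrypts one submission and returns nonce || ciphertext || tag.
// The tag also covers the submission ID (authenticated, not encrypted), so a
// record altered on disk or swapped for another patient's fails to open later.
func SealSubmission(key, submissionID, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, submissionID), nil
}

// OpenSubmission decrypts a sealed record; any change to it or to the ID is an error, not data.
func OpenSubmission(key, submissionID, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() { // gcm.Open would panic on a short nonce
		return nil, errors.New("stored record shorter than a nonce")
	}
	return gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], submissionID)
}
func main() {
	key := make([]byte, 32)
	rand.Read(key) // production: key comes from a KMS/HSM, never stored beside the files
	sealed, _ := SealSubmission(key, []byte("intake-0001"), []byte("name=J. Doe")) // constructed sample
	_, err := OpenSubmission(key, []byte("intake-0001"), sealed)
	println("record opens:", err == nil)
}
```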

2. Storing the data in a database allows you to write software for remote access and management of that information, however:

  • Transmission to and from the database needs to be secure.
  • The software that provides management access must be secure and meet all sorts of HIPAA requirements regarding access control and auditing.
  • Issues regarding encryption keys and database secure storage must be addressed.

So, Option 1 is easy but requires more technical knowledge from the users and puts the onus of backup and disposal on them. Option 2 is better and allows more flexibility, usability, control, and centralization of the data into one place. However, Option 2 is more technically complex and requires more cost and effort to implement correctly. Option 3 is easy, but how do you make the email HIPAA-compliant?

Securing data emailed from your website forms

The ideal procedure for securing your emailed data is basically as follows:

  • Your secure website encrypts the submitted data (using PGP or S/MIME, TLS, or a secure web-based email pickup solution) such that only one or a few of your employees can open it.
  • This data is emailed to recipients and “forgotten” by the website (or an encrypted copy is stored on the site if you prefer).
  • The recipients receive the data and store it on their email server (still encrypted unless TLS was used for delivery).
  • The recipients can access these messages securely (over SSL) and decrypt the data either in their email program or on a Web-based interface that supports decryption.
  • The email provider takes care of backups.
  • Deleted messages will expire from backups after a while (get a signed statement saying this from them, if you like).
  • Keep copies of encrypted messages on the server instead of downloading them, so that you are not left responsible for backing them up and they remain stored in one central location.

Make your Web Forms HIPAA-compliant Quickly

LuxSci’s Secure Form service allows users to collect data from web (and PDF) forms and deliver it to you via email, secure FTP, or database in an automatically HIPAA-compliant way, without requiring any programming on your part.

Further Reading: