The Basics of Building a HIPAA-Compliant Website
Any business defined as a “covered entity” or a “business associate” by the Health Insurance Portability and Accountability Act (HIPAA) must ensure its website is compliant with the act's security standards.
But what does it take to build a HIPAA-compliant site?
A Brief History of HIPAA
The U.S. government introduced HIPAA back in 1996. Central to the act were provisions for American workers to transfer healthcare coverage, standards for electronic billing and steps for the secure handling of any protected health information (PHI). In 2009, as part of the American Recovery and Reinvestment Act (ARRA), the Health Information Technology for Economic and Clinical Health (HITECH) Act was introduced. This act provided incentives for health companies to become “meaningful users of certified Electronic Health Records (EHRs),” according to HealthIT.gov. To ensure that HIPAA standards kept pace, the HIPAA omnibus rule was released in January 2013.
Under HIPAA, any company considered a covered entity — which includes healthcare providers, health plans and healthcare clearinghouses — must comply with the act's Security Rule. This rule includes a section on technical safeguards, such as access control for electronic personal health information (e-PHI), integrity controls to ensure no data is improperly stored and transmission security controls to encrypt transferred data.
The HIPPA omnibus rule, also called HIPAA 2.0 by the American Medical Association, expanded the security rule to include direct liability for business associates of covered entities — which means your website must comply with HIPAA security standards if your company has contracts with any healthcare provider or health plan.
HIPAA Compliance by Design
Building a HIPAA-compliant website means making e-PHI security a top priority. This starts with technologies like secure socket layer (SSL) protection. Many websites use SSL on only some of their pages to save time and improve performance. But if the site undergoes a redesign, and patient-information portals are moved to a non-SSL page, this may be considered a breach of HIPAA standards. Access to admin-level information must also be restricted to necessary personnel, and passwords must be regularly changed, since government audits are common.
In addition, any email containing e-PHI must be encrypted at both ends. If an email leaves the company network properly secured but is accessed using an insecure account, a HIPAA breach is possible. Ideally, any email accounts attached to a website should send patients a notification only, prompting them to log in and access their e-PHI via a secure server. Data archiving is also critical. Many reputable web hosting companies offer access to compliant archiving services, such as secure Microsoft Exchange Email servers.
Experts point to several key areas prone to accidental violation. Marion Jenkins of healthcare IT services company 3t Systems notes in a Physicians Practice article that many companies violate the security rule by downloading information from secure websites onto local computers for day-to-day use. Always keep this information encrypted and off local desktops. And Adam H. Greene of law firm Davis Wright Tremaine notes that mobile is also an issue; companies often forget to encrypt data before sending it to a mobile app or have not properly vetted their application to ensure it meets HIPAA standards for detecting potential security breaches.
HIPPA-Compliant Security Starting Points
Looking for compliant websites as a reference point? Try Johns Hopkins Medicine. Their HIPAA information page gives some idea of the steps they've taken to ensure compliance. Or consider this document from leading health-insurance provider Kaiser Permanente, which compares meeting new HIPAA requirements with changing the tire on a moving car.
It's also worth taking a close look at your own business to determine whether compliance is necessary. The healthcare.gov site, for example, seems like a shoe-in for HIPAA standards but doesn't actually fall under the definition of covered entity or business associate; therefore it isn't required to comply.
The new HIPAA omnibus rule increases patient access to e-PHI and casts a wider liability net for companies. Start smart: Build a website with compliance in mind.