Whether you are a pediatrician, an emergency room doctor, or a psychologist, collecting patient information through an online form is more efficient than using paper forms.
And amid the COVID-19 pandemic, it’s also a lot safer to have patients fill out forms through their phone or laptop instead of filling out paper forms using shared pens and clipboards that may have lingering germs.
However, online forms carry their own unique risks and challenges, mainly related to HIPAA compliance.
Congress passed The Health Insurance Portability and Accountability Act (HIPAA) in 1996 as a way to regulate and secure sensitive personal health information.
This means that both your online form as well as your hosting platform must be fully HIPAA compliant.
In this post, we’re sharing some tips to help you find the best hosting platform for your HIPAA-compliant forms.
What’s a HIPAA-Compliant Form?
Before you dive into the key considerations for choosing the right hosting platform, it’s important to define what a HIPAA-compliant form is.
You can create, collect, and store sensitive patient information through an online or mobile HIPAA-compliant form.
These forms range from new patient registrations, health consent forms, medical history forms, and online bill payments to prescription refill requests, medical record releases, incident reports, and patient feedback surveys.
HIPAA-compliant platforms, such as JotForm, make it easy to set up a new form (often in a matter of a few minutes) and collect this information.
For example, if you are a psychologist, you could use JotForm to create a contact form that allows new patients to book their first appointment right on your website. The confirmation screen could then take them to a new patient onboarding form that asks questions about their medical and mental health history.
This process is way more efficient for patients than having to call to schedule their first appointment and then spending 10–15 minutes of the appointment filling out countless forms.
What’s a HIPAA-Compliant Hosting Platform?
The other critical part of this process is your hosting provider. This is where your website and all electronic records are stored.
The key factors to consider when evaluating hosting platforms
You can never be too careful when choosing and vetting your hosting platform.
Here is a checklist of things to look for when evaluating providers.
- Does it have a secure private hosted environment? In order to be HIPAA compliant, you need to be on secure and private server. You need to have control over the server and ensure it has dedicated resources available and reserved for your exclusive use.
- Does the platform provide encrypted VPNs and firewalls? There are actually three types of firewalls: hardware, software, and web applications. Many companies have been fined for HIPAA violations because they have necessary firewalls in place for their software but forget about the one-off Chrome plug-in they built to handle a specific process six months ago. Most importantly, is the firewall configured properly? Atlantic.Net engineers can help not only choose the right firewall and encryption, but also set it up properly.
- Does the company have multifactor authentication (aka MFA) in place? This ultimately boils down to having at least two ways to verify someone’s identity, such as a code sent to a user’s phone or email address after they enter their username and password.
- Does the provider have all of the proper technical, physical, and administrative safeguards and protocols in place to prevent improper access to personal health records or sensitive data? Make sure the data is fully encrypted and secure. This means having secure, thoroughly documented processes in place with data logs available. Making sure your provider is HIPAA and HITECH audited will go a long way. SOC certifications are also a helpful way to ensure you are hosting on the right infrastructure.
- Does the company limit and enforce who has access to their physical offices and facilities? This relates to the point above. Does your hosting provider have processes in place to ensure that only authorized employees and personnel can enter their offices, including having to key in to get access? After all, what good are proper electronic protocols if anyone can enter the building and potentially access sensitive information?
- Does the provider have fast, friendly, and helpful customer support? If you have a question, or in the event something breaks, you’ll need help immediately. Do you have confidence that they will respond quickly and work with you to resolve the issue efficiently? For example, is customer service always available via phone or email?
- Does the company have an extensive disaster recovery plan, including off-site backups? There is the old adage “Hope for the best, but plan for the worst.” When dealing with sensitive patient information, you need to have mountains of contingency plans, including multiple, offsite backups. These contingency plans range from protecting any hackers to how to respond if a tornado levels one of your offices in Kansas.
- Will the provider sign a Business Associates Agreement (BAA)? This agreement clearly outlines the specific roles and responsibilities of the hosting platform for maintaining HIPAA compliance.
- How long has the platform been HIPAA compliant, and has it ever run into issues? A good starting point is to see if they’ve ever been fined for a HIPAA compliance violation.
There is one big caveat to all of this.
You can do your due diligence and thoroughly vet your HIPAA-compliant hosting provider and still run into compliance issues down the line.
Let’s look at an example.
HIPAA compliance is often compared to driving a car. If you have a valid driver’s license and insurance, the state says you are allowed to drive.
However, if you decide to have a few cocktails, get behind the wheel, and crash into a tree, you are no longer compliant and will likely end up with hefty medical and legal bills from your DUI and emergency room visit.
The same principles apply to your hosting provider. They could be fully compliant. However, if your dev-ops team makes a mistake and forgets to properly secure a Chrome plug-in (which is easy to do), you will no longer be compliant.
The consequences for a HIPAA compliance violation can be steep, ranging from a few thousand dollars to jail time for malicious or particularly egregious offenses.
There are a lot of factors to consider when it comes to proper HIPAA compliance. The consequences of getting it wrong can be dire. Make sure to do your due diligence upfront when choosing a hosting platform. It is always best practice to focus on your core business and let the experts take care of HIPAA compliance. If you’re in the market for fast compliance, consider trying Atlantic.Net with a free HIPAA trial or call one of our engineers to get a custom solution built for you.