Atlantic.Net Blog

How to Make a HIPAA-Compliant Website: 2023 Guide

September 11, 2023 by ( 162 ) under HIPAA Compliant Hosting

0 Comments

The rules and requirements of HIPAA-compliant website hosting are far-reaching and often difficult to understand. One of the most common questions we are asked by healthcare providers and clients is if their websites, web forms, and web hosts are HIPAA-compliant.

In This Article

When Does a Website Need to Meet HIPAA (Health Insurance Portability and Accountability Act) Standards?

Any website that handles electronic patient information must adhere to the healthcare industry’s HIPAA-compliant website standards to prevent data breaches.

Legislation demands that any website handling electronic patient data via a web server must comply with the physical, technical, and administrative safeguards of HIPAA.

Many organizations and healthcare providers are still unsure what rules in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are necessary to follow when it comes to HIPAA-compliant websites.

Our healthcare team has put together this Q&A to help you determine what controls need to be considered as part of your website design.

The bottom line is that you need a compliant site if you are collecting PHI (protected health information), and that means any individually identifiable healthcare information collected during the provision of healthcare.

Is It Possible To Have a HIPAA-Compliant Website?

If you are handling electronic protected health information, you must ensure that your website is HIPAA compliant.

By implementing the necessary administrative, physical, and technical safeguards under HIPAA rules, it is possible to produce a website that complies fully with HIPAA guidelines.

How Do I Ensure My Website Meets the Department of Health and Human Services’ HIPAA Regulations?

When a website is used to store or transmit PHI, it must comply fully with HIPAA regulations. To create a HIPAA-compliant website design, healthcare organizations should consider the following HIPAA website basics:

  • Securing the website using an SSL certificate
  • Encrypting all web forms
  • Using HIPAA-compliant email encryption
  • Ensuring that third-party service providers sign a HIPAA business associate agreement (BAA)
  • Working with HIPAA-compliant web hosting providers for security needs
  • Implementing secure user authentication with multi-factor authentication
  • Ensuring the backup, restoration, and deletion of PHI

So you want a HIPAA-compliant website? It may sound easy to do, but as with most things that involve HIPAA compliance rules, it is a lot harder than it might seem at first.

The easiest way is to outsource this responsibility to a hosting provider that specializes in HIPAA-Compliant web hosting. Atlantic.Net’s engineers are the experts at this.

You may wish to choose a dedicated web server running Apache, Nginx, or Microsoft IIS, or you may opt for our one-click WordPress cloud solutions. Below, we explore the key considerations for your website in our HIPAA-compliant website checklist.

HIPAA Compliant Website Checklist & Guide

Here are key HIPAA compliance concerns that should guide your efforts:

  1. Privacy Rule
  2. Security Rule
  3. SSL encryption
  4. HIPAA-compliant website platform
  5. Business associate agreements
  6. Healthcare focus of infrastructure
  7. Security of data center & auditing
  8. Offsite CDP backups
  9. Managed multi-factor authentication
  10. Managed firewall

1. Adhere to the Privacy Rule

You must know the Privacy Rule well as it is a cornerstone of HIPAA website compliance. The Privacy Rule applies to all healthcare providers, plans, and clearinghouses, as well as to their business associates (any organizations handling health information on their behalf).

What Is the Privacy Rule?

The Privacy Rule mandates that there should be protections in place to safeguard the privacy of health information. The rule also establishes rights that patients have related to their information, such as the right to get a copy of health information and to review it, as well as to ask for corrections.

What Is Protected Health Information (PHI)?

PHI is any personally identifiable material that directly relates to patients’ healthcare. Any statistics collected on contact forms that are anonymized are out of HIPAA compliance scope and not considered PHI. Here are some examples of information collected for physician medical records where HIPAA regulations apply and HIPAA-compliant web forms/contact forms would be necessary:

  • Any part of a name;
  • Any location information that is more specific than the state, such as a street address, town, or county (however, there is an exception: you can use the first three numbers within a ZIP Code if “[t]he geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people” or if you replace the first three digits with 000);
  • The months and days of any patient services or events (birthdate, date of treatment, etc.), although the year is unprotected. Specifically, any data showing that someone is 90 years or older is considered an identifier unless it is brought together under the single heading of 90 and above;
  • Any telephone numbers belonging to the patient;
  • Any patient fax numbers;
  • Email addresses;
  • Social Security numbers;
  • The number identifying the record;
  • Numbers associated with health insurance or plans;
  • The ID number for the account;
  • Numbers associated with state registrations or licenses;
  • Car tags or vehicle identification numbers;
  • Any data related to particular computers, including serial numbers;
  • URLs specific to individual patients;
  • IP’s of patient devices;
  • Anything classifiable as biometric and that identifies the individual, such as a fingerprint;
  • Photographs in which the person’s face is visible; and
  • Any other features or numbers that directly relate to the patient.

2. Adhere to the Security Rule

Understand the Security Rule. The HIPAA Security Rule is an implementation of the Privacy Rule.

What Is the Security Rule?

The HIPAA Security Rule creates national standards to safeguard health information in electronic form, whether an organization is producing, receiving, sending, or storing it.

It requires the adoption of “reasonable and appropriate” technical, physical, and administrative safeguards, so organizations can protect the security, integrity, and confidentiality of ePHI in a HIPAA-compliant manner. The easiest way for covered entities with a website to achieve compliance with the security rule is to research HIPAA-compliant website hosting providers.

3. Implement SSL Certificate Encryption (TLS)

Yes, you must implement a secure sockets layer (SSL) [TLS] encryption certificate for your website, transitioning from HTTP to the secure HTTPS protocol. This protocol encrypts all data that is in motion between the client device and the server.

Web designers should know how to install SSL certificates, but you can always work with your service providers on SSL-encrypting your site since it involves a (relatively simple) server installation.

 4. Use a HIPAA-Compliant Platform and HIPAA-Compliant Web Forms

To make sure your website is HIPAA-compliant, you must utilize a compliant platform and HIPAA-compliant web forms. No platform is inherently HIPAA-compliant, but some platforms have the capability of being HIPAA-compliant when the proper procedures and safeguards are in place.

For a compliant environment, think about how people will use your site. The ways that patients can use HIPAA-compliant websites informs the types of security measures needed. The concern is specifically related to ePHI – whether your organization is creating, transmitting, receiving, or maintaining it.

If you are collecting information through forms on your site, you will need to ensure all that data is protected per HIPAA regulations. Any form collecting health data should protect the information under HIPAA regulations for safeguarding ePHI; the form must defend any individually identifiable health information against unauthorized access and potential data breaches. Read our list of the top HIPAA-compliant form tools here.

5. Sign a Business Associate Agreement

If you are going to work with any outside providers or businesses on any aspect of your site that involves the handling of ePHI, you need to sign a business associate agreement (BAA) with them. To meet HIPAA compliance rules, you must verify all health data that you store and that it is sent through your site securely (whether at rest or transmitting PHI in transit).

Be aware that your website designer is a direct business associate, but they will in turn have subcontractor business associates who independently perform services for them. Confirm that the website designer has BAAs with each of its third-party subcontractors – so that all applicable parties are included within HIPAA compliance upfront. Push your business associates, but it is also in their best interests. Failure to identify business associates is no defense and in one case led to a $1.5 million HHS fine.

6. Select a Healthcare-Specific Infrastructure or Host

Finding a strong hosting plan for your site is challenging for any business. For organizations that handle individually identifiable medical information, choosing the right host for your ePHI is an important first step. You need one that is as dedicated to following the Privacy Rule and Security Rule as you are – and that has technical, administrative, and physical safeguards installed that prove its commitment to safeguarding protected health information.

To get started, ask yourself the question: Can my hosting provider offer a HIPAA-compliant website that is certified to meet the necessary safeguards of HIPAA and the Health Information for Economic and Clinical Health Act (HITECH) of 2009?

7. Select a Regularly Audited Secure HIPAA Data Center

Determine whether your host is secure and audited according to the appropriate HIPAA guidelines. One thing you can do to get a better sense of a host’s security stance is to look beyond those healthcare law certifications to an audit based on the insight of the American Institute for Certified Public Accountants (AICPA), Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16), SOC 2 and SOC 3.

8. Set Regular Off-Site Backups

It is best practice to have a replicated offsite copy of your daily backups of your IT infrastructure for business continuity and disaster recovery capabilities, and this is also true for HIPAA-compliant websites. We can copy your backup data to any of our seven data center locations. Replicated offsite backups are easily retrievable and if a restore is needed, the process is incredibly quick and can be completed in any of our hosting locations.  Custom retention periods and backup frequency are available such as 5 minutes, 15 minutes, and hourly backups.

What About Onsite Backups?

Onsite backups using the ACP Onsite Backup solution create daily backups of your required servers and stores the data geographically local in a protected secured area. These backups are easily retrievable and if a restore is needed, the process is incredibly quick.  Custom retention periods and backup frequency are available such as 5 minutes, 15 minutes, and hourly backups.

9. Implement Multi-Factor Authentication

You want a managed multi-factor authentication access system that is available through one sign-on. The system should perform diagnostics on devices to ensure their health. Infected and high-risk devices can be blocked via scanning for outdated applications and enforcing security controls.

10. Implement a Managed Firewall

A strong managed firewall will include powerful security response, routine device health checks, log monitoring, and control of network ingress and egress points. The system should include load balancing, redundancy via a secondary firewall, global blacklisting, virtual private network (VPN) connectivity, stateful filtering, monitoring, and reporting.

 

Your HIPAA-Compliant Website

Many organizations work with third parties on their data systems, particularly if they are in rigorously controlled sectors such as healthcare. Contracting with outside organizations is not simply a way to push away off-focus work; it is also a way to tap expertise that is not present in-house. When you need a healthcare website, work with organizations that are HIPAA and HITECH certified, as well as SOC 2 and SOC 3 audited, so that they are prepared to meet their obligations to the Department of Health and Human Services. See our HIPAA-compliant web hosting solutions.

Read More About HIPAA Compliant Hosting

Start Your HIPAA Project with a Free Fully Audited HIPAA Platform Trial!

HIPAA Compliant Compute & Storage, Encrypted VPN, Security Firewall, BAA, Offsite Backups, Disaster Recovery, & More!

Start My Free Trial

Looking for a Hosting Solution?

We Provide Cloud, Dedicated, & Colocation.

  • Seven Global Data Center Locations.
  • Flexible Private, Public, & Hybrid Hosting.
  • 24x7x365 Security, Support, & Monitoring.
Contact Us Now!

Get started with 12 months of free cloud VPS hosting

Free Tier includes:
G3.2GB Cloud VPS Server Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year

Get a Free-to-Use Cloud VPS