What Is a HIPAA-Compliant Website?

A HIPAA-compliant website protects Protected Health Information (PHI) from unauthorized access through security and privacy controls. This includes websites that collect, store, or transfer PHI, such as patient portals or logins.

Any website that handles electronic patient information must adhere to the Health Insurance Portability and Accountability Act (HIPAA) standards to prevent data breaches. Websites that are only used to promote a business, such as providing contact information or hours, do not fall under HIPAA regulations.

The HIPAA legislation demands that any website handling electronic patient data via a web server must comply with the physical, technical, and administrative safeguards of HIPAA.

The bottom line is that you need a compliant site if you are collecting PHI (protected health information), and that means any individually identifiable healthcare information collected during the provision of healthcare.

Does Your Website Need to Comply with HIPAA?

Definition of Protected Health Information (PHI)

According to the HIPAA regulation, Protected Health Information (PHI) includes any information that can be used to identify a patient and is related to their health condition, healthcare provision, or payment for healthcare. This includes data that healthcare providers, health plans, healthcare clearinghouses, or any business associates collect or manage during the course of healthcare operations.

Under HIPAA, PHI is classified into 18 distinct identifiers, such as names, geographic data smaller than a state, elements of dates (except year) related to an individual, phone numbers, and email addresses. Additionally, any unique identifying number, characteristic, or code is considered PHI when linked with an individual’s health information.

Any website or web application that collects, stores, or transmits PHI could be covered by the HIPAA regulation.

Which Organizations and Websites are Covered by the HIPAA Regulation

It’s important to consult a legal expert to determine if your organization and its website are covered by HIPAA. Generally speaking, the following organizations are subject to the regulation:

  • Healthcare providers: This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that transmit any health information in electronic form in connection with a HIPAA transaction.
  • Health plans: This includes health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans’ healthcare programs.
  • Healthcare clearinghouses: Entities that process nonstandard health information they receive from another entity into a standard format (or vice versa).
  • Business associates: Any organization or person working with or providing services to a covered entity that involves the use or disclosure of PHI. This includes entities such as billing companies, third-party consultants, IT service providers, and cloud storage providers.

HIPAA Compliant Website Video

HIPAA Compliant Website Checklist

What Is Needed to Make Your Website HIPAA Compliant?

Below you can find our 10-step checklist to make your website HIPAA compliant, which includes steps like identifying PHI, applying SSL encryption, and signing business associate agreements (BAAs).

The easiest way to achieve HIPAA compliance is to outsource this responsibility to a hosting provider that specializes in HIPAA-compliant hosting. Atlantic.Net is a leading provider that specializes in HIPAA-compliant web hosting. Atlantic.Net provides dedicated, HIPAA-compliant web servers running Apache, Nginx, or Microsoft IIS, as well as a one-click WordPress cloud solution.

Here are key HIPAA compliance concerns that should guide your efforts:

  1. Privacy Rule
  2. Security Rule
  3. SSL encryption
  4. HIPAA-compliant website platform
  5. Business associate agreements
  6. Healthcare focus of infrastructure
  7. Security of data center & auditing
  8. Offsite CDP backups
  9. Managed multi-factor authentication
  10. Managed firewall

1. Adhere to the Privacy Rule

The HIPAA Privacy Rule applies to all healthcare providers, plans, and clearinghouses, as well as to their business associates (any organizations handling health information on their behalf).

What Is the Privacy Rule?

The Privacy Rule mandates that there should be protections in place to safeguard the privacy of health information. The rule also establishes rights that patients have related to their information, such as the right to get a copy of health information and to review it, as well as to ask for corrections.

What Is Protected Health Information (PHI)?

PHI is any personally identifiable material that directly relates to patients’ healthcare. Any statistics collected on contact forms that are anonymized are out of HIPAA compliance scope and not considered PHI.

Examples of PHI

Here are some examples of information collected for physician medical records where HIPAA regulations apply and HIPAA-compliant web forms/contact forms would be necessary:

  • Any part of a name;
  • Any location information that is more specific than the state, such as a street address, town, or county
  • The months and days of any patient services or events (birthdate, date of treatment, etc.), although the year is unprotected.
  • Any email addresses, telephone or fax numbers belonging to the patient;
  • Social Security numbers;
  • The number identifying the record;
  • Numbers associated with health insurance or plans;
  • The ID number for the account;
  • Numbers associated with state registrations or licenses;
  • Car tags or vehicle identification numbers;
  • Any data related to particular computers, including serial numbers;
  • URLs specific to individual patients;
  • IP’s of patient devices;
  • Anything classifiable as biometric and that identifies the individual, such as a fingerprint;
  • Photographs in which the person’s face is visible; and
  • Any other features or numbers that directly relate to the patient.

2. Adhere to the Security Rule

The HIPAA Security Rule creates national standards to safeguard health information in electronic form, whether an organization is producing, receiving, sending, or storing it.

It requires the adoption of “reasonable and appropriate” technical, physical, and administrative safeguards, so organizations can protect the security, integrity, and confidentiality of ePHI in a HIPAA-compliant manner. The easiest way for covered entities with a website to achieve compliance with the security rule is to use HIPAA-compliant website hosting providers (see section 4 below).

3. Implement SSL Certificate Encryption (TLS)

You must implement a secure sockets layer (SSL) [TLS] encryption certificate for your website, transitioning from HTTP to the secure HTTPS protocol. This protocol encrypts all data that is in motion between the client device and the server.

Web developers should know how to install SSL certificates, but you can also work with your hosting provider on SSL-encrypting your site.

4. Use a HIPAA-Compliant Platform and HIPAA-Compliant Web Forms

To make sure your website is HIPAA-compliant, you must utilize a compliant content management platform and HIPAA-compliant web forms. No platform is inherently HIPAA-compliant, but some platforms are HIPAA-compliant when the proper procedures and safeguards are in place. For example, Atlantic.net can help you set up a HIPAA-compliant WordPress instance.

For a compliant environment, think about how people will use your site. The ways that patients can use HIPAA-compliant websites inform the types of security measures needed. The concern is specifically related to ePHI – whether your organization is creating, transmitting, receiving, or maintaining it.

If you are collecting information through forms on your site, you will need to ensure all that data is protected per HIPAA regulations. Any form collecting health data should protect the information under HIPAA regulations for safeguarding ePHI; the form must defend any identifiable health information against unauthorized access and potential data breaches. Read our list of the top HIPAA-compliant form tools here.

5. Sign a Business Associate Agreement

If you are going to work with any outside providers or businesses on any aspect of your site that involves the handling of ePHI, you need to sign a business associate agreement (BAA) with them. To meet HIPAA compliance rules, you must verify all health data that you store and that it is sent through your site securely (whether at rest or transmitting PHI in transit).

Be aware that your website developer is a direct business associate, but they will in turn have subcontractor business associates who independently perform services for them. Confirm that the website designer has BAAs with each of its third-party subcontractors – so that all applicable parties are included within HIPAA compliance upfront. Failure to identify business associates is no defense and led to a $1.5 million HHS fine in one case.

6. Select a Healthcare-Specific Infrastructure or Host

For organizations that handle individually identifiable medical information, choosing the right host for your ePHI is an important step. You need a hosting provider that is dedicated to following the Privacy Rule and Security Rule, and that has technical, administrative, and physical safeguards in place to protect PHI.

Atlantic.Net is a leading provider of HIPAA-compliant hosting services.

7. Select a Regularly Audited Secure HIPAA Data Center

Determine whether your host is secure and audited according to the appropriate HIPAA guidelines. One thing you can do to get a better sense of a host’s security stance is to look beyond those healthcare law certifications to an audit based on the insight of the American Institute for Certified Public Accountants (AICPA), Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16), SOC 2 and SOC 3.

Atlantic.net provides its services within a HIPAA-compliant data center.

8. Perform Regular Off-Site Backups

It is best practice to have a replicated offsite copy of the daily backups of your IT infrastructure for business continuity and disaster recovery capabilities, and this is also true for HIPAA-compliant websites.

At Atlantic.net, we can back up your website data to any of our eight data center locations. Replicated offsite backups are easily retrievable and you can quickly and easily restore them when needed.  Custom retention periods and backup frequency are available such as 5 minutes, 15 minutes, and hourly backups.

What About Onsite Backups?

Onsite backups using the ACP Onsite Backup solution create daily backups of your required servers and store the data geographically locally in a protected secured area. These backups are easily retrievable and if a restore is needed, the process is incredibly quick.  Custom retention periods and backup frequency are available such as 5 minutes, 15 minutes, and hourly backups.

9. Implement Multi-Factor Authentication

You want a managed multi-factor authentication access system that is available through one sign-on. The system should perform diagnostics on devices to ensure their health. Infected and high-risk devices can be blocked via scanning for outdated applications and enforcing security controls.

10. Implement a Managed Firewall

A strong managed firewall will include powerful security response, routine device health checks, log monitoring, and control of network ingress and egress points. The system should include load balancing, redundancy via a secondary firewall, global blacklisting, virtual private network (VPN) connectivity, stateful filtering, monitoring, reporting, and management of router IP addresses.

Your HIPAA-Compliant Website

Many organizations work with third parties on their data systems, particularly if they are in rigorously controlled sectors such as healthcare. Contracting with outside organizations is not simply a way to push away off-focus work; it is also a way to tap expertise that is not present in-house. When you need a healthcare website, work with organizations that are HIPAA and HITECH certified, as well as SOC 2 and SOC 3 audited, so that they are prepared to meet their obligations to the Department of Health and Human Services. See our HIPAA-compliant web hosting solutions.

Get Help with Your Website to Make It HIPAA Compliant

Atlantic.Net can help make your website HIPAA-compliant with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, call 888-618-DATA (3282), or email us at [email protected].

Read More About HIPAA Compliant Hosting