The rules and requirements of HIPAA-compliant website hosting are far-reaching and often difficult to understand. One of the most common questions we are asked by healthcare providers and clients is whether their websites, web forms, or web host are HIPAA compliant.
Legislation demands that any website handling electronic patient data via a web server must comply with the physical, technical, and administrative safeguards of HIPAA. Any website that handles electronic patient information must adhere to the healthcare industry's HIPAA-compliant website standards to prevent data breaches.
Many organizations are still unsure which rules in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to them. Our healthcare team has put together this Q&A to help you determine what controls need to be considered as part of your website design. The bottom line is that you need a compliant site if you are collecting PHI (protected health information): individually identifiable health information, which includes the demographic, treatment, and payment details collected during the provision of healthcare whenever they can be tied to a person.
Is It Possible To Have a HIPAA-Compliant Website?
If you are handling electronic PHI, you must ensure that your website is HIPAA compliant. By implementing the necessary administrative, physical, and technical safeguards, it is possible to produce a website that complies fully with HIPAA guidelines.
How Do I Ensure My Website Is HIPAA Compliant?
When a website is used to store or transmit PHI, it must comply fully with HIPAA regulations. To create a HIPAA-compliant website, healthcare organizations should consider:
- Serving the site over HTTPS with a valid TLS (SSL) certificate
- Encrypting web form submissions in transit and wherever they are stored
- Using HIPAA-compliant email encryption for any message that carries PHI
- Ensuring that every third-party service provider that touches PHI signs a BAA
- Working with a HIPAA-compliant web hosting provider for infrastructure security
- Implementing secure user authentication with multi-factor authentication
- Ensuring the backup, restoration, and secure deletion of PHI
What Are the Key Features of a HIPAA-Compliant Website?
When designing a website for a healthcare provider, HIPAA regulations must be taken into consideration. Some of the key features of a HIPAA-compliant website include:
- Use of a TLS (SSL) certificate, with HTTPS enforced site-wide
- Encrypted web forms
- Encryption of data at rest as well as in transit
- Secure location of data and servers
- Signed BAAs with every business associate
- Secure user authentication
- Regular data backups and secure deletion of unwanted PHI
How do I make my website HIPAA compliant?
So you want a HIPAA-compliant website? It may sound easy to do, but as with most things that involve HIPAA legislation, it is a lot harder than it might seem at first. The easiest way is to outsource this responsibility to a hosting provider that specializes in HIPAA-compliant web hosting. Atlantic.Net specializes in this: you can choose a dedicated web server running Apache, Nginx, or Microsoft IIS, or opt for our one-click WordPress cloud solutions.
Top 10 Considerations to Make Your Website HIPAA Compliant
When you need HIPAA website hosting, here are key concerns that should guide your efforts:
- Privacy Rule
- Security Rule
- TLS (SSL) encryption
- HIPAA-compliant website platform
- Business associate agreements
- Healthcare focus of infrastructure
- Security of data center & auditing
- Offsite CDP backups
- Managed multi-factor authentication
- Managed firewall
1. What is the Privacy Rule?
You must know the Privacy Rule well as it is a cornerstone of HIPAA website compliance. The Privacy Rule applies to all healthcare providers, plans, and clearinghouses, as well as to their business associates (any organizations handling health information on their behalf).
The Privacy Rule mandates that there should be protections in place to safeguard the privacy of health information. The rule also establishes rights that patients have related to their information, such as the right to get a copy of health information and to review it, as well as to ask for corrections.
What is Protected Health Information (PHI)?
PHI is individually identifiable health information: any information about a patient's health condition, the care they receive, or payment for that care that identifies the patient or could reasonably be used to do so. Data that has been properly de-identified is not PHI, but "anonymized" statistics from a contact form only fall out of scope if they meet HIPAA's de-identification standard. Under the Safe Harbor method, that means removing all of the following 18 identifiers of the patient and of the patient's relatives, employers, and household members:
- Names, including any part of a name;
- Any geographic subdivision smaller than a state, such as a street address, city, county, precinct, or ZIP code (with one exception: the first three digits of a ZIP code may be kept if "[t]he geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people"; where that unit contains 20,000 or fewer people, the three digits must be changed to 000);
- All elements of dates except the year that relate directly to an individual (birth date, admission date, discharge date, date of death), and all ages over 89 together with any date elements that would reveal such an age, except that those ages and elements may be aggregated into a single category of "90 or older";
- Telephone numbers;
- Fax numbers;
- Email addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate or license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web URLs;
- IP addresses;
- Biometric identifiers, including finger and voice prints;
- Full-face photographs and any comparable images; and
- Any other unique identifying number, characteristic, or code.
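To make the Safe Harbor rules above concrete, here is an added example (not from the original article) in Python that applies them to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over are collapsed into a single category, the ZIP code is reduced to its three-digit prefix or to 000, and free text is scrubbed of the identifiers that regular expressions can catch. The record layout, the field names, the fixed "as of" date and the ZIP3 population table are assumptions made for the example; in practice the population figures come from Census data, and pattern-based scrubbing of free text is a first pass that still needs human review, not a complete de-identification.

```python
import re
from datetime import date

# Constructed population table for three-digit ZIP prefixes (illustrative numbers,
# not Census figures). Safe Harbor keeps a ZIP3 only if the area it covers has
# more than 20,000 people; otherwise the prefix must become "000".
ZIP3_POPULATION = {"100": 1_600_000, "036": 12_000, "980": 900_000}

# Fields that hold direct identifiers; these are removed outright.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
})

# Free-text patterns for identifiers that commonly leak into notes. This is a
# heuristic first pass, not proof that a note contains no identifier.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]

AS_OF = date(2024, 1, 15)  # assumed "today", so the example is reproducible

# Constructed sample record; the person and every value are fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "street": "12 Elm St", "city": "Springfield", "state": "NY", "zip": "03601",
    "birth_date": date(1930, 5, 4),
    "admit_date": date(2023, 11, 17),
    "email": "jane@example.com",
    "mrn": "MRN-0012345",
    "diagnosis": "Type 2 diabetes",
    "notes": "Call 555-123-4567 or jane@example.com; SSN 123-45-6789 on file.",
}


def safe_harbor_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the ZIP3 prefix only where its population exceeds 20,000, else 000."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return zip3 if populations.get(zip3, 0) > 20_000 else "000"


def safe_harbor_age(birth_date, as_of):
    """Age in years, with everyone 90 and over collapsed into one category."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return "90+" if years >= 90 else str(years)


def scrub_free_text(text):
    """Replace identifier-shaped substrings in notes with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record, as_of=AS_OF, populations=ZIP3_POPULATION):
    """Return a Safe Harbor view of `record`: identifiers removed, dates
    reduced to the year, ZIP generalised, age bucketed, free text scrubbed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "birth_date":
            continue  # dropped; the birth date survives only as a bucketed age
        if key == "zip":
            out[key] = safe_harbor_zip(value, populations)
        elif isinstance(value, date):
            out[key] = str(value.year)  # year is the only date element allowed
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    out["age"] = safe_harbor_age(record["birth_date"], as_of)
    return out


def deidentify_sample():
    """Run the pipeline on the constructed record."""
    return deidentify(SAMPLE_RECORD)


if __name__ == "__main__":
    print(deidentify_sample())
```

Two things worth noticing in the output: the ZIP 03601 becomes 000 because the constructed table puts its prefix under the 20,000-person threshold, and the 1930 birth date disappears entirely, surviving only as the "90+" bucket, because any date element that reveals an age over 89 is itself an identifier.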
2. What is the HIPAA Security Rule?
Understand the Security Rule. Where the Privacy Rule covers PHI in every form, the Security Rule applies specifically to PHI in electronic form (ePHI). It sets national standards for safeguarding ePHI that an organization creates, receives, transmits, or maintains.
It requires covered entities and business associates to adopt "reasonable and appropriate" administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of ePHI. For a website, the most direct route to compliance with the Security Rule is to host it with a provider that already operates those safeguards and will sign a BAA.
3. Do I need SSL certificate encryption (TLS)?
Yes. Your site must use a TLS certificate (still commonly called an SSL certificate) and serve every page over HTTPS rather than HTTP. TLS encrypts data in motion between the patient's browser and your server, so form submissions and portal sessions cannot be read or altered on the way. Redirect all HTTP requests to HTTPS so that no form is ever loaded or submitted in the clear, and do not leave the deprecated SSL 3.0, TLS 1.0 and TLS 1.1 protocol versions enabled.
Web designers should know how to install a TLS certificate, but you can always ask your hosting provider to do it, since it is a relatively simple server-side installation. What matters for compliance is that the certificate is valid, kept renewed, and enforced across the whole site.
4. Does my website platform need to be HIPAA compliant?
To make sure your website is HIPAA-Compliant, you must utilize a compliant platform. For a compliant environment, think about how people will use your site. The ways that patients can use your site will drive the need for security measures. The concern is specifically related to ePHI – whether your organization is creating, transmitting, receiving, or maintaining it.
If you are collecting information through forms on your site, you will need to ensure all that data is protected per HIPAA rules. Any form collecting health data should protect the information as it would any ePHI, defending against unauthorized access and potential data breach.
5. Do I need a Business Associate Agreement?
If any outside provider or business works on an aspect of your site that involves ePHI (hosting, design, form processing, email, or analytics that can see patient data), you must have a signed BAA with them before any PHI flows. It is also essential that you know every place health data passes through or rests as a result of your site, and that it is protected both at rest and in transit.
Be aware that your website designer is a direct business associate, and they may in turn use subcontractors who independently perform services for them; those subcontractors are business associates too. Confirm that the designer has BAAs with each of its third-party subcontractors, so that every party in the chain is covered up front. Pressing your business associates on this may feel awkward, but it is in their interest as well: failure to identify business associates is no defense, and in one case it led to a $1.5 million HHS fine.
6. Should my hosting infrastructure be healthcare-specific?
Finding a strong hosting plan for your site is challenging for any business. For organizations that handle ePHI, choosing the right host is an important early step: you need one that is as committed to the Privacy Rule and Security Rule as you are, with technical, administrative, and physical safeguards in place that demonstrate that commitment.
To get started, ask yourself: can my hosting provider offer an environment that has been independently audited against the safeguards required by HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and will it sign a BAA? Bear in mind that HHS does not certify products or hosting providers as "HIPAA compliant", so a provider's claim should be backed by third-party audit reports rather than a badge on its website.
7. Should my provider be secure and audited?
Absolutely yes. To get a better sense of a host's security posture, look beyond healthcare-specific claims to independent audits: a SOC 2 report (and the public SOC 3 summary) produced under the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16). Ask for the SOC 2 Type II report under NDA and check that its scope actually covers the systems and locations that will hold your ePHI.
8. Do I need Off-site Backups?
It is best practice to have a replicated offsite copy of your daily backups for business continuity and disaster recovery capabilities. We can copy your backup data to any of our seven data center locations. Replicated offsite backups are easily retrievable and if a restore is needed, the process is incredibly quick and can be completed in any of our hosting locations. Custom retention periods and backup frequency are available such as 5 minutes, 15 minutes, and hourly backups.
What about Onsite Backups?
Onsite backups using the ACP Onsite Backup solution create daily backups of your required servers and store the data in a protected, secured area that is geographically local. These backups are easily retrievable, and if a restore is needed, the process is incredibly quick. Custom retention periods and backup frequencies are available, such as 5-minute, 15-minute, and hourly backups.
9. Do I need MFA for my website?
You want a managed multi-factor authentication system, ideally fronted by single sign-on, covering every account that can reach ePHI: patient portal users, staff, and the administrators of the web server and CMS. The system should check device health before granting access, blocking infected or high-risk devices by scanning for outdated applications and enforcing security controls.
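As an added example (not part of the original article, and not Atlantic.Net's managed MFA product), the following Python implements the time-based one-time password (TOTP, RFC 6238) check that underlies most authenticator-app second factors, using only the standard library. The secret in DEMO_SECRET is the RFC 4226/6238 test key, so the codes it produces can be checked against the published vectors; the fixed timestamps, the accepted window of one step either side, and the last-used-counter bookkeeping are illustrative assumptions about how a site would integrate it.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226/6238 test key ("12345678901234567890" in base32). Used here only so
# the generated codes match the RFCs' published vectors; never reuse it.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes=20):
    """Create a fresh base32 secret for enrolling a user (20 bytes = 160-bit key)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32, submitted, at_time=None, last_counter=None,
                step=30, window=1, digits=6):
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns (accepted, counter). The caller persists the returned counter per
    user and passes it back as `last_counter` on the next attempt: a step that
    has already been consumed is never accepted again, which stops replay of an
    intercepted code within its validity window. The comparison is constant-time.
    """
    t = int(time.time() if at_time is None else at_time)
    current = t // step
    submitted = submitted.strip().replace(" ", "").encode("utf-8")
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue  # replay: this step (or an earlier one) was already used
        expected = hotp(secret_b32, counter, digits).encode("ascii")
        if hmac.compare_digest(expected, submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    print("code at t=59:", totp(DEMO_SECRET, 59))
    print(verify_totp(DEMO_SECRET, "287082", at_time=59))
    print(verify_totp(DEMO_SECRET, "287082", at_time=59, last_counter=1))
```

The replay check is the part most home-grown implementations forget: without it, a code captured by a phishing page stays valid for the whole window, even after the legitimate user has already logged in with it. Rate-limit verification attempts as well, since a six-digit code with a three-step window gives an online guesser roughly three chances in a million per attempt.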
10. Do I need a Managed Firewall?
A strong managed firewall will include powerful security response, routine device health checks, log monitoring, and control of network ingress and egress points. The system should include load balancing, redundancy via a secondary firewall, global blacklisting, virtual private network (VPN) connectivity, stateful filtering, monitoring, and reporting.
Your HIPAA-Compliant Website
Many organizations work with third parties on their data systems, particularly in rigorously controlled sectors such as healthcare. Contracting with outside organizations is not simply a way to push away off-focus work; it is also a way to tap expertise that is not present in-house. When you need a healthcare website, work with organizations that have been independently audited against HIPAA and HITECH requirements, hold SOC 2 and SOC 3 reports, and will sign a BAA. See our HIPAA-compliant hosting solutions.