Many organizations are unsure if they need to follow the rules in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). You need a compliant site if you are handling electronic protected health information (ePHI), which is personally identifiable data collected during the course of the provision of healthcare.
Top 10 Considerations to Make Your Website HIPAA Compliant
When you need a HIPAA-compliant website, here are key concerns that should guide your efforts:
- Privacy Rule
- Security Rule
- SSL encryption
- HIPAA-compliant website platform
- Business associate agreements
- Healthcare focus of infrastructure
- Security of data center & auditing
- Offsite CDP backups
- Managed multi-factor authentication
- Managed firewall
1. Privacy Rule
Know the Privacy Rule, a cornerstone of HIPAA. This rule creates national standards for the safeguarding of personal health data, which is called protected health information (PHI) under HIPAA. The Privacy Rule is applicable to all healthcare providers, plans, and data clearinghouses, as well as to their business associates (any organizations handling health information on their behalf). The Privacy Rule mandates that there should be protections in place to safeguard the privacy of health information. The rule also establishes rights that patients have related to their information, such as the rights to get a copy of health information and to review it, as well as to ask for corrections.
2. Security Rule
Understand the Security Rule. This HIPAA rule is essentially an implementation of the Privacy Rule that is specific to ePHI, since security is intended to protect privacy. The Security Rule creates national standards to safeguard health information in electronic form, whether an organization is producing, receiving, sending, or storing it. Through the adoption of “reasonable and appropriate” technical, physical, and administrative safeguards, organizations are able to protect the security, integrity, and confidentiality of ePHI in a HIPAA-compliant manner.
3. SSL encryption
A primary security question is whether you will implement secure sockets layer (SSL) encryption across your site, transitioning from HTTP to the secure HTTPS protocol. This protocol encrypts all data that is in motion between the client device and the server. Web designers should know how to install SSL certificates, but you can always work with your hosting company on SSL-encrypting your site, since it involves a (relatively simple) server installation.
4. HIPAA-compliant website platform
You want the designer you choose to build a HIPAA-compliant site to have experience with healthcare development. Healthcare requires an additional layer of concern and preparation to ensure compliance. For a compliant environment, think about the ways in which people will use your site. The ways that patients can use your site will drive the need for security measures. The concern is specifically related to ePHI – whether your organization is creating, transmitting, receiving, or maintaining it. If you are collecting information through forms on your site, you will need to ensure all that data is protected per HIPAA rules. Any form collecting health data should protect the information as it would any ePHI, defending against unauthorized access.
5. Business associate agreements
If you are going to work with any outside providers on aspects of your site that involve the handling of ePHI, you need to sign business associate agreements (BAAs) with them. It is essential to your compliance to verify that all health data that you store or that is sent through your site is secured (whether at rest or in transit). Be aware that your web designer is a direct business associate, but they will in turn have subcontractor business associates who independently perform services for them. Confirm that the web designer has BAAs with each of its subcontractors, so that all applicable parties are included within compliance upfront. Push your business associates on this, though it is in their best interests too. Failure to identify business associates is no defense and in one case led to a $1.5 million HHS fine.
6. Healthcare focus of infrastructure
Finding a strong hosting plan for your site is challenging for any business. For organizations that handle ePHI, choosing the right host is particularly tricky because you need one that is as dedicated to following the Privacy Rule and Security Rule as you are, and that has technical, administrative, and physical safeguards installed that prove its commitment. In other words, is it healthcare-compliant, and is it certified to meet the requirements of HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009?
7. Security of data center & auditing
One thing you can do to get a better sense of a host’s security stance is to look beyond those healthcare law certifications to audits based on the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16): SOC 1 and SOC 2.
8. Offsite CDP backups
Continuous data protection (CDP) backup skips over the intricate file system and reads data straight from the disk. Your information is easily accessible and available in its most up-to-date form. With CDP backup, you can determine how many retention points you want to have over a span of time. If you have a high-quality offsite CDP backup service, the settings you’ve established and all contents of your server will be completely restored if the system crashes.
9. Managed multi-factor authentication
You want a managed multi-factor authentication system that is accessible through one sign-on. The system should perform diagnostics on devices to ensure their health. Infected and high-risk devices can be blocked via scanning for outdated applications and enforcing security controls.
10. Managed firewall
A strong managed firewall will include powerful security response, routine device health checks, log monitoring, and control of network ingress and egress points. The system should include load balancing, redundancy via a secondary firewall, global blacklisting, virtual private network (VPN) connectivity, stateful filtering, monitoring, and reporting.
Your HIPAA-compliant website
Many organizations work with third parties on their data systems, particularly if they are in rigorously controlled sectors such as healthcare. Contracting with outside organizations is not simply a way to offload work outside your core focus; it is also a way to tap expertise that is not present in-house. When you need a healthcare website, work with organizations that are HIPAA and HITECH certified, as well as SSAE 18 SOC 1 and SOC 2 audited.