Before we create a HIPAA compliant website, we need to know what HIPAA means. It is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996.
HIPAA reduces health care fraud and abuse, mandates industry-wide standards for health care information on electronic billing and other processes and requires the protection and confidential handling of protected health information.
In a digital age, it is essential for companies, including healthcare providers, to own a website. In fact, 93 percent of corporate decisions are made as a result of online research. However, some companies' websites, such as those of healthcare providers, need to be much more precautious and HIPAA compliant.
Any medical eCommerce company or practice that sells medical equipment may face HIPAA compliance issues. Any business that handles the protected or confidential health information or PHI must bear additional care.
Companies or practices selling medical supplies may face HIPAA compliance issues. In addition, companies that do business with protected or confidential health information should also pay special attention to this issue.
Companies that do business with medical information or materials, especially e-commerce companies, must be compliant with the HIPAA checklist. If these companies do not partner with the right e-commerce companies, they risk facing non-compliance penalties, security breaches and additional penalties. In addition, companies lose their credibility in the eyes of patients in cases such as the exposed of patients' medical information.
First, owning a HIPAA-compliant website means taking physical, administrative and technical safeguards in a sensible way to keep personal health information safe.
For example, if you are storing personal health records on the cloud, but you do not have a proper policy to share this information with other people, anyone may intentionally or accidentally share or leak this information, although they do not have the right. As a result, your website may encounter a HIPAA violation. This and similar violations may occur due to a stolen smartphone or laptop. If you don't have the right procedures and policies to encrypt and secure devices, no technology can help you store information.
If you think your website should be HIPAA compliant, you need to determine the ways in which your visitors interact with your website. After completing this phase, you should work to ensure that interactions are user-friendly and safe.
In general, it asks for four fundamental things of an organization, handling medical records of patients in any way.
1. You should have proper safeguards in place to fully protect the health information of the patient
2. You must restrict the sharing or use of health information up to the extent needed for the purpose.
3. If your medical records are being handled by any contracted service, you must have agreements to ensure they are also compliant with HIPAA regulations.
4. You must have procedures and policies to ensure limited access while training staff related to the protection of hard copy as well as electronic Protected Health information.
If you are involved in health technology development, make sure there is a proper technology that meets HIPAA standards. One of the best ways to be sure of this is to have a HIPAA checklist. This checklist can also be used by development teams to make compatible applications.
Once you have identified handling Protected Health Information that you must be HIPAA compliant, you need to go through the HIPAA compliance checklist to ensure the privacy and security of the data.
HIPAA Privacy Rule
HIPAA Enforcement Rule
HIPAA Security Rule
HIPAA Breach Notification Rule
In terms of action items, you must follow the HIPAA Privacy and Security Rule.
The HIPAA Security Rule is about appropriate Physical, Administrative and Technical Safeguards to make sure the integrity, confidentiality and security of PHI. We can divide the security rule in three fundamental aspects:
Physical Safeguards
Technical Safeguards
Administrative Safeguards
These parts incorporate implementation specifications. Some of them are addressable and some are required. When we say addressable implementation, they can be implemented if there is an appropriate and reasonable need to do so. Similarly, the required implementations are the ones that must be implemented.
This set of guidelines focuses on the physical PHI access and contains four standards.
Workstation use
Facility access control
Device and media controls
Workstation security
And as we further break down these 4 major standards of physical safeguards, there are ten essentials we need to implement:
Contingency Operations: Establish procedures that enable facility access to support lost data restoration under the emergency mode operation plan and disaster recovery plan in an emergent event.
Facility Security Plan: Implement procedures and policies to safeguard the equipment and facility therein from theft, tampering or unauthorized physical access.
Validation and Access Control Procedures: Implement policies to validate and control the access of a person to facilities based on their function and role. This may also include visitor control and access control to various software programs in terms of revision and testing.
Maintenance Records: Implement procedures and policies to document modifications and repairs to the facility’s physical component, related to security like doors, walls, hardware, and locks.
Workstation Security: Implement physical safeguards in terms of all workstations that restrict authorized users' access by accessing ePHI.
Workstation Use: Implement procedures and policies that state the functions that need to be performed and the manner in which they must be performed including the physical attributes of the specific workstation surrounding or class of workstation that must access ePHI.
Disposal: Implement policies to address the ePHI final disposition and the electronic and hardware media on which it is actually stored.
Accountability: Maintain the electronic media and hardware movement records including any person responsible thereof.
Media Re-Use: Implement policies for ePHI removal from electronic media and before the media are available for re-use.
Data Backup and Storage: Create an exact retrievable copy of ePHI, before equipment movement and when needed.
These are the set of policies that govern the workforce code of conduct along with security measures implemented to protect ePHI. This is the most important component when implementing HIPAA compliance program.
We have nine standards under this section:
Assigned Security Responsibility
Security Management Process
Training and Security Awareness
Information Access Management
Workforce Security
Business Associate Contracts and Other Arrangements
Evaluation
Contingency Plan
Security Incident Procedures
Compliance with this section of safeguards requires the complete evaluation of the implemented security controls, a thorough and accurate risk analysis along with a series of documented solutions.
These nine standards are further broken down into 18 areas that must be ensured:
Risk Analysis: Document the performed risk analysis to ascertain where PHI is being stored and used to figure out the ways in which HIPAA can be violated.
Sanction Policy: Apply sanction policies for individuals failing to comply.
Risk Management: Implement adequate measures to cut down these risks up to an acceptable level.
Information Systems Activity Reviews: Frequently review logs, system activity, audit trails, etc.
Officers: Designate Officers for HIPAA Security and Privacy
Employee Oversight: Implement policies to supervise and authorize employees working with PHI and for removing and granting PHI access to employees.
ePHI Access: Implement policies for granting ePHI access that document ePHI access, or to systems and services that grant ePHI access.
Multiple Organizations: Make sure PHI is inaccessible by parent organizations or parent or subcontractors which are unauthorized for access.
Protection against Malware: Implement procedures to guard detecting, against and reporting malevolent software.
Login Monitoring: Establish discrepancies reporting and monitoring of systems logins.
Security Reminders: Periodically send reminders and updates about privacy and security policies to employees.
Response and Reporting: Document, identify, and respond to security incidents.
Password Management: Make sure there are procedures for changing, creating and protecting passwords
Contingency Plans: Make sure there are proper accessible ePHI backups as well as procedures to restore the lost data.
Emergency Mode: Establish procedures and enable critical business processes continuation for the protection of ePHI security when operating in an emergency mode.
Contingency Plans Updates and Analysis: Have policies for frequent testing and contingency plans revision. Assess the criticality of particular data and applications in support of some other contingency plan components.
Business Associate Agreements: if any business partner access the ePHI, have specific contracts to make sure they are compliant. Select partners that also have similar agreements with their partners to which they are extending access.
Evaluations: Conduct periodic evaluations to observe if any changes in the law or business need changes in the HIPAA compliance procedures.
This section relates to the disclosure and use of electronic patient health information and is applicable to the different healthcare organizations. It is also applicable to those who offer health insurance plans along with eh enterprises’ business associates.
In this section, patients get the right to get copies of their relevant health records. Also, the EMR and EHR implications are obvious, especially to ensure that every patient identifiers are also secure.
Business associates are liable for the disclosure and use of PHI which is not covered under their HIPAA Privacy Rule or the BAA. This rule asks the business associated with the following actions:
Provide adequate breach notification to the Covered Entity
Don’t allow any impermissible disclosure or use of PHI
Offer an accounting of disclosures
Be compliant with the HIPAA Security Rule requirements
If needed, the disclosure of PHI to the HHS Secretary
Provide either the Covered Entity or individual access to PHI.
Implementation of HIPAA Security Rules
In addition, you can get detailed information about patient portals by reading our article titled What Are the Benefits of Patient Portal?. See you on different topics.
