5 Principles of a HIPAA Compliant Website

Keri Boyer

Why should you worry about having a HIPAA compliant website? Maybe the fact that you could face civil penalties of up to $50,000!

You could also face criminal proceedings, which can result in a prison sentence of up to 10 years.

So it’s vital you get HIPAA compliance exactly right.

HIPAA – the Health Insurance Portability and Accountability Act of 1996 – governs the privacy and security of consumer data handled online. It applies to ‘covered entities’, which include healthcare providers and medical insurers.

A HIPAA compliant website will obey the security rules laid out in the act. These ensure that sensitive data is well protected and kept private while being transmitted electronically.

Here are the five key principles you must obey when building a HIPAA compliant website.

1. Using SSL Encryption

SSL (secure sockets layer) encryption – today implemented by its successor, TLS – means that all data passed between a user and a website is encrypted in transit and remains private.

All web pages which ask your users to input data should be protected by this. And ideally, your entire site should be. This will help to future-proof your site, in case its structure is later changed or extra pages are added.

2. Database Encryption

Once data has been collected over a secure connection, it must be stored in a secure manner.

You may consider keeping this database separate from the front-end of your website. This will give you more confidence that the data is safe, even if there is a website security breach.

Every business needs backups in case something goes wrong – and these need to be made secure too.

3. Who Has Access to Data?

The question of who has access to sensitive data is really important. Generally, if someone doesn’t need to have access in order to do their job, they probably shouldn’t be given access.

It’s also important to consider ‘abandoned’ accounts which come about – for example – when a member of staff leaves. These should have their authorization revoked, and ideally be deleted.

This practice makes sure old and forgotten accounts don’t present a potential security threat.
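One way to turn this principle into a routine check, as an added example that is not part of the original article: an access review that compares the accounts on a patient-data system against the HR roster and the permissions each role needs. The roster, role-to-permission mapping, accounts and the 90-day idle threshold are all constructed assumptions for illustration.

```python
from datetime import date

# Constructed sample data (not from the article): the HR roster and the
# accounts that currently exist on the system holding patient data.
STAFF = {
    "alice": {"active": True,  "role": "nurse"},
    "bob":   {"active": False, "role": "billing"},   # has left the organisation
    "carol": {"active": True,  "role": "receptionist"},
}

# Assumed minimum permissions each role needs to do its job.
ROLE_NEEDS = {
    "nurse": {"read_records", "write_records"},
    "billing": {"read_billing"},
    "receptionist": {"read_schedule"},
}

ACCOUNTS = [
    {"user": "alice",   "perms": {"read_records", "write_records"}, "last_login": date(2024, 5, 1)},
    {"user": "bob",     "perms": {"read_billing"},                  "last_login": date(2024, 1, 10)},
    {"user": "carol",   "perms": {"read_schedule", "read_records"}, "last_login": date(2023, 9, 3)},
    {"user": "svc_old", "perms": {"read_records"},                  "last_login": date(2022, 2, 2)},
]


def review_accounts(accounts, staff, role_needs, today, max_idle_days=90):
    """Return {username: [required actions]} for every account that needs attention.

    Three findings are raised: the owner is no longer active staff (revoke),
    the account holds permissions beyond its role's need (reduce), and the
    account has been idle longer than max_idle_days (disable).
    """
    findings = {}
    for acct in accounts:
        actions = []
        person = staff.get(acct["user"])
        if person is None or not person["active"]:
            actions.append("revoke: owner no longer on staff")
        else:
            excess = acct["perms"] - role_needs[person["role"]]
            if excess:
                actions.append("reduce: permissions beyond role need: " + ",".join(sorted(excess)))
        if (today - acct["last_login"]).days > max_idle_days:
            actions.append("disable: idle for more than %d days" % max_idle_days)
        if actions:
            findings[acct["user"]] = actions
    return findings


if __name__ == "__main__":
    for user, actions in review_accounts(ACCOUNTS, STAFF, ROLE_NEEDS, date(2024, 6, 1)).items():
        print(user, "->", "; ".join(actions))
```

Run on a schedule against real exports, the output is the list of accounts to revoke, trim or disable before they become the forgotten entry point the text warns about.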

4. Password Protocol

It’s important to set high password standards for all staff who have access to sensitive information.

You should train your staff to pick secure passwords, and implement protocols to prevent them choosing short or simple passwords to access their accounts.

5. Never Transmit Personal Data Over Non-Secure Channels

Even if your website is secure, human error can result in private information being transmitted through non-secure channels.

Part of this is down to good design – collecting all the personal information you need via secure portals. You can encourage customers not to supply personal details through other channels.

And part is down to staff training. Your staff should never use unsecured emails to transmit patient information.

A secure VoIP system can help your staff communicate with customers and each other without email. This reduces the risk of sensitive data being intercepted in an email.

Support for Developing Your HIPAA Compliant Website

SecureNetMD is a consultant dedicated to helping healthcare services develop HIPAA compliant websites.

We’d love to talk to you about how we can help you meet compliance standards and deliver excellence for your customers. Learn about our services, then get in touch for an initial consultation.
