If you're a medical professional you are probably familiar with HIPAA or the Health Insurance Portability and Accountability Act of 1996 and the HIPAA Privacy Rule. However, are you familiar with the HIPAA Security Rule? The Security Standards for the Protection of Electronic Protected Health Information establish national security standards that protect the electronic transfer of protected health information, also known as e-PHI. As more medical professionals and offices are building websites online, it is important to understand what e-PHI is, how to determine if your site needs to be HIPAA-Compliant and the requirements a site must meet in order to be considered a HIPAA-Compliant website.
What is e-PHI?
According to the U.S. Department of Health & Human Services, Electronic Protected Health Information (e-PHI) refers to "all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form." What does that mean? If you are a practice that transmits any patient data via your medical website, that's e-PHI.
This can include:
- Patient names, addresses, phone numbers, social security numbers
- Patient photographs, X-Rays, MRIs
- Past medical records
- Patient payment information and insurance data
- Patient demographics
- Tests and lab results
Does my website need to be HIPAA-compliant?
If you collect any of the above information via your website, then yes, you need a HIPAA-compliant website. You might collect this information through forms on your medical website that allow patients to schedule appointments, contact their doctor with questions, make payments or send in medical records.
The bottom line is that if you handle any patient data through your website, you MUST have a HIPAA-compliant website or you will be violating the HIPAA Security Rule. Even if you are not collecting patient data, you should strongly consider making your website HIPAA-compliant. Sites with HIPAA-compliant website hosting (hosted on servers that meet the requirements of the HIPAA Security Rule) are also more secure, which reduces the risk of attackers inserting fake forms on the site to collect patient data such as social security numbers.
How do I know if my site meets the standards of the HIPAA Security Rule?
If you can answer yes to all of the questions below, your medical site probably meets the standards of the HIPAA Security Rule.
- Does your site have automatic backups that are reliably retained and can be restored at any time?
- Is all data transmitted from your site, over the Internet, encrypted?
- Is your stored data also encrypted?
- Is your website data accessible only by authorized persons with unique permissions that can be audited?
- If your site is no longer needed, can it be permanently deleted?
- Do you have a HIPAA Business Associate Agreement with the company that currently hosts your website? If not, does the server that hosts your website meet the rules and requirements of the HIPAA Security Rule?
Ready to Get Started?
Wide Web Marketing is very familiar with the HIPAA Security Rule, and our team has put in countless hours researching the best solutions available in order to provide our medical clients with secure, HIPAA-compliant websites. As a result, we have successfully launched several sites in the medical industry for nursing homes, surgeons and doctors utilizing HIPAA-compliant servers. In addition, several members of our team have taken the time to start the necessary courses in order to be as familiar as possible with the HIPAA Privacy Rule and HIPAA Security Rule.
To work with a professional team, well-versed in providing HIPAA-compliant websites, call us at (337) 366-0306 to get started!