EITS Tech Tips & Tech News

How to make your website HIPAA compliant

Written by Mike Tungate | Jun 8, 2017 2:34:17 PM


Running a business in the medical community opens up a host of unique responsibilities and rules most other businesses do not need to abide by. This includes the Health Insurance Portability and Accountability Act (HIPAA). The act dictates everything from compliance documentation to how your website must function. Individuals who visit your website need clear and precise information, while on your end the website must provide additional security features to protect a client's personal information. Because of this, your company website must meet very specific requirements to remain HIPAA compliant. Here are several steps to follow in order to make sure you have a HIPAA compliant website.

SSL Certificate 

One of the first steps you must take to ensure your website is HIPAA compliant is to make sure you have an SSL certificate for your website. A standard non-SSL website (one with the standard http:// in the URL) is insecure in that anyone with a computer positioned between the user and the web server can read all data passing through, such as usernames, passwords and any other sensitive data sent from the user's computer to the web server. When a website has an SSL certificate (when there is an "s" after http: https://) the transmissions from the user's computer to the server are encrypted and unreadable by third parties.


Backup Data

All client information must be backed up. Any data collected by your website needs to be backed up in some shape or form to avoid complete data loss. This can be done by creating a local backup or via a secure cloud service.


Authorization

This means only authorized individuals within your company are able to gain access to information and protected health documentation input into the website. To do this, you need to make sure your employees sign a privacy agreement. Different levels of clearance and system access should be given to employees based on whether they need access to client information or not in order to complete their job.


Business Associate

Any service provider or third party vendor with access to any part of your website needs to sign a HIPAA Business Associate Agreement (BAA) before that access is granted.


Removal of Information

A client may at any time request to have his or her information permanently removed from the server and website database. You need the ability to do this. While the information can be kept and maintained while providing a given medical service or product to the client, should they ever leave for another service provider all information must be completely destroyed, including all backed up copies.


Storage Encryption

Beyond the encryption of information once it is entered and submitted into your website, all files stored, both locally and via a cloud service, need to be encrypted as well. No matter how many locations backup files exist in, every existing backup of data that came through your website must be encrypted.


Ensure Integrity

You need to ensure there is no way for saved information to be accessed, viewed or tampered with by anyone who is not authorized to do so. It is up to your company to establish a tamper-proofing method for all saved documentation and information. There are varying ways you can go about providing this level of tamper-proof integrity. Encryption methods such as AES, PGP or SSL are the usual starting point, although you can always go beyond these more traditional methods if you wish. Note that encryption on its own protects confidentiality; tampering is only detected when it is paired with an integrity check, such as an authenticated encryption mode (AES-GCM), a keyed MAC or a digital signature over the stored record.
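The following is an added example, not code from the original post or from EITS, showing the tamper-detection half of the integrity requirement above. It seals each stored record with an HMAC-SHA256 tag under a key that the database itself does not hold, and contrasts that with a plain SHA-256 checksum, which anyone able to edit the record can simply recompute. The key value, the record contents and the "sealed" layout are constructed for the demonstration; only the standard library is used.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the integrity key lives in a
# secrets manager or KMS, separate from the database that holds the records,
# so that someone who can edit a record cannot also re-tag it.
DEMO_KEY = bytes.fromhex("00" * 31 + "01")


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: the tag must not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> dict:
    """Store the record together with an HMAC-SHA256 tag computed under `key`."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; False means tampering (or wrong key)."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def unkeyed_digest(record: dict) -> str:
    """Plain SHA-256 checksum, shown only to illustrate why it is NOT an integrity control."""
    return hashlib.sha256(canonical(record)).hexdigest()


def demo(key: bytes = DEMO_KEY) -> dict:
    # Constructed sample record; not real patient data.
    original = {"patient_id": "P-0001", "allergies": "none", "notes": "constructed sample"}

    # Someone with write access to the database edits the record in place.
    tampered = dict(original, allergies="penicillin")

    # Design A: record + unkeyed checksum column. The editor recomputes the
    # checksum too, so a checksum comparison still passes and the edit is missed.
    stored_a = {"record": original, "digest": unkeyed_digest(original)}
    stored_a["record"] = tampered
    stored_a["digest"] = unkeyed_digest(tampered)
    checksum_fooled = stored_a["digest"] == unkeyed_digest(stored_a["record"])

    # Design B: record + HMAC tag. The editor cannot produce a valid tag
    # without the key, so verification fails after the edit.
    stored_b = seal(original, key)
    intact = verify(stored_b, key)
    stored_b["record"] = tampered
    hmac_detects = not verify(stored_b, key)

    return {
        "intact_verifies": intact,
        "unkeyed_checksum_fooled": checksum_fooled,
        "hmac_detects_tamper": hmac_detects,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints all three flags as True: the untouched record verifies, the checksum design is fooled, and the HMAC design catches the change. Rotating the key, or moving to a signature so that verifiers need not hold a secret, is a matter of swapping the `seal`/`verify` pair; the canonical serialisation stays the same.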


Transmission Encryption

Information shared over your website is highly sensitive. These medical records need to be encrypted from the moment they are entered and submitted to your site. To do this, you first need to make sure you have a secure website ("https://"). Beyond serving the site over HTTPS, every piece of data submitted to or returned by your website needs to travel encrypted, not just the pages visitors browse. The purpose of HIPAA is to protect client data, which is why a strong encryption service is essential.
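As an added example (not part of the original post), here is a small offline check of whether a site actually enforces the transmission encryption described above: the plain-http response must be a permanent redirect to an https:// URL, and the https response should carry a Strict-Transport-Security header with a max-age of at least one year so browsers stop attempting http altogether. The two pairs of responses are constructed stand-ins for what a real request would return; the checker itself only looks at status codes and headers, so the same function works on captured responses from any HTTP client.

```python
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; the commonly recommended HSTS minimum


def parse_max_age(hsts_value: str):
    """Return the integer max-age from an HSTS header value, or None if absent/invalid."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_https_enforcement(http_response: dict, https_response: dict) -> list:
    """Return a list of findings; an empty list means HTTPS is enforced.

    Each response is a dict with 'status' (int) and 'headers' (dict), a
    stand-in for a captured HTTP response so the check runs offline.
    """
    findings = []

    # 1. A plain-http request must be redirected, permanently, to an https:// URL.
    h = {k.lower(): v for k, v in http_response["headers"].items()}
    if http_response["status"] not in (301, 308):
        findings.append(
            f"http request answered with {http_response['status']}, not a permanent redirect"
        )
    if urlparse(h.get("location", "")).scheme != "https":
        findings.append("redirect target is not an https:// URL")

    # 2. The https response should carry HSTS so browsers never try http again.
    hs = {k.lower(): v for k, v in https_response["headers"].items()}
    hsts = hs.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age = parse_max_age(hsts)
        if max_age is None:
            findings.append("HSTS header has no valid max-age directive")
        elif max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is below one year")
    return findings


# Constructed responses: a site that serves forms over plain http with no HSTS...
WEAK_HTTP = {"status": 200, "headers": {"Content-Type": "text/html"}}
WEAK_HTTPS = {"status": 200, "headers": {"Content-Type": "text/html"}}

# ...and the same site after being hardened.
HARDENED_HTTP = {"status": 301, "headers": {"Location": "https://clinic.example/"}}
HARDENED_HTTPS = {
    "status": 200,
    "headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
}


if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("hardened", (HARDENED_HTTP, HARDENED_HTTPS))):
        print(label, check_https_enforcement(*pair) or "OK")
```

The weak pair yields three findings (no redirect, no https target, no HSTS) and the hardened pair yields none. In practice the header check belongs alongside a certificate check (valid, not expired, issued for the right hostname), which this offline example cannot perform.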


As a business owner, it is your obligation to protect customer information from external threats such as hacks and data loss. If you work within the medical community there are additional guidelines, established by HIPAA. By following through with these tips and guidelines, your website will adhere to all requirements. This way, your clients can maintain peace of mind while using your website and you can avoid any fines levied by not following the guidelines.