HIPAA is a term well known to medical providers; it stands for the Health Insurance Portability and Accountability Act. It is designed to protect “individually identifiable health information.” Medical information, and the sharing of it, has been regulated for quite some time. When paper records carried the entirety of a person’s personal and medical information, it was somewhat easier to prevent that information from falling into the wrong hands; stealing records from across the country would have been very difficult. In today’s technology-based world, an experienced attacker can potentially intercept electronic Protected Health Information (ePHI) while it is in transit.
The Nitty Gritty of HIPAA Compliance
Because HIPAA is all about privacy, let’s start with the Privacy Rule, which sets the standards for protecting individual patient rights. Many patients assume HIPAA applies only to healthcare providers and give no second thought to the medical coders, billers, and insurance providers that work behind the scenes. All entities that may come into contact with personally identifiable health information are known as covered entities. The Privacy Standards make it clear that the use and disclosure of not only electronic but also oral and written Protected Health Information (PHI) must be controlled in a way that protects the privacy of the individual.
Go one step further, and you’ll find the Security Standards, which were implemented to cover the electronic side, or ePHI. These information safeguards apply not only to covered entities but also to any business associates who will have access to protected information. From organization and administration through technical and physical safeguards, all covered entities must actively work to protect and secure identifiable health data. In February 2010, the HITECH section of the American Recovery and Reinvestment Act upped the ante by increasing penalties and making business partners liable if unauthorized disclosures take place. The Omnibus Rule took effect in September of 2013 and expanded coverage, strengthened HIPAA enforcement, and created harsher penalties.
Medical Website Designs
Medical website design has been made easy, and many medical practitioners chose the template-based approach, which lets their staff create an aesthetically pleasing website with just enough bells and whistles to be functional. The problem with this approach stems from a lack of understanding of just how far ePHI may travel once it is in electronic form. A secured domain beginning with https can be compared to installing a new lock on your door: it is a good start, but if the keys are handed to untrustworthy individuals, you are still at risk.
It is vital that access is limited to parties on a need-to-know basis. Be sure each person or entity logs in, so you have a record of when, from where, and by whom ePHI was accessed. A HIPAA breach is not something a doctor wants to pop up unexpectedly. Experienced website developers will ensure the storage and transmission of data are set up to protect all parties involved.
Five Minimum Protections
Certain items are not negotiable when it comes to providing the minimum protections required under the law:
- Transport encryption ensures ePHI is encrypted when it is sent;
- Storage encryption covers information when it is archived or stored on a server;
- Integrity means the information remains unaltered;
- Backup plans make sure no ePHI is permanently lost;
- Disposal refers to the time when specific ePHI is no longer needed and must be wholly destroyed.
Website designs for medical doctors have transformed over the years. Initially, a site was something like an electronic billboard that gave basic contact information. A static site like that is no longer an option for doctors who wish to stay current with today’s patients. Conversions will not happen if a patient can find more usable material with another doctor. Many patients prefer to renew and receive their prescriptions digitally. Something as simple as making an appointment or signing up for a webinar can cause problems once personally identifiable information is sent.
Modern medical website designs must guarantee that any forms used inherently protect the contents of the form. As the information is sent, it should be automatically encrypted so it can travel to third parties securely; once it is received, only authorized persons or entities can decrypt it. An SSL certificate is one way to ensure transactions going to and from your site are encrypted. You also want to make sure your web developer creates audit trails of all logins and incidents of access so the records can be maintained for up to 10 years.
Shared vs. Dedicated Server
A dedicated server provides the highest level of control and protection because it is less likely that third parties can gain access to your private servers. HIPAA-compliant dedicated servers are worth the additional cost since they provide peace of mind. Should the unthinkable happen and someone uncover your raw files or scripts, the protections available on a dedicated server can prevent them from gaining access to the passwords that unlock those files.
A shared server can open you up to breaches of HIPAA compliance, even with security protocols in place. The nature of a shared server allows different clients to access the same shared space. If a shared server is necessary, take every precaution to make data secure. Make sure data is encrypted when it comes in, while it is stored, and when it goes out. Passwords and keys that decrypt files must be kept separately from the files. Use a database to store sensitive information.
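The storage-encryption, integrity and audit-trail controls described above (the minimum protections list, the form-handling advice, and the shared-server precautions), as an added example in Go that is not part of the original article or of Optimized360's code: a stored form submission is sealed with AES-256-GCM using a key supplied from outside the data store, the GCM tag serves as the integrity check, and every decryption attempt produces an audit entry recording who, from where, when, and the outcome. The record id, user and address values are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// AuditEntry is one access record: when, who, from where, which record, and the outcome.
type AuditEntry struct{ When, Who, From, Record, Outcome string }

// NewRecordCipher builds AES-256-GCM from a 32-byte key that is kept apart from the data store
// (a KMS or a separate key file), so a copy of the raw files alone does not unlock them.
func NewRecordCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts a form submission for storage; the GCM tag is the integrity check, and
// recordID is bound as associated data so a stored blob cannot be moved under another record.
func SealRecord(gcm cipher.AEAD, recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord decrypts a stored blob and returns an audit entry whether or not the tag verifies.
func OpenRecord(gcm cipher.AEAD, recordID string, blob []byte, who, from string) ([]byte, AuditEntry, error) {
	entry := AuditEntry{time.Now().UTC().Format(time.RFC3339), who, from, recordID, "ok"}
	if len(blob) < gcm.NonceSize() {
		entry.Outcome = "malformed"
		return nil, entry, errors.New("stored blob shorter than nonce")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(recordID))
	if err != nil {
		entry.Outcome = "integrity-failure" // altered file, wrong key, or blob moved to another record
	}
	return pt, entry, err
}
```

The audit entries should be appended to write-once storage kept apart from the records themselves, so that a compromise of the data store does not also erase the access history.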
HIPAA-compliant medical websites are a must for doctors who wish to stay on top of their game. Today’s technically savvy patients expect easily accessible information and forms. They are not always concerned about the ramifications of HIPAA violations unless they are directly affected. Doctors and their business partners must implement safeguards to protect both patients and their practices. Optimized360 understands the importance of HIPAA compliance and will do all in its power to ensure the protection of all parties.