How to design a HIPAA-compliant website

A 2018 survey of more than 1,000 U.S. adults found that 80 percent of respondents have used the internet to conduct a healthcare-related search in the past year. In addition, 63 percent of those respondents will choose one provider over another because of a strong online presence with relevant, accurate, and compelling information.

It’s critical that a medical provider has a good website. But the website also needs to comply with the Health Insurance Portability and Accountability Act (HIPAA). If it doesn’t, your website can cause irreparable damage to your reputation and heavy fines and penalties.

The following tips will help ensure the website you design is effective and HIPAA compliant.

Basics of HIPAA-compliant websites

To ensure you have a HIPAA-compliant website, it’s important to understand the basics of HIPAA.

HIPAA was created to regulate how protected health information (PHI) is secured. PHI is basically any patient data, such as a name, address, telephone number, birthday, email address, or medical record. Even scheduling an appointment requires the use of PHI, because you’re dealing with information that identifies who the patient is.

According to HIPAA, healthcare providers and vendors who encounter PHI must comply with the regulations. HIPAA designates healthcare providers as “covered entities” and the vendors they use as “business associates.” If a provider is working with a vendor and PHI is involved, it’s also mandatory that they sign a business associate agreement (BAA), which legally covers the provider if there’s a data breach.

Whether you’re a physician or a telehealth service provider, you must have a HIPAA-compliant website that protects PHI.

Just so you know

Make your website HIPAA-compliant with JotForm’s HIPAA-compliant forms. Safely collect sensitive patient data, signatures, files, and more online.

Do you need to make your website HIPAA compliant?

When designing your website, it’s important to determine what you want visitors to do. For example, you might want them to be able to send an email to you, fill out a form, or access a patient portal to view and update their medical histories.

Once you know what you want your visitors to do on your website, make sure that these actions are HIPAA-compliant, as well as easy for them to do. To ensure you’re complying with HIPAA, ask yourself these questions:

  • Is PHI being collected on your website?
  • Is PHI being transmitted through your website?
  • Is PHI being stored on a server on your website?

If the answer to any of these questions is yes, make sure your website is HIPAA compliant.

Creating a HIPAA-compliant website

The first step is to obtain a Secure Socket Layer (SSL) certificate. This will create a secure link between your website and a visitor’s browser, ensuring that all PHI passed between the two remains private and secure.

Next, make sure your website is using HIPAA-compliant online forms, like those from JotForm. This ensures that PHI is collected securely , which helps reduce the risk of data breaches and unsecured information being released.

With JotForm’s HIPAA-compliant online forms, you can

  • Build and customize forms for your particular needs
  • Allow patients to schedule appointments
  • Collect consent forms
  • Collect payments
  • Integrate with other HIPAA-compliant software
  • Obtain patient signatures and files

The next step is to ensure that the data you collect is encrypted, which means your PHI and data are turned into unreadable text using software or algorithms that are deciphered through an encryption key only you have access to. This protects your data if there’s a breach or theft, and makes the data useless to anyone who unlawfully obtains it.

JotForm’s HIPAA-compliant online forms automatically encrypt form data, guaranteeing the privacy of PHI. To ensure your PHI stays secure, you’ll also receive a signed BAA that creates binding liability and keeps your business protected.

The bottom line on HIPAA-compliant websites

When designing a HIPAA-compliant website, you must make sure that, when you collect PHI, it’s secure the entire time it’s being collected, stored, and transmitted.

When you use secure online forms and encrypted data to protect PHI, your website has the key components necessary to be both HIPAA compliant and safe for your patients to use, all while supporting your marketing efforts.

This article is originally published on Jun 18, 2020, and updated on May 14, 2021.
Firm believer in personal data privacy in the age of information. Close follower of the new regulations concerning patient confidentiality & HIPAA. You can reach George through his contact form. The views stated herein are for discussion only, and are not intended to constitute medical advice or any other advice, procedures, or guidelines for diagnosing or treating any medical condition or for any aspect of the practice of medicine.

Send Comment:

JotForm Avatar
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Podo CommentBe the first to comment.