How to design a HIPAA-compliant website

A 2018 survey of more than 1,000 U.S. adults found that 80 percent of respondents have used the internet to conduct a healthcare-related search in the past year. In addition, 63 percent of those respondents will choose one provider over another because of a strong online presence with relevant, accurate, and compelling information.

It’s critical that a medical provider has a good website. But the website also needs to comply with the Health Insurance Portability and Accountability Act (HIPAA). If it doesn’t, your website can cause irreparable damage to your reputation and heavy fines and penalties.

The following tips will help ensure the website you design is effective and HIPAA compliant.

The basics of HIPAA-compliant websites

To ensure your website is HIPAA compliant, you need to understand the basics of HIPAA.

HIPAA was created to regulate how protected health information (PHI) is secured. PHI is basically any patient data, such as a name, address, telephone number, birthday, email address, or medical record. Even scheduling an appointment requires the use of PHI, because you’re dealing with information that identifies who the patient is.

According to HIPAA, healthcare providers and vendors who encounter PHI must comply with the regulations. HIPAA designates healthcare providers as “covered entities” and the vendors they use as “business associates.” If a provider is working with a vendor and PHI is involved, the two parties must sign a business associate agreement (BAA), which legally covers the provider if there’s a data breach..

Whether you’re a physician or a telehealth service provider, you must have a HIPAA-compliant website that protects PHI.

Just so you know

Make your website HIPAA-compliant with Jotform’s HIPAA-compliant forms. Safely collect sensitive patient data, signatures, files, and more online.

What is a HIPAA-compliant website?

Basically, a HIPAA-compliant website is one that protects PHI. If you collect, transmit, or store PHI on and through your website, your site needs to be HIPAA compliant.

Securing and encrypting your website — from web hosting and email servers to passwords and web forms — makes it HIPAA compliant. These measures protect everyone involved in a patient’s care (including doctors, nurses, administrators, and the patients themselves) against a data breach.

When designing your website, it’s important to determine what you want visitors to do. For example, you might want them to be able to send an email to you, fill out a form, or access a patient portal to view and update their medical histories.

Once you know what you want your visitors to do on your website, make sure these actions are not only easy for them to take but also that they’re HIPAA compliant. To ensure you’re complying with HIPAA, ask yourself these questions:

  • Are you collecting PHI via your website?
  • Are you transmitting PHI through your website?
  • Are you storing PHI on a server on your website?

If the answer to any of these questions is yes, make sure your website is HIPAA compliant.

How to make a website HIPAA compliant

Due to the serious nature of HIPAA regulations and the information they protect, it’s important your website is HIPAA compliant to safely and securely collect, transmit, and store sensitive data like PHI.

Here are five steps to help you get started:

  1. Use HIPAA-compliant web hosting. Since your web host is the first line of defense against security threats and breaches, it needs to have proper HIPAA practices in place, such as providing regular scans and updates. And if it doesn’t, you need to find one that does.
  2. Obtain a Secure Sockets Layer (SSL) certificate. An SSL certificate will create a secure link between your website and a visitor’s browser, ensuring that all PHI passing between the two remains private and secure.
  3. Use HIPAA-compliant online forms. With HIPAA-compliant online forms, like those from Jotform, you can ensure you’re collecting PHI securely, which helps reduce the risk of data breaches and unsecured information being released. Additionally, if you use Jotform’s HIPAA-compliant online forms, you can build and customize forms for your particular needs, allow patients to schedule appointments, collect consent forms, take payments, integrate with other HIPAA-compliant software, and obtain patient signatures and files.
  4. Encrypt your collected data. Encrypting the data you collect turns PHI into unreadable text using software or algorithms that can be deciphered through an encryption key only you have access to. This protects your data if there’s a breach or theft, and it makes the data useless to anyone who unlawfully obtains it. Jotform’s HIPAA-compliant online forms automatically encrypt form data, guaranteeing the privacy of PHI. To ensure your PHI stays secure, you’ll also receive a signed business associate agreement (BAA) that creates binding liability and keeps your business protected.
  5. Provide compliance training. Once you implement these changes and update your website to be HIPAA compliant, it’s important to provide company-wide compliance training, no matter the size of your organization. This way, everyone will be on the same page about both the basics of HIPAA compliance and what they’re required to do to help reduce data breaches, such as not sharing passwords or leaving logged-in computers unattended. Consider offering the training annually, too, as a refresher or if security issues seem to be on an uptick.

The bottom line on HIPAA-compliant websites

When designing a HIPAA-compliant website, you must make sure that PHI is secure the entire time it’s being collected, stored, and transmitted.

When you use secure online forms and encrypted data to protect PHI, your website has the key components necessary to be both HIPAA compliant and safe for your patients to use, all while supporting your marketing efforts.

This article is originally published on Jun 18, 2020, and updated on Jun 14, 2022.

Send Comment:

Jotform Avatar
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Comment:

Podo CommentBe the first to comment.