How to design a HIPAA-friendly website

A 2018 survey of more than 1,000 U.S. adults found that 80 percent of respondents have used the internet to conduct a healthcare-related search in the past year. In addition, 63 percent of those respondents will choose one provider over another because of a strong online presence with relevant, accurate, and compelling information.

It’s critical that a medical provider has a good website. But the website also needs to enable the Health Insurance Portability and Accountability Act (HIPAA). If it doesn’t, your website can cause irreparable damage to your reputation and heavy fines and penalties.

The following tips will help ensure the website you design is effective and HIPAA-friendly.

The basics of HIPAA-friendly websites

To ensure your website is HIPAA-friendly, you need to understand the basics of HIPAA.

HIPAA was created to regulate how protected health information (PHI) is secured. PHI is basically any patient data, such as a name, address, telephone number, birthday, email address, or medical record. Even scheduling an appointment requires the use of PHI, because you’re dealing with information that identifies who the patient is.

According to HIPAA, healthcare providers and vendors who encounter PHI must comply with the regulations. HIPAA designates healthcare providers as “covered entities” and the vendors they use as “business associates.” If a provider is working with a vendor and PHI is involved, the two parties must sign a business associate agreement (BAA), which legally covers the provider if there’s a data breach..

Whether you’re a physician or a telehealth service provider, you must have a HIPAA-friendly website that protects PHI.

What is a HIPAA-friendly website?

Basically, a HIPAA-friendly website is one that protects PHI. If you collect, transmit, or store PHI on and through your website, your site needs to be HIPAA-friendly.

Securing and encrypting your website — from web hosting and email servers to passwords and web forms — makes it HIPAA-friendly. These measures protect everyone involved in a patient’s care (including doctors, nurses, administrators, and the patients themselves) against a data breach.

When designing your website, it’s important to determine what you want visitors to do. For example, you might want them to be able to send an email to you, fill out a form, or access a patient portal to view and update their medical histories.

Once you know what you want your visitors to do on your website, make sure these actions are not only easy for them to take but also that they’re HIPAA-friendly. To ensure you’re enabling HIPAA, ask yourself these questions:

• Are you collecting PHI via your website?
• Are you transmitting PHI through your website?
• Are you storing PHI on a server on your website?

If the answer to any of these questions is yes, make sure your website is HIPAA-friendly.

How to make a website HIPAA-friendly

Due to the serious nature of HIPAA regulations and the information they protect, it’s important your website is HIPAA-friendly to safely and securely collect, transmit, and store sensitive data like PHI.

Here are five steps to help you get started:

1. Use HIPAA-friendly web hosting. Since your web host is the first line of defense against security threats and breaches, it needs to have proper HIPAA practices in place, such as providing regular scans and updates. And if it doesn’t, you need to find one that does.

2. Obtain a Secure Sockets Layer (SSL) certificate. An SSL certificate will create a secure link between your website and a visitor’s browser, ensuring that all PHI passing between the two remains private and secure.
3. Use HIPAA-friendly online forms. With HIPAA-friendly online forms, like those from Jotform, you can ensure you’re collecting PHI securely, which helps reduce the risk of data breaches and unsecured information being released. Additionally, if you use Jotform’s HIPAA-friendly online forms, you can build and customize forms for your particular needs, allow patients to schedule appointments, collect consent forms, take payments, integrate with other HIPAA-friendly software, and obtain patient signatures and files.
4. Encrypt your collected data. Encrypting the data you collect turns PHI into unreadable text using software or algorithms that can be deciphered through an encryption key only you have access to. This protects your data if there’s a breach or theft, and it makes the data useless to anyone who unlawfully obtains it. Jotform’s HIPAA-friendly online forms automatically encrypt form data, guaranteeing the privacy of PHI. To ensure your PHI stays secure, you’ll also receive a signed business associate agreement (BAA) that creates binding liability and keeps your business protected.
5. Provide compliance training. Once you implement these changes and update your website to be HIPAA-friendly, it’s important to provide company-wide compliance training, no matter the size of your organization. This way, everyone will be on the same page about both the basics of features that help with HIPAA compliance and what they’re required to do to help reduce data breaches, such as not sharing passwords or leaving logged-in computers unattended. Consider offering the training annually, too, as a refresher or if security issues seem to be on an uptick.

The bottom line on HIPAA-friendly websites

When designing a HIPAA-friendly website, you must make sure that PHI is secure the entire time it’s being collected, stored, and transmitted.

When you use secure online forms and encrypted data to protect PHI, your website has the key components necessary to be both HIPAA-friendly and safe for your patients to use, all while supporting your marketing efforts.