facebook-script

Fast Guide to a HIPAA Compliant Website

Fast Guide to a hipaa compliant website

There’s no question that people expect to be able to find anything online, including doctors, and as much information about them as possible. But as a medical professional, business is much more sensitive and stricter requirements must be followed. Not following these may result in up to a million dollars in fees.

However, here are 7 checks you can do to make sure your site is secured.

Encrypted Transmission:
Data transmitted through the internet needs to be encrypted. By default, information is not encrypted and can be intercepted by anyone that knows how. This has an easy solution and is recommended all sites be encrypted. Use an SSL or TLS certificate to encrypt this and check this box off your list.

Backup:
All data should be backed up regularly. Most web hosts will create backup points for you, however, most e-mails are not automatically backed up and a third party program or technical knowledge may be needed for this.

Proper Authorization:
This is completely dependant on management. Do you share one login to check PHI or does each individual have their own login? Is your hosting provider a trusted HIPAA Business Associate? Best practice is to give each staff member only as much access as they need, and not share logins with others. This includes access to the backup.

Storage Encryption:
This is dependant on your host, make sure your site content is stored in an encrypted server. Normally, data is not encrypted in storage. SSL only affect data transmitted, but we must also secure data stored.

Disposal:
Making sure data that needs to disappear, disappears. This is harder than it sounds because we have so many systems making backups automatically. This may require a lot of scrubbing and manually deleting backups.

Integrity of Data:
If all other precautions are taken, this is checked off. What this refers to, is that data is accurate and has not been altered. It could maliciously be altered by the wrong person having access to the PHI or an outside party exploiting a vulnerability.

BAA:
You’re required to have a Business Associate Agreement with vendors associated with your website. It’s important for your website to be designed, developed, and hosted with knowledge of all HIPAA requirements.

If you’re not able to check off everything in this guide, we recommend discussing this with your web developers and addressing any shortcomings.

Related Blogs