As a healthcare provider, you are already familiar with HIPAA Privacy Rule–a national regulation that sets standards to the privacy and security of protected health information (PHI). But, did you know that your website and social media accounts must also comply with these regulations? This holds true whether healthcare providers manage their online presence internally or use a third-party vendor.

Before we dig into the essentials of a HIPAA-compliant website, let’s take a look at exactly what data you are responsible to protect both online and off.

What is considered PHI?

Protected health information includes the following identifiers: 

  • Name
  • Location
  • Dates
  • Contact numbers
  • Email addresses
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers, including driver’s license numbers
  • Vehicle license plate numbers
  • URLs
  • IP address numbers
  • Biometric identifiers such as fingerprints
  • Full-face photographs and video
  • Any other unique identifying numbers, characteristics or codes

Features of a HIPAA-Compliant Website

1. Secure Sockets Layer (SSL) Protection

A secure sockets layer, or SSL, is an encrypted link between a web server and a browser that ensures all data passed between two remains private. This layer of protection keeps everything safely encrypted whenever someone logs into your site or manages their account. In the event someone stole or intercepted information, SSL protection means they wouldn’t be able to make sense of it. Not sure if your website already has SSL protection? Look at the URL in your browser to make sure it begins with “https” rather than “http”.

2. Data Encryption

Healthcare providers need layers of protection to effectively protect PHI. In addition to SSL protection, you will also need to encrypt any data that you store with full data encryption. If information is collected on a form and then passed through and emailed to an inbox, the data needs to be encrypted both in transit and at rest.

3. Secure Server

A HIPAA-compliant website must be hosted on a secure server with proper safeguards such as a firewall. You also need an established and documented policy for the storage, transfer, disposal and reuse of data. 

4. Updated Privacy Policy

A privacy policy is required by federal and state law if you collect personal data. For medical websites, the Notice of Privacy Practices needs to contain all the requirements as defined by HIPAA regulations. The U.S. Department of Health and Human Services has created a sample Notice of Privacy Practices that you can download and use (for free) to meet the requirements.

5. Third-Party Agreement

If you are using a third-party vendor, make sure you have an agreement in place that clearly defines the responsibility and requirements of service providers who manage and handle patient health information. 

There are more precautions you need to take for a HIPAA-compliant site, but these are the most important starting points for your practice. If your website is not compliant, there is a higher risk of a breach which potentially could lead to a possible violation and fine.

Working with established healthcare industry website designers can help minimize the stress in creating a HIPAA-compliant website. They will know everything that’s needed, both on the website’s backend and for patient-facing information.

Request a free consultation and learn more about how we can help protect your patients and yourself with a custom-designed HIPAA-compliant website.

Previous Blog
Next Blog

Agency Insights + Perspectives

Sign up to receive the latest agency perspectives,
cultural insights and inspiration.