Is Your Website HIPAA-Compliant? | HIPAA & Health Information Technology

If you are a HIPAA-covered entity or business associate, you likely know that patient PHI may only be created, received, maintained, and transmitted as permitted by the HIPAA Security Rule and the HIPAA Privacy Rule. But you may not have focused on your company's website as a place where PHI is collected and transmitted. If you are subject to HIPAA, you should regularly assess your website's data practices. As described in this , you should make sure that third-party trackers like Meta Pixel are not accessing and disclosing data behind the scenes. But common customer-facing tools should not be overlooked either. Common ways in which PHI may be collected and transmitted include:

  • Live Chat
  • Patient Portals
  • Online Patient Forms
  • Online Scheduling Tools
  • Reviews and Testimonials
  • Email
  • Online Loyalty Programs

The HIPAA Privacy Rule requires that entities that create, receive, maintain, and/or transmit PHI take specific measures to protect it. For example, if your company keeps individually identifiable medical information on a server, that server must be encrypted and secure. Transmitting PHI includes sending information via email, text, web forms, or other forms of electronic messaging. Storing PHI includes storing information in apps, data centers, etc. If your company website collects, stores, or transmits PHI and does not take reasonable measures to secure that data, it may violate HIPAA.

To begin remediating risks, companies should:

  • Purchase and implement an SSL certificate for the company website
  • Ensure all web forms on the company website are encrypted and secure
  • Only send emails containing PHI through encrypted email servers
  • Partner with web hosting companies that are HIPAA-compliant and have processes for protecting PHI
  • Execute BAAs with third parties that have access to PHI (including web hosting companies)
  • Ensure that PHI is only accessible by authorized individuals within your company
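A small static check for two of the website risks discussed above (web forms that would submit data over plain HTTP, and a Meta Pixel loader script present on a patient-facing page), as an added example and not code from the original post. The clinic URLs are constructed placeholders; the one real value is connect.facebook.net, the host that serves the Meta Pixel loader.

```python
"""Audit a page's HTML for insecure form targets and Meta Pixel tracker scripts."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Script hosts to flag. connect.facebook.net serves the Meta Pixel loader (fbevents.js).
TRACKER_HOSTS = {"connect.facebook.net"}


class _Audit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action posts back relative to the page itself,
            # so resolve it against the page URL before checking the scheme.
            target = urljoin(self.page_url, a.get("action") or "")
            if urlparse(target).scheme != "https":
                self.findings.append(("insecure_form", target))
        elif tag == "script" and a.get("src"):
            host = urlparse(urljoin(self.page_url, a["src"])).hostname or ""
            if host in TRACKER_HOSTS:
                self.findings.append(("tracker_script", a["src"]))


def audit_html(page_url, html):
    """Return a list of (issue, detail) tuples for the given page HTML."""
    parser = _Audit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page for a hypothetical clinic site (placeholder domains).
SAMPLE_HTML = """
<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<form action="http://forms.example-clinic.test/intake" method="post">
  <input name="dob"><input name="symptoms"></form>
<form action="/schedule" method="post"><input name="name"></form>
<form action="https://portal.example-clinic.test/login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for issue, detail in audit_html("https://www.example-clinic.test/contact", SAMPLE_HTML):
        print(issue, detail)
```

The relative `/schedule` form is only acceptable because the page itself is served over HTTPS; the same markup on an HTTP page is flagged.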