Think Your Healthcare Website is HIPAA Proof? Think Again


A HIPAA-compliant website is required whenever the website is used to collect, display, store, process, or transmit PHI.


If your website only showcases your company, provides contact information, and lists the services you provide, then there are no HIPAA requirements for your website.


However, this is where confusion reigns. It’s easy (and some would say endemic) for healthcare providers to take an ostrich view of their website and simply stick their head in the sand when it comes to HIPAA.


A recent survey by HIPAA Digital revealed that 72% of United States healthcare website owners, including psychiatrists, therapists, counselors, dentists and doctors, believed their website did not need to be HIPAA compliant, when in fact all of their websites were processing PHI and inadvertently breaching HIPAA.


The confusion stems from misunderstanding what constitutes PHI and what activities necessitate HIPAA compliance.


The biggest mistake Healthcare providers are making is to assume their website does not collect ePHI


PHI is not limited to medical records. It includes any information that can be used to identify a patient and relates to their health condition, provision of health care, or payment for health care.


This broad definition means that even seemingly innocuous information collected via contact forms, appointment requests, or chat services on a website qualifies as PHI.


If your website has any of the following features, then it must be HIPAA compliant:


  • Contact Forms: Any form that patients use to provide personal information, including health-related details (regardless of whether or not you have a disclaimer).
  • Click to Email Buttons: Features that allow users to send an email to the provider directly from the website, which may include PHI.
  • Reviews: If you display user reviews on your website, you are inviting a HIPAA violation.
  • Analytics: Tools that track and analyze website traffic and user behavior. Analytics captures IP addresses and other identifiers linked to PHI.
  • Server Logs: Records that contain details about website visits, including IP addresses, which can be linked to specific individuals. Most providers are unaware that server logs exist.
  • Social Media Links: Direct links transfer user data to social media platforms, which is a sharing of PHI.
  • Facebook Tracking Pixels: These collect data on website visitors for retargeting and behavioral advertising.
  • Advertising Pixels: Similar to Facebook tracking pixels, these are used for online ad targeting and track user behavior across sites.
  • Appointment Scheduling Systems: Online systems where patients can book appointments, often requiring them to enter personal and health information. Regardless of whether the patient portal itself is HIPAA compliant, the hand-off between a user being on your website and clicking through to the patient portal can be intercepted by bad actors.
  • Live Chat Support: Real-time chat features involve the exchange of PHI.
  • Patient Portals: Sections of the website where patients can access their health records, communicate with healthcare providers, and manage appointments.
  • Payment Gateways: If the website processes payments for healthcare services, the transactional data could include PHI. Most payment gateways are not HIPAA compliant; for example, Stripe and PayPal are not HIPAA compliant, and the responsibility is on you as the provider.
  • Health Forms and Questionnaires: Online forms that collect health information, medical history, or other data that falls under PHI.
  • Telehealth Services: If the website facilitates or hosts virtual healthcare services, the interactions and data exchanged are considered PHI. Skype is not HIPAA compliant, and neither are basic Zoom versions.
  • Cloud Storage Integration: When a website uses cloud services to store or process data, any PHI stored or transmitted must be protected in compliance with HIPAA.
  • User Registration and Login Areas: Where users can create accounts, log in, and access or input health information.
  • Email: If you communicate with patients via email, then this email needs to be HIPAA compliant. Basic Gmail is not HIPAA compliant, and using it to send PHI is a violation.
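Most of the channels in the list above are visible in a page's HTML, so a provider can check for them before deciding which vendors need a BAA and which embeds should simply be removed. The following Python script is an added example (it is not code from the original article or from HIPAA Digital): it parses a page with the standard library and flags contact forms, click-to-email links, social media links, Facebook and Google analytics/advertising tags, and live-chat embeds. The tracker, social-host and chat-widget signatures are assumptions chosen for illustration and are not a complete catalogue; the sample page is constructed.

```python
"""Audit an HTML page for the PHI-handling channels the article lists:
contact forms, click-to-email links, analytics and advertising pixels,
social media links and live-chat widgets.
Added example; signature lists are assumptions, not a complete catalogue."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# script/img/iframe sources that indicate a third-party tracker (assumed list)
TRACKER_SIGNATURES = {
    "connect.facebook.net": "Facebook tracking pixel",
    "facebook.com/tr": "Facebook tracking pixel",
    "googletagmanager.com": "Google Tag Manager / Analytics",
    "google-analytics.com": "Google Analytics",
    "doubleclick.net": "Advertising pixel",
}
# hosts whose outbound links hand the visitor to a social platform (assumed list)
SOCIAL_HOSTS = ("facebook.com", "twitter.com", "x.com", "instagram.com", "linkedin.com")
# hosts of common live-chat embeds (assumed list)
CHAT_SIGNATURES = ("tawk.to", "intercom.io", "crisp.chat", "livechatinc.com")


class PhiChannelAuditor(HTMLParser):
    """Collects (category, detail) findings while parsing one page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_buf = None  # accumulates inline <script> text

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.findings.append(("form", a.get("action", "")))
        elif tag == "a":
            self._check_link(a.get("href", ""))
        elif tag in ("script", "img", "iframe"):
            self._check_src(a.get("src", ""))
        if tag == "script":
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            text = "".join(self._script_buf)
            # inline initialisation calls are the usual sign of a pixel or GA tag
            if "fbq(" in text:
                self.findings.append(("Facebook pixel (inline)", "fbq() call"))
            if "gtag(" in text:
                self.findings.append(("Google Analytics (inline)", "gtag() call"))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def _check_link(self, href):
        if href.lower().startswith("mailto:"):
            self.findings.append(("click-to-email", href))
            return
        host = urlparse(href).netloc.lower()
        if any(host == h or host.endswith("." + h) for h in SOCIAL_HOSTS):
            self.findings.append(("social-link", href))

    def _check_src(self, src):
        low = src.lower()
        for sig, label in TRACKER_SIGNATURES.items():
            if sig in low:
                self.findings.append((label, src))
                return
        if any(sig in low for sig in CHAT_SIGNATURES):
            self.findings.append(("live-chat widget", src))


def audit_html(html: str) -> list:
    """Return every (category, detail) finding for one page's HTML."""
    parser = PhiChannelAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings) -> dict:
    """Count findings per category; an empty dict means nothing was flagged."""
    return dict(Counter(category for category, _ in findings))


# constructed sample page containing one of each channel type (not a real site)
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>function gtag(){dataLayer.push(arguments);} gtag('config', 'G-XXXX');</script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
</head><body>
<form action="/contact" method="post"><input name="name"><input name="symptoms"></form>
<a href="mailto:office@example-clinic.test">Email us</a>
<a href="https://www.facebook.com/example-clinic">Facebook</a>
<a href="/services">Services</a>
<script src="https://embed.tawk.to/abc/default"></script>
<img src="https://www.facebook.com/tr?id=000&ev=PageView" height="1" width="1">
</body></html>"""

if __name__ == "__main__":
    for category, detail in audit_html(SAMPLE_HTML):
        print(f"{category:32} {detail}")
```

Run it against a saved copy of each page on the site; every finding is either a vendor that needs a signed BAA or an embed that should be removed before the page handles PHI.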


The HIPAA Problem with Website Builders



If your healthcare website is built on Wix, Squarespace or any of the other popular cheap (or free) website builders, and it has any of the PHI identifiers listed above, then there is a high chance your website is not HIPAA compliant.


It’s time to reassess your HIPAA requirements


It is crucial for healthcare providers to take a proactive approach to HIPAA compliance. Relying on outdated information or assumptions about their website’s interaction with Protected Health Information (PHI) is a risky gamble.


Just because a healthcare provider read something years ago, which led them to believe that their site does not handle PHI, does not exempt them from the obligations under HIPAA.


The landscape of digital health information is constantly evolving, and what may have been true at one point quickly becomes outdated.


The Office for Civil Rights (OCR) is increasingly vigilant in its oversight of healthcare entities, including their websites. The OCR has the authority to conduct audits, investigate complaints and issue fines against entities that fail to comply with HIPAA regulations.


The OCR does not distinguish between large and SME healthcare providers when it comes to HIPAA requirements: regardless of size, they must all comply.


Ignoring HIPAA requirements because of a misunderstanding or outdated information about the website’s function can lead to severe penalties and damage to your reputation.


Healthcare providers must start to re-evaluate and update their understanding of how their websites interact with PHI. They need to ensure that all aspects of their digital presence comply with HIPAA’s privacy and security rules. This includes ensuring that all website functions are secure and compliant.


HIPAA Compliant Website Checklist


  • Do you have a valid SSL certificate?
  • Is the website hosted with a HIPAA compliant hosting company?
  • Have you encrypted data at rest and in transit?
  • Are you using HIPAA-compliant web forms?
  • Have you set access controls?
  • Are you recording and monitoring logs?
  • Are you maintaining an audit trail?
  • Do you have signed business associate agreements for all vendors?
  • Are you backing up all PHI?
  • Have you developed policies and procedures for restoring and deleting data?
  • Have you obtained consent from patients before publishing testimonials on your website?
  • Does your website include a notice of privacy practices?
  • Does your website include your HIPAA policy?
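The "server logs" item earlier and the "recording and monitoring logs" and "audit trail" items in this checklist pull in opposite directions: you need logs to monitor and investigate, but a raw web server log stores every visitor's IP address beside the page they requested, and a contact-form submission sent with GET can leave the form fields in the request line. The following Python script is an added example (not from the original article or from HIPAA Digital) of one way to reconcile the two: it rewrites combined-format access log lines so the client IP is replaced by a keyed HMAC pseudonym (the same visitor still correlates across entries, so the audit trail survives) and query strings are dropped from the request target and referer. The log lines and the key are constructed placeholders; in production the key belongs in a secrets store and should be rotated on a schedule.

```python
"""Pseudonymize client IPs and strip query strings from web server access logs.
Added example; log lines and key are constructed, the format is Apache/nginx
'combined' and anything that does not match it gets a token-wise IP scrub."""
import hashlib
import hmac
import ipaddress
import re

# Apache/nginx combined log format
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym: stable for one key, unlinkable to the IP without it."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def strip_query(target: str) -> str:
    """Keep the path, drop form fields or tokens that rode along in the query."""
    base, sep, _ = target.partition("?")
    return base + "?[query-redacted]" if sep else target


def _scrub_token(token: str, key: bytes) -> str:
    # fallback for lines that do not match the combined format
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return token
    return pseudonymize_ip(token, key)


def scrub_log_line(line: str, key: bytes) -> str:
    """Return a copy of one log line with no raw IP and no query strings."""
    m = COMBINED_LOG.match(line.rstrip("\n"))
    if m is None:
        return " ".join(_scrub_token(t, key) for t in line.split())
    f = m.groupdict()
    return (
        f'{pseudonymize_ip(f["ip"], key)} {f["ident"]} {f["user"]} [{f["time"]}] '
        f'"{f["method"]} {strip_query(f["target"])} {f["proto"]}" {f["status"]} {f["size"]} '
        f'"{strip_query(f["referer"])}" "{f["agent"]}"'
    )


def scrub_log(lines, key: bytes) -> list:
    return [scrub_log_line(line, key) for line in lines]


# constructed sample entries (documentation IP ranges, fictitious host)
KEY = b"constructed-demo-key-store-in-a-secrets-manager"
LOG_LINES = [
    '203.0.113.45 - - [10/Oct/2024:13:55:36 +0000] "GET /contact?name=Jane&symptoms=chest+pain HTTP/1.1" '
    '200 2326 "https://www.example-clinic.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "POST /book HTTP/1.1" '
    '302 0 "https://www.example-clinic.test/book?dr=smith" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Oct/2024:13:57:12 +0000] "GET /thanks HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    "malformed entry from 2001:db8::1 during log rotation",
]

if __name__ == "__main__":
    for scrubbed in scrub_log(LOG_LINES, KEY):
        print(scrubbed)
```

Run the scrubber as the log-shipping step, so the raw file never leaves the server and the copy that analysts and vendors see is the pseudonymized one; the status codes, paths and user agents it keeps are enough for monitoring, while the HMAC key is the only thing that ties a pseudonym back to a person.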


The Solution


HIPAA Digital is a complete 3-in-1, done-for-you solution, so that you never need to worry again about your website, hosting or Business Associate Agreements.


As well as signing a BAA, we also make sure all of your BAAs relating to your website and marketing activities are signed by the relevant providers and available in your dashboard for as and when they are needed.


Our friendly account managers talk your language; we all have significant experience in digital healthcare and won’t bamboozle you with technical jargon.


We’ll work out what’s wrong, fix it, and make sure you are fully compliant going forward.
