·  Legal News, Analysis, & Commentary


How to Make Your Website HIPAA Compliant

— December 11, 2020

Engaging in HIPAA best practices and carrying out periodic checks is the ideal way to keep your patient’s information and your business safe at all times.

Anyone involved in the healthcare industry knows the criticality of sensitive data that is handled on a daily basis. The privacy and security of health and medical information are equally important for both patients and healthcare professionals. But how you manage these criteria reflects directly on your business’s image.

Therefore, health care providers such as doctors, clinics, hospitals, nursing homes, pharmacies, etc. need to ensure they have a HIPAA compliant website.

What Aspects Should You Consider?

Your responsibility is to make sure that, at the bare minimum, data is:

  • always encrypted during online transmission
  • never lost
  • only accessible by authorized personnel 
  • not tampered with or altered
  • encrypted when stored or archived

Can your website guarantee all this and more?

If your website is a basic one created through an ordinary web hosting provider with the help of off-the-shelf software and doesn’t have security best practices in place, you need to continue reading this blog.

As a business owner in the medical community, your top-most priority should be to ensure that protected health information (PHI) about patients is safe and secure at all times, whether it’s during collection, storage, or transmission. The best solution is to use a website that is HIPAA (Health Insurance Portability and Accountability Act) compliant and confirm that the latest security protocols are always being utilized.

This not only prevents hackers from accessing sensitive data, but it also improves your credibility and trustworthiness. In fact, if your website is found to be HIPAA-noncompliant, you are at risk of violating the HIPAA Security Rules and incurring fines for not following these guidelines.

Steps to Follow to Make Your Website HIPAA Compliant

HIPAA requires explicit administrative, physical, and technical safeguards to protect healthcare data. Here is a list of steps you need to work on in order to make your website HIPAA compliant:

1. Use SSL protection

One of the first HIPAA protection measures is to acquire an SSL certificate for your website. This is clearly seen as https:// in the URL before the name of your website.

SSL stands for Secure Sockets Layer. It refers to the technology used to keep an internet connection secure and safeguard data sent between your website and the server.

With the help of encryption algorithms, SSL ensures that the data is impossible to read. So if someone were to log into your site, it would not make any sense.

While SSL allows websites to meet HIPAA’s data transmission security requirement, the crucial aspect here is to make sure that your web host provides a strong enough SSL configuration.

2. Encrypt all data

All highly sensitive data shared, collected, or stored on your website needs to be protected. Whether the data you have is gathered through emails or online web forms on your site, it must always be encrypted. This keeps all communications between your website and the end-user safe. The only person who should be able to see the information should be the end-user.

But this also implies that data that is stored or archived, locally and via a cloud, needs to be encrypted. It is especially important if you have backed up data which is stored in locations out of your control, or if you share a web server with other customers.

3. Backup all information

All client information needs to be backed up so that it can be restored in case there is an emergency. Whether you use a local backup or a secure cloud service, you must ensure that it is HIPAA compliant.

You must have a data backup plan, and data restoration procedures for retrieving exact copies of PHIs in case originals are damaged due to fire, natural disasters, accidental deletion, or system malfunctions.

4. Ensure data integrity

Data integrity means data that you have is not tampered with or altered in any way. There are various encryption methods that offer tamper-proof integrity, such as AES, PGP, or SSL.

You need to develop integrity policies and implement the right procedures to address these requirements. Complete regular integrity checks to identify and verify all the users that have the authorization to access PHI.

5. Data should be encrypted during transmission

While it’s necessary to ensure data is stored on a server that is HIPPA compliant, you must establish transmission security as well.

Any data transferred between users and sites need to be encrypted. Often encryption algorithms scramble data while during transit. So even if a hacker tries to intercept the information during transmission, they will not be able to read, understand, or modify any details. 

6. Permanent deletion of data

If a client requests to have their information removed from your database or decides to leave your service, you will need to remove the data permanently. HIPAA mandates that all data irrelevant to a business must be deleted.

But this may be a bit harder than it sounds. Locating all the places that the data is stored and archived up takes time. And this includes information that is backed up in storage and on servers.

7. Access to PHI only by authorized personnel

You’ve taken the time and effort to ensure that information is encrypted and stored in a protected environment. But anyone with access to the appropriate keys can gain access to the data as well.

Image of a doctor working at a laptop
Doctor working at a laptop; image courtesy of Free-Photos via Pixabay,

You need to implement appropriate authorization protocols such as:

  • Unique, secure logins 
  • Granting only authorized personnel the authority to access controls
  • Limiting the people who can access your email and messaging systems
  • Restricting access to administrative functions only to administrators such as making changes on a website
  • Assigning different levels of clearance and system access to employees depending upon their job description

Employees need to understand that only authorized individuals have access to protected health documents and information. Failure to do so could compromise HIPAA’s regulations.

8. Appropriate security management and data breach protocol

As one of the administrative safeguards of HIPAA’s checklist, you need to implement security best practices through awareness and training. You should consider the following:

  • Issue security updates and reminders regularly
  • Implement adequate safety measures to protect workstations, servers, and digital systems from malicious software
  • Monitor user logins 
  • Devise strategies to respond to suspicious activities and diminish their effects
  • Evaluate whether your policies and protocols effectively protect client information 
  • Develop a contingency plan to help neutralize a breach as quickly as possible and manage the compromised data

9. Regularly change passwords

You should establish and implement strict rules for password creation, modification, and protection. But according to HIPAA, all passwords must be changed regularly.

10. Business associate agreements ensuring HIPAA compliance with third-party vendors

Any service provider and third-party vendor that has access to your website must also sign a HIPAA Business Associate Privacy Agreement. This ensures that they will also follow HIPAA security requirements.

Similarly, a web development company and web host provider will have to make sure that the infrastructure they provide is HIPAA compliant.

Final thoughts

There are several other ways you can guarantee compliance. But it all boils down to the fact that you need to implement the right HIPAA compliance measures today and ensure your business is not negatively impacted. If you are found to be noncompliant, severe penalties can be imposed, with criminal charges going up to $1.5 million in fines and liability in civil suits.

Engaging in HIPAA best practices and carrying out periodic checks is the ideal way to keep your patient’s information and your business safe at all times.

Join the conversation!