
    Is your website a HIPAA violation?

    5 questions to ask yourself to avoid an HHS lawsuit.

    Since the Health Insurance Portability and Accountability Act (HIPAA) became law in 2003, dental offices have struggled to comply with the vast regulations and requirements set forth by the legislation. Back then, many dentists didn’t have a website, nor did they understand the power of the internet to increase efficiencies in their practices.

    Today, there are over one billion websites on the internet and HIPAA compliance has extended its reach to include the electronic transfer of personal health information (ePHI) over the web and how the data is hosted and stored.

    According to the US Department of Health and Human Services (HHS), the lack of administrative safeguards of ePHI is currently the fourth-most investigated type of non-compliance since the law’s inception. It’s fair to assume these types of violations will continue to be reported and draw the attention of HHS.

    Related article: 12 steps for creating a HIPAA compliance plan

    There are many technical specifications related to HIPAA compliance, and we will cover those in a moment. For now, ask yourself the following:

    1. Do patients contact me through my website regarding their symptoms?
    2. Do patients contact me through my website with post-op questions?
    3. Do I have online forms that patients can complete (like new patient forms or health history forms) or do I want to add that to my website?
    4. Do I have patient data on a laptop that leaves my office?
    5. Are staff members emailing patients regarding their dental health or treatment without using encryption?

    If you answered “yes” to any one of these questions, then you need a HIPAA-compliant website.

    So, how do you ensure your website is HIPAA compliant? For smaller entities like an independent dental office, you are required to take reasonable steps to ensure the protection of your patients’ ePHI. Some of these requirements are simple to implement in your practice right away.

    Determining your level of compliance

    Seven major points should be evaluated to determine if your website is HIPAA compliant. They consist of the following:

    1. Access Control: Team members should have unique logins and passwords when accessing your website. Administrative access should not be given to team members who do not need complete access to every function. As a basic rule, limit access as much as possible while still allowing each team member to perform his or her basic duties within your practice.

    Related article: What you need to know about HIPAA compliance and patch management

    If your team does not access your website but instead has a third party maintaining and making updates, you must have a current HIPAA Business Associates Agreement with that company. We’ll go into more detail on agreements shortly.

    Read on to find six more ways to evaluate your compliance...

    Christine C. Bahu
    Christine Bahu is the agency founder of SmileMore Marketing (https://smilemore.marketing). She has helped 100+ dentists bring new ...
