
    Is your website a HIPAA violation?

    5 questions to ask yourself to avoid an HHS lawsuit.


    2. Audit Control: Most website platforms and hosting providers keep logs of user and administrator activity, and you need that record to reconstruct what happened after a security incident. The HIPAA Security Rule does not specify what the audit mechanism must collect or how often audit reports must be reviewed, so decide that yourselves: confirm with your web developer that logins, record access and changes are logged, that the logs are retained, and that someone is assigned to review them.


    3. Integrity: ePHI stored in your website's database can be modified or destroyed, deliberately or by accident, and not only by people: software bugs, disk failures and botched updates corrupt and delete data too. Encryption at rest protects the confidentiality of data on a stolen or discarded disk, but by itself it does not stop or detect modification; that takes access controls on the database, integrity checks (hashes or authentication tags) on stored and backed-up data, and backups you can actually restore. Your web developer has several options for encryption at rest, from encrypting fields in application code to installing a plugin that encrypts data and decrypts it only for a logged-in user; ask that whatever is chosen also detects tampering.
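The point that encryption alone does not give integrity is easy to demonstrate. The following is an added example, not code from the article or from any plugin it mentions. It uses only the Python standard library; the stream cipher is a toy built from SHA-256 in counter mode (an assumption chosen so the weakness is visible, not a recommendation), and the record is a constructed sample standing in for a row exported from a practice's database. An attacker who can edit the encrypted backup changes a patient's balance without the key; adding an HMAC tag (encrypt-then-MAC) makes the same edit detectable before anything is decrypted.

```python
"""Added example: encryption without an authentication tag is malleable;
an HMAC over the ciphertext detects the edit. Standard library only.
The stream cipher here is a toy for illustration (assumption); real systems
should use an authenticated mode such as AES-GCM from a vetted library."""

import hashlib
import hmac
import secrets
from typing import Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Rewrite the plaintext under a stream cipher WITHOUT the key.
    Since c = p XOR k, flipping c by (old XOR new) flips p the same way."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def seal(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: append HMAC-SHA256 over nonce || ciphertext."""
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(mac_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the ciphertext if the tag verifies, else None (reject, never decrypt)."""
    nonce, body, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body


# Constructed sample record (not real data) standing in for an exported database row.
RECORD = b"patient=JANE DOE;balance=0100;"
BALANCE_OFFSET = RECORD.index(b"0100")


def demo() -> dict:
    """Run the attack against the bare cipher and against the sealed form."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)

    ct = encrypt(enc_key, nonce, RECORD)
    # Attacker edits the encrypted backup, changing the balance without any key.
    forged = tamper(ct, BALANCE_OFFSET, b"0100", b"9900")
    # Without an integrity check the forged record decrypts cleanly and is trusted.
    forged_plain = decrypt(enc_key, nonce, forged)

    # With encrypt-then-MAC the same edit fails verification before decryption.
    sealed = seal(mac_key, nonce, ct)
    sealed_forged = sealed[:16] + forged + sealed[-32:]

    return {
        "original_roundtrip": decrypt(enc_key, nonce, ct) == RECORD,
        "forged_plaintext": forged_plain,
        "sealed_ok": open_sealed(mac_key, sealed) == ct,
        "sealed_forged_rejected": open_sealed(mac_key, sealed_forged) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The same tag technique applies to backup files: store an HMAC (or a digital signature) computed when the backup is taken, and verify it before a restore, so a corrupted or altered backup is noticed rather than silently loaded.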

    In May 2018 the European Union's General Data Protection Regulation (GDPR) took effect. It is a data protection law rather than a web security standard, but it has pushed vendors of common web platforms to ship encryption and integrity features, so more such plugins are likely to follow.

    4. Transmission Security: In addition to protecting ePHI in your website's database, you must encrypt it in transit. The first step is to obtain a TLS certificate (still commonly sold as an "SSL certificate"; Let's Encrypt issues them free of charge) and move your website from HTTP to HTTPS, redirecting every HTTP request to HTTPS so that a patient form can never be submitted in the clear. HTTPS encrypts traffic between the browser and the web server and lets the browser verify that it is talking to your server rather than an impostor.
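What "migrating to HTTPS" looks like on the server, as an added example that is not from the article: an nginx configuration with the weak setting beside the corrected one. The hostname, document root and certificate paths are assumptions; only one of the two port-80 blocks would be deployed at a time.

```nginx
# BEFORE (weak): the practice site, including any patient forms, is served over plain HTTP.
# Anything a patient types travels across the network unencrypted.
server {
    listen 80;
    server_name www.example-dental.com;   # assumed hostname
    root /var/www/site;                   # assumed document root
}

# AFTER (corrected): port 80 does nothing but redirect; all content is served over TLS.
server {
    listen 80;
    server_name www.example-dental.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example-dental.com;
    root /var/www/site;

    # Certificate paths as issued by certbot/Let's Encrypt (assumed location).
    ssl_certificate     /etc/letsencrypt/live/www.example-dental.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example-dental.com/privkey.pem;

    # Refuse the obsolete protocol versions; let the client pick from modern ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers that have seen this header refuse plain HTTP for this host for a year,
    # so a user who types "http://" is never exposed even before the redirect.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

After deploying, check from outside the office that `http://www.example-dental.com/` answers with a 301 to the HTTPS address and that the HTTPS response carries the Strict-Transport-Security header; a site that serves both HTTP and HTTPS without the redirect has not finished the migration.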

    It's also important to access your website's administrative pages over a secure network. Your team should never log in from an open network such as public Wi-Fi that does not require a password; if that is unavoidable, use a VPN.

    If you email patients' ePHI, use a secure (encrypted) email service. Many reputable companies provide this for a reasonable price, and these services are easy for both your team and your patients to use. Ordinary email is not encrypted end to end, so ePHI should never go into an unprotected message.

    5. Backup: If you store ePHI on your website, make sure a backup of your database is taken frequently and can be restored after an outage or an accidental deletion. Most hosting companies already provide this service. Restoring a backup may incur a charge, but it is usually a nominal fee worth paying. Ask your provider how often backups are taken, where they are stored and for how long, and test a restore at least once so you know the process works before you need it. HIPAA applies to backed-up data as well, so backups must be encrypted and access-controlled like the live database.

    6. Disposal: Once you have confirmed how often backups are taken, find out how they are disposed of when no longer needed. Your hosting company will not keep backups indefinitely, so ask what happens to the expired copies. When a server is retired, its drives must be sanitized. For magnetic hard disks the provider can use software that overwrites the whole disk; a single full pass of random data is sufficient for modern drives, and additional passes do no harm. Overwriting is not reliable on SSDs and is not available at all on shared cloud storage, so there the provider should use the drive's built-in secure-erase command or cryptographic erasure (destroying the key that encrypted the disk), and should give you a written record of what was done.


    7. Business Associate Agreement: If any vendor working with your practice has access to your patients' ePHI, you must have a signed business associate agreement with that vendor. Vendors include, but are not limited to, your website designer, the IT company maintaining your in-office server and equipment, electronic claims vendors, marketing companies, consultants, accountants, appointment reminder software companies and your practice management software provider. Last year a health care provider settled with HHS for $31,000 for not having the appropriate business associate agreements in place. HHS publishes sample business associate agreement provisions, and free templates are available online.

    Ensuring your website is HIPAA compliant may seem like an overwhelming task, but there are simple tools at your disposal and processes you can implement which prove reasonable steps are taken to protect your patients’ ePHI. With the increase in HHS compliance reviews, it’s well worth your time and money to protect your practice from potential violations.

    Christine C. Bahu
    Christine Bahu is the agency founder of SmileMore Marketing (https://smilemore.marketing). She has helped 100+ dentists bring new ...

