If you are a HIPAA-covered entity or business associate, you likely know that patient PHI may only be created, received, maintained, and transmitted as permitted by the HIPAA Security Rule and the HIPAA Privacy Rule. Yet you may not have focused on your company’s website as a place where PHI is collected and transmitted. If you are subject to HIPAA, you should continually assess your website data practices. As described in this blog post, you should make sure third-party trackers like Meta Pixel are not accessing and disclosing data behind the scenes. But common customer-facing tools should not be overlooked. Common ways in which PHI may be collected and transmitted include:
- Live Chat
- Patient Portals
- Online Patient Forms
- Online Scheduling Tools
- Reviews and Testimonials
- Online loyalty Programs
The HIPAA Privacy Rule requires that entities that create, receive, maintain, and/or transmit PHI take specific measures to protect it. For example, if your company keeps individually identifiable medical information on a server, that server must be encrypted and secure. Transmitting PHI includes sending information via email, text, web forms or other types of digital messaging. Storing PHI includes storing information in apps, data centers, etc. If your company website collects, stores, or transmits PHI and does not take reasonable measures to secure that data, it may violate HIPAA.
To begin remediating risks, companies should:
- Purchase and implement an SSL certificate for the company website
- Ensure all web forms on the company website are encrypted and secure
- Only send emails containing PHI through encrypted email servers
- Partner with web hosting companies that are HIPAA-compliant and have processes for protecting PHI
- Execute BAAs with third parties that have access to PHI (including web hosting companies)
- Ensure that PHI is only accessible by authorized individuals within your company