The Complete Medical Practice Digital Marketing Blueprint

Maximize Your Presence With Our Free Practice Marketing eBook

HIPAA Compliant Website Checklist: Keeping Your Patient’s Info Safe

by | Nov 22, 2021

The pandemic event of 2020 underscored our reliance on the internet, to say the least. To “slow the spread,” we saw an increase in patients completing registration tasks online, and attending appointments virtually via telehealth. This has made having a HIPAA compliant website more important than ever for medical practices.

As digital dependence increases across the healthcare landscape, it is important to remember that cybersecurity threats are unrelenting — and so too is the need for data protection. One critically-important piece of any healthcare organization’s cybersecurity strategy is a HIPAA-compliant website. 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes responsibility for the handling of patient health information (PHI). Law or not, providers have an incentive to protect patient data as this vigilance preserves public and patient trust. 

Given that all healthcare organizations have HIPAA-compliance protocols in place, it’s beneficial to perform periodic check-ins and audits to resolve any organizational weaknesses. System migrations, software updates, vendor or staff changes, and the like may leave gaps that become vulnerabilities. Routine website checks work to supplement routine internal audits or other HIPAA-compliance verification that ensure PHI is completely secure on all fronts. 

Patient Engagement Podcast Series Part 2 CTA

HIPAA Website Compliance 101  

HIPAA policies are designed to both protect patient health information from unauthorized view or capture and to facilitate a patient’s right to their health information using a three-pronged approach: 

  • Privacy Rule: Establishes national standards as to when protected health information (PHI) may be used or disclosed. 
  • Security Rule: Dictates how all stakeholders safeguard the confidentiality, integrity, and availability of electronic protected health information (ePHI). 
  • Breach Notification Rule: In the event of an ePHI breach, a healthcare organization must understand and properly follow through with the set protocol for reporting – this notifies the affected individuals, the Department of Health and Human Services (HHS), and the public. 

Because healthcare entities use websites as instruments to receive patient data, websites, web forms, and web hosting must all meet HIPAA-secure standards (such as encryption and secure data retention). There are three classifications of HIPAA protection: 

  • Physical: Prevents PHI data from being compromised through manual means (i.e., protecting computers and physical records from environmental hazards, or unauthorized view). 
  • Technical: Prevents PHI data from being compromised through digital means (i.e., ensuring that transmission of data cannot be accessed or intercepted by unauthorized users). 
  • Administrative: Conduct a risk assessment for PHI breaches. (i.e., addressing any compliance weaknesses, providing compliance training for staff, and ensuring that service agreements with third parties include HIPAA-compliance). 

Healthcare entities can incur fines (ranging from $100 to $1.5 million depending on the severity) for HIPAA non-compliance – even if there has not yet been a security breach. Also of note is the impact of a PHI breach on public trust. The patients affected would naturally be inclined to seek another provider, and when the records of more than 500 people are breached, the public must be notified – this can taint your reputation indefinitely. 

Do You Have an SSL Certificate?  

SSL (or secure sockets layer) and TLS (or transport layer security) encryption protect data traveling from your website to another destination, such as a server, internal email inbox, or EHR (electronic health record). Encryption is absolutely crucial for the HIPAA-compliant website. 

A telltale sign of SSL/TLS security is to see a web address that begins with “HTTPS” instead of “HTTP,” or alternatively, a lock icon. A professional web design agency should already have this covered for you, but it doesn’t hurt to check. 

Image of a glowing lock on an SSL certificate secure website

Web Forms and Emails Must Be Encrypted

HIPAA website compliance means that PHI is protected at every stage and level, and not all methods of website data capture (like third-party online forms) have the proper encryption to ensure security. Encryption protects the patient information captured by online forms, online bill pay, and so forth, as it is transmitted to your clinic.  

For example, if the form inputs are routing to an inbox, your IT professionals would need to ensure that you are using HIPAA-compliant email tools and services. Third-party services should be transparent in explaining how they ensure that forms and emails are HIPAA compliant such as SSL security and provisions detailed in the BAA. 

Our team of medical practice website specialists not only ensure website encryption, but we also provide HIPPA-secure forms and bill pay. When every aspect of a medical website is HIPAA-secure, patients can enjoy convenient web features with peace of mind. 

Select a Secure Web Hosting Vendor  

Google “web hosting,” and there are dozens of services eager to win your business with all the bells and whistles. However, not all web hosting companies are equipped for secure ePHI management. A medical practice must take the extra step of ensuring that a web host has sufficient security measures in place to safeguard sensitive patient information. 

Web hosting also involves the storage of website files, so you will need to ensure the host is well protected from intrusion. When considering a web hosting service, ask what HIPAA-compliant website solutions they currently have in place (such as HIPPA-secure forms) to protect data at all stages and levels, and what assurances they can provide for ongoing ePHI security. 

Establish Strict Policies for Staff, Contractors, and Third-Party Partners 

Before giving anyone access to the website or the data collected from the website, they will need to be aware of and fully understand the security measures set in place. As a best practice, each user should have their own login (no shared access) and have a unique alphanumeric password.  The password should be hard to remember. A secure password manager can assist in helping staff login easily (yet safely) by storing complex passwords. 

Each user should be trained on when to log out of the website manager, forms application, email system, computers, etc. Administrators should also avoid taking laptops outside of the facility, as several cases of stolen laptops have resulted in fines or legal settlements. 

Practice management and IT experts can work together to create a comprehensive policy and training plan, as this ensures everyone who has access to sensitive patient data is vigilant about security. 

Are You Using 3rd Party Partners? Sign a BAA  

The old adage, “many hands make for lighter work,” aptly describes the modern healthcare landscape. For busy medical professionals, the enlisting of third-party services becomes necessary. This often involves third parties having Business Associate Agreement (BAA) with ePHI, or systems that store this data.  

To ensure that ePHI is secure at all times, all stakeholders must be accountable for the protection of sensitive patient data. Website agencies who are equipped to keep ePHI safe would also be prepared to enter a service level agreement that ensures sufficient web security for your patients.  

Maintain HIPAA Compliance: Continue to Test Your Security  

Medical practices are at the mercy of technology, and technologies are always shifting and evolving. In addition, the more people you give privileged access to (both internal and third-party associates), the more opportunities there are for a data breach.  

Launching a HIPAA-compliant website is foundational to your success, but beyond this initial step, ongoing verification is needed to ensure that patient information continues to be securely captured and stored. Establish an internal audit and risk assessment protocol, and make its routine implementation mandatory for your operations. 

Because ePHI security is only as strong as the weakest link in your organizational chain, periodic audits, risk assessments, and refresher training are each essential to keep patient data safe. Expert consultants (such as Medical Advantage) can help you come up with a schedule that encompasses all the vulnerable points of ePHI management.  

Is your website hipaa secure infographic

Get a HIPAA-Secure Website and Ongoing Medical Website Support 

Over 4,000 providers trust Medical Advantage (powered by iHealthSpot) to build and host their websites. Not only are our websites well-encrypted for online forms and online bill pay, but they are also designed to attract new patients every month. Contact Medical Advantage today for a quote.


Talk to a Practice Marketing Expert Today



The Complete Medical Practice Digital Marketing Blueprint

Maximize Your Presence With Our Free Practice Marketing eBook

Medical Advantage - TDC Group