Doctors and medical professionals feel under pressure when using the web as a platform for patient protected information or ePHI (e.g., electronic prescription use, appointments and remote medicine and web-based electronic medical record). The HIPAA/HITECH law requires that these tools have very specific safety controls.
The Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document. And with the Omnibus rule in place, all websites (old and new), must be properly designed or their owners face potential financial liability in fines that could become very high (millions of $$$) to be more specific.
So what do these hosting requirements mean and how can HIPAA be followed in the context of a website?
What are the HIPAA requirements for a website?
HIPAA is an unusual law in that it makes a lot of recommendations (addressable articles) and affirmations (articles required), but in the end, it depends on each organization to determine for themselves what they need to be obedient. This creates great flexibility and also a great deal of uncertainty. In general, to be with the HIPAA law, a website should at least ensure that all protected health information (ePHI):
- Encrypted transport: It is always encrypted as it is transmitted over the Internet
- Backup: Never lost, that is, Must be backed up and can be recovered
- Authorization: Only accessible by authorized personnel through single access controls, audited
- Integrity: Not manipulated or altered
- Storage encryption: How do you accumulate a “basic” website to these requirements?
For a ‘basic’ website, we refer to a configuration in any old web hosting provider and written using platform software or by a person without training in best website security practices:
- Transport Encryption – Fail: The data is not encrypted during transmission
- Backups – Maybe: More web servers will backup and restore your data for you. However, this assumes that the data collected is in a host-backed position. If you have information emailed to you, you should make sure that your email record is complete and the backups are good.
- Authorization – Maybe: It depends on its implementation.
- Integrity – Fail: There is no way to make sure it is not manipulated data or if it has been.
- Storage Encryption – Fail: Data is never encrypted
- Disposal – Maybe: It depends on its implementation. However, some web servers and departments of you keep data backups indefinitely – and they do not “delete”.
- Ombibus – Fail: Most web hosting providers do not even know what an HAPAA BAA would require them to do and most others know that they cannot both sign such an agreement and fulfill their requirements without completely changing how their business operates and what are their prices.
Overall grade — failing: In general, if you have a basic website that has never been explicitly updated for HIPAA and has something to do with protected patient data, you can be pretty sure that it is unsupported and needs care. If you plan on extending your site include protecting patient data, make sure that you are familiar with the requirements that must be met by whoever does it.
So what can be done to ensure compliance?
Obviously, there are a large number of steps that can and should be taken to convert your basic website into one with HIPAA one. What works for you will depend exactly what you want to accomplish with your site and how protected health information is present and transmitted. Below, we discuss the seven most common cases we encounter.
1. Transmit Encryption: PHI is always encrypted as it is transmitted over the Internet. The first step is to ensure that you have a secure website (i.e., an SSL protected and accessible via https://). Any web page that collects or displays the protected health information, or that is used for the registration of a user, which transmits cookie authorization, etc., should be protected by SSL certificate and should not be insecurely accessible (i.e., Should not be an alternative version of the same page insecurity that people can access). Use of SSL complies with HIPAA data transmission security requirements in terms of communication between the end user and your website.
Then what if the end user submits PHI on your site and then the data is transmitted elsewhere, or stores it. This process must also be HIPAA compliant. We will discuss it below, as it is one of the most difficult things and still be obedient.
2. Copy security: is not lost, that is, is backed up and can be recovered.
You should be sure that all protected information stored on your website or compiled from your website is backed up and can be recovered in case of accident or accidental deletion. More web servers offer this information service stored on their servers. If the information from your website is sent elsewhere (for example, to you by email), then those messages should also be backed up or archived and you must be careful that those copies are robust, available and accessible only to authorized persons.
3. Authorization: only accessible by authorized personnel through unique, audited access controls who can access the protected health information that resides on your website or is collected there? Your web hosting provider probably can. Are HIPAA business trust associated with a confidentiality agreement? If the collected health information from the site is sent to you or others, it is important to know who can access those messages or the information. Does anyone have access to your email or messaging system? If your website stores or provides access to PHI, your website will meet unique, secure access to ensure that only authorized/appropriate people can access that data. Are these logins and data access audited? This will depend on your website designers to properly set up for you.
4. Integrity: PHI is not manipulated or altered.
Unless the information we collect and the store is digitally encrypted or signed, it is impossible to avoid being manipulated or to verify if the manipulation has happened. It depends on your organization to determine whether you are forcing-waterproofing your data are needed and how best to achieve that. In general, using PGP, SSL or AES encryption of stored data can accomplish this very well and also address the next point.
5. Encrypted storage: It is encrypted if it is being stored or archived.
It depends on your organization to determine if it is necessary; although recommended. If storage encryption is necessary then you need to ensure that all protected medical information collected and stored is encrypted and can only be accessed/decrypted by persons with the corresponding keys. That is, it backs up, protects access data by unauthorized persons, and generally protects data from whatever happens (unless special keys are stolen). Encrypted storage is especially important in any scenario where data can be backed up or placed in places beyond your control, or where you can share a web server with other clients on the same web host.
6. Disposition: They can be permanently removed when necessary.
This sounds easy, but you have to keep in mind all the places where the data could be backed up and archived. You need to ensure that all backups expire and disappear. Consider that every situation that affects the information could be backing up and be keeping copies of your data indefinitely. It certainly helps if the data is encrypted in the backup but if the backup exists and the keys to open the data exist, then it is not really “discarded”. It is up to you to determine how much you need to go to ensure data deletion to be HIPAA compliant.
7. Business Associate: You must have an HIPAA business associate agreement with all sellers that your PHI touches.
If your website or information is located on the servers of a vendor, then HIPAA (first HITECH and then on Omnibus) requires that you have an associated business signed with them. This agreement ensures that the seller follows the HIPAA security standard requirements regarding their data and their servers. Remember that websites are complex beasts and no web hosting provider will be policing your website content and functionality – they cannot. Instead, they will provide an “infrastructure” that meets HIPAA compliance requirements and will need to design and manage your website so that its functionality is HIPAA compliant. To make an HIPAA compliant website you and your designers will need to take all steps to ensure that your design and functionality complaints. This is universal unless you purchase a website that is previously designed and completely under the control of the guest.
So, there are many things to do and much is all “it’s up to you”. Of course, just because you are on the “honor system” does not mean that you can make any choice you fancy. If you make a bad decision and something bad happens or if it is audited, it will be intentionally negligent to find you (ignorance is no excuse here). You need to carefully consider what is necessary and appropriate to properly protect health information and the privacy of your users, based on the application of your website and how the patient’s data is used and transmitted.
Collecting People’s Health Information
One of the first things that doctors and medical practices like to do when expanding online is to collect patient information on their website so they can:
- Sign up for new patients
- Schedule appointments
- Make diagnoses and recommendations about medical situations
- Enter digital prescriptions
Ensuring the transmission of patient information on the website is fairly easy (it’s # 1 – use secured website with SSL). However, what to do with that information?
Common solutions include:
- Store it on files on the web server to download later
- Store in a database for download or remote access
- E-mail someone
The third option, by e-mail to someone, is the most popular option because it is easy and requires less additional software or infrastructure from around the world already checking your email. It also opens up a whole can of worms in terms of “How does the email component comply with HIPAA?”
1. Store the data in files requires
- The website to encrypt the files
- Someone downloads the files on a secure channel (i.e., Secure FTP)
- The website owner gets notified via an email that is waiting for a new file
- Copy And disposal are taken care of
2. Store the data that a database allows you to write software for remote access and information management, however, Transmission from the database must be secure
The software that provides management access must be secure and comply with all The HIPAA requirements classes in audit and access control issues should be addressed with respect to encryption keys and their secure storage
Thus option 1 is easy, but requires a little more technical knowledge on the part of users and puts them the responsibility of backup and removal. Option 2 is better and allows for greater flexibility, usability and control and centralization of data in one place. However, Option 2 is technically more complex requiring more cost and effort to implement correctly. Option 3 is easy, but how do you make HIPAA email compliant?
Email data protection of website forms
The ideal procedure for securing your data by email is basically as follows:
Your secure website encrypts the submitted data (using PGP or S / MIME, TLS or a web-based email secure collection solution) such that only one or a few of your employees can open it.
This information is emailed to recipients and “forgotten” by the website (or an encrypted copy is stored on the site if you prefer).
The recipients receive the data and are stored on their e-mail server (encrypted even less TLS was used for delivery).
Recipients can access these messages securely (over SSL) and decrypt the data in their email program or in a Web-based interface that supports decryption.
The email provider is responsible for backups.
Deleted messages will expire from backups after a while (get a signed statement saying this, if desired).
Keep copies of all encrypted messages on the server instead of downloading them all, so you are responsible for backups and so all are stored in a central location.
As a Note:
If you are looking for HIPAA Compliant Hosting, please get in touch with our team.