'%3e%3cpath%20d='%20M%2099.777%200%20L%2099.777%200%20Q%20129.414%200%20144.43%2011.361%20L%20144.43%2011.361%20L%20144.43%2011.361%20Q%20159.446%2022.721%20159.446%2044.652%20L%20159.446%2044.652%20L%20159.446%2044.652%20Q%20159.446%2055.519%20155.495%2069.745%20L%20155.495%2069.745%20L%20155.495%2069.745%20Q%20148.974%2092.665%20137.909%20106.099%20L%20137.909%20106.099%20L%20137.909%20106.099%20Q%20126.846%20119.535%20108.767%20125.66%20L%20108.767%20125.66%20L%20108.767%20125.66%20Q%2090.689%20131.785%2062.435%20131.587%20L%2062.435%20131.587%20L%208.693%20131.39%20L%208.693%20131.39%20Q%204.544%20131.39%202.273%20130.007%20L%202.273%20130.007%20L%202.273%20130.007%20Q%200%20128.624%200%20126.253%20L%200%20126.253%20L%200%20126.253%20Q%200%20125.068%200.593%20123.685%20L%200.593%20123.685%20L%200.593%20123.685%20Q%201.185%20121.907%202.273%20121.115%20L%202.273%20121.115%20L%202.273%20121.115%20Q%203.359%20120.325%205.532%20118.942%20L%205.532%20118.942%20L%205.532%20118.942%20Q%208.693%20117.164%2010.57%20114.991%20L%2010.57%20114.991%20L%2010.57%20114.991%20Q%2012.448%20112.817%2013.831%20108.076%20L%2013.831%20108.076%20L%2037.935%2023.116%20L%2037.935%2023.116%20Q%2038.725%2020.548%2038.725%2018.177%20L%2038.725%2018.177%20L%2038.725%2018.177%20Q%2038.725%2016.004%2038.034%2014.522%20L%2038.034%2014.522%20L%2038.034%2014.522%20Q%2037.342%2013.039%2036.157%2011.064%20L%2036.157%2011.064%20L%2036.157%2011.064%20Q%2034.379%208.495%2034.379%206.915%20L%2034.379%206.915%20L%2034.379%206.915%20Q%2034.379%206.322%2034.774%204.742%20L%2034.774%204.742%20L%2034.774%204.742%20Q%2035.564%202.173%2038.232%201.086%20L%2038.232%201.086%20L%2038.232%201.086%20Q%2040.898%200%2046.431%200%20L%2046.431%200%20L%2099.777%200%20L%2099.777%200%20L%2099.777%200%20Z%20M%2088.326%2047.267%20L%2088.326%2047.267%20Q%2095.303%2047.267%2098.553%2049.915%20L%2098.553%2049.915%20L%2098.553%2049.915%20Q%20101.8%2052.562%20101.8%2057.134%20L%20101.8%2057.134%20L%20101.8%2057.134%20Q%20101.8%2059.902%20100.959%2062.427%20L%20100.959%2062.427%20L%2089.89%2098.403%20L%2089.89%2098.403%20Q%2089.529%2099.846%2089.529%20100.928%20L%2089.529%20100.928%20L%2089.529%20100.928%20Q%2089.529%20102.493%2090.131%20103.395%20L%2090.131%20103.395%20L%2090.131%20103.395%20Q%2090.731%20104.298%2091.815%20105.139%20L%2091.815%20105.139%20L%2091.815%20105.139%20Q%2092.658%20105.982%2093.017%20106.524%20L%2093.017%20106.524%20L%2093.017%20106.524%20Q%2093.378%20107.065%2093.138%20107.907%20L%2093.138%20107.907%20L%2093.138%20107.907%20Q%2092.537%20109.471%2090.731%20110.193%20L%2090.731%20110.193%20L%2090.731%20110.193%20Q%2088.927%20110.915%2085.197%20110.915%20L%2085.197%20110.915%20L%2057.766%20110.915%20L%2057.766%20110.915%20Q%2054.637%20110.915%2053.193%20109.892%20L%2053.193%20109.892%20L%2053.193%20109.892%20Q%2051.75%20108.87%2052.23%20107.184%20L%2052.23%20107.184%20L%2052.23%20107.184%20Q%2052.712%20105.741%2054.757%20104.659%20L%2054.757%20104.659%20L%2054.757%20104.659%20Q%2056.562%20103.696%2057.766%20102.373%20L%2057.766%20102.373%20L%2057.766%20102.373%20Q%2058.968%20101.049%2059.811%2098.162%20L%2059.811%2098.162%20L%2070.278%2063.39%20L%2070.278%2063.39%20Q%2070.639%2062.307%2070.639%2061.586%20L%2070.639%2061.586%20L%2070.639%2061.586%20Q%2070.639%2060.262%2070.037%2059.48%20L%2070.037%2059.48%20L%2070.037%2059.48%20Q%2069.435%2058.698%2068.233%2057.855%20L%2068.233%2057.855%20L%2068.233%2057.855%20Q%2067.029%2056.893%2066.549%2056.171%20L%2066.549%2056.171%20L%2066.549%2056.171%20Q%2066.067%2055.45%2066.428%2054.246%20L%2066.428%2054.246%20L%2066.428%2054.246%20Q%2067.149%2051.478%2074.008%2049.373%20L%2074.008%2049.373%20L%2074.008%2049.373%20Q%2080.866%2047.267%2088.326%2047.267%20L%2088.326%2047.267%20L%2088.326%2047.267%20L%2088.326%2047.267%20Z%20M%2096.387%2020.679%20L%2096.387%2020.679%20Q%20101.08%2020.679%20104.207%2023.746%20L%20104.207%2023.746%20L%20104.207%2023.746%20Q%20107.336%2026.815%20107.336%2031.266%20L%20107.336%2031.266%20L%20107.336%2031.266%20Q%20107.336%2034.394%20105.71%2037.402%20L%20105.71%2037.402%20L%20105.71%2037.402%20Q%20104.087%2040.411%20101.14%2042.275%20L%20101.14%2042.275%20L%20101.14%2042.275%20Q%2098.191%2044.14%2094.582%2044.14%20L%2094.582%2044.14%20L%2094.582%2044.14%20Q%2090.01%2044.14%2086.942%2041.071%20L%2086.942%2041.071%20L%2086.942%2041.071%20Q%2083.874%2038.004%2083.754%2033.432%20L%2083.754%2033.432%20L%2083.754%2033.432%20Q%2083.754%2030.423%2085.318%2027.477%20L%2085.318%2027.477%20L%2085.318%2027.477%20Q%2086.881%2024.528%2089.769%2022.604%20L%2089.769%2022.604%20L%2089.769%2022.604%20Q%2092.658%2020.679%2096.387%2020.679%20L%2096.387%2020.679%20L%2096.387%2020.679%20L%2096.387%2020.679%20Z%20'%20fill-rule='evenodd'%20fill='rgb(224,242,254)'/%3e%3c/g%3e%3c/svg%3e)
BLOG
HIPAA Compliance for Websites
Posted August 8, 2024 by Dante Imerito
I recently started working on a website for a local medical provider, and it occurred to me that there are probably certain procedures that should be adhered to regarding website data that includes personal health information. As a freelance web developer, I was unclear about my obligations and responsibilities in this area, so I did some research on HIPAA regulation as it relates to websites and the people who create and maintain them. What I found was pretty interesting. If you’re a person that builds, maintains, or hosts websites, or if you’re a medical provider with a website or app, you might be interested in my journey.
This would be a good time to mention that I am not a legal expert, and no portion of this article is intended to be interpreted as legal advice. If you have questions regarding HIPAA compliance or any other legal matter, you should consult with a lawyer.
Let me start by saying that I believe there are many of us—fellow web designers, developers, or agencies—that work with clients in the medical field while having little knowledge of our responsibilities surrounding the data involved in medical-related projects.
We all know that when we browse websites, data is being collected about our interactions with those websites. Things like pages visited, length of time spent on a page, IP address, information about device type and operating system, and even our geographic location are commonly tracked and stored, often by numerous parties. When this data contains Protected Health Information (PHI), it is subject to the regulations established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Here’s some general information on HIPAA from Wikipedia: Health Insurance Portability and Accountability Act.
Fines for HIPAA violations can range anywhere from $137 to over $2 million per year, which could be career-ending for most web developers. So, it’s important that we understand how to navigate these situations. You can find more information on HIPAA violation fines here.
If you want to learn about which kinds of information need to be protected, here’s a good article to read: What is Considered PHI Under HIPAA?
Once you understand which data are subject to HIPAA regulation, you’ll want to learn about the process of protecting that data. Here’s a brief rundown of some of the things involved in ensuring that you’re responsibly handling PHI for HIPAA compliance:
1.
Understand HIPAA Requirements
Familiarize yourself with HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule. These regulations outline how to handle Protected Health Information (PHI), including electronic PHI (ePHI).
2.
Implement Strong Security Measures
Data Encryption: Encrypt ePHI both in transit and at rest. Use strong encryption standards.
Secure Authentication: Implement multi-factor authentication (MFA) for accessing ePHI.
Access Controls: Limit access to ePHI to authorized personnel only. Use role-based access controls.
3.
Use Secure Hosting
Ensure your hosting provider supports HIPAA compliance and sign a Business Associate Agreement (BAA) with them.
Make sure the data centers where your data is stored comply with physical security standards.
4.
Create a Risk Management Plan
Perform regular risk assessments to identify and address vulnerabilities.
Implement a risk management strategy to mitigate potential threats.
5.
Develop and Maintain Policies
Draft and maintain clear policies and procedures for handling ePHI.
Include protocols for data breaches, user access, and data handling.
6.
Ensure Regular Training
Train all employees on HIPAA compliance and data protection procedures.
Keep training up-to-date with any changes in HIPAA regulations.
7.
Monitor and Audit
Regularly audit your systems for compliance and security.
Implement logging and monitoring to detect and respond to unauthorized access.
8.
Have a Breach Response Plan
Develop a plan for responding to data breaches, including notification procedures.
Ensure compliance with HIPAA’s breach notification requirements.
9.
Consult with Legal and Compliance Experts
Work with HIPAA compliance specialists or legal advisors to ensure all aspects of your website and operations meet HIPAA standards.
By carefully implementing these measures, you can help ensure your website adheres to HIPAA requirements and protects sensitive health information effectively.
Conclusion
Needless to say, HIPAA compliance can be a daunting and confusing process for a web developer. For many projects, the easiest solution may be to ensure that protected data is not being collected at all. But even limiting the scope of the project in this way will require some research and understanding about the things to avoid and exclude. If you are handling PHI in your project, there are many additional measures to consider, and I would recommend consulting with a legal expert.
I hope you found this information helpful. I wish you well on your way to HIPAA compliance in your digital projects.
By Dante Imerito