Medical Doctor Websites and HIPAA Compliance
I Operate a Medical Clinic, Do I Need to Have a HIPAA Compliant Website?
The short answer is YES.
If you have a healthcare business, medical practice or clinic with a medical website, and potential or existing patients communicate with you through that website, you are likely receiving Protected Health Information (PHI). If patients use your website to call you, book appointments, ask questions, send emails, or submit forms, that information can be subject to HIPAA laws.
If you are audited for a HIPAA violation, you may be asked to provide Business Associate Agreements (BAAs) from all vendors, including your website provider, who may have transported, viewed, stored or otherwise handled PHI. As a healthcare business owner or manager, it is your responsibility to address BAA requirements with every provider of services to your medical practice.
OnRevenue provides a BAA for its customers upon request. To understand what is covered, let’s review four major areas of HIPAA and some definitions.
What is PHI: Protected Health Information (PHI) refers to the personal information of a patient you are about to treat (a prospective patient) or of an existing patient, which must be guarded and handled as required by HIPAA laws.
What is a Covered Entity: In HIPAA’s legal language, the Covered Entity is the healthcare business or medical practice providing services to patients. References to “Covered Entity” mean your practice, your clinic, or your medical facility.
What is a Business Associate: A Business Associate is a service provider or vendor that provides services, technology, websites, electronic storage, software, databases, etc. to a Covered Entity. This means your website provider is a Business Associate.
What is a Business Associate Agreement (BAA): A BAA is a legal document provided to your clinic that states in detail that the Business Associate has taken the necessary steps, in accordance with HIPAA regulations, to implement security and other measures that protect PHI.
It is important to note that Covered Entities and their Business Associates both need to protect the privacy and security of protected health information (PHI). It gets more complicated, however, when you start to put together a to-do list. Covered Entities are required to apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information, and this applies to all forms of PHI. As such, Covered Entities are not permitted to abandon protected health information or to dispose of it in a way that leaves it accessible to the public or to unauthorized individuals. Covered Entities are required to train their workforce on the proper disposal of protected health information; note that under federal standards, the “workforce” includes volunteers. Covered Entities should also determine what steps are reasonable for disposing of protected health information while complying with the HIPAA Privacy and Security Rules.
There are four key rules:
1. HIPAA Privacy Rule
2. HIPAA Security Rule
3. HIPAA Enforcement Rule
4. HIPAA Breach Notification Rule
Each Covered Entity needs to follow all four rules. The HIPAA Privacy Rule and the HIPAA Security Rule are very detailed and require a lot of effort. To comply with the Breach Notification Rule, you need to provide notification following a breach of unsecured Protected Health Information.
This article is not a definitive list of what is required for HIPAA compliance; you should assign a Privacy Officer to review each rule in its entirety. This article is intended to point you in the right direction. OnRevenue will provide a BAA for your clinic if requested. OnRevenue apps for healthcare clinics store PHI on a secure server that meets HIPAA guidelines. Contact us for more information.