If you offer a health-related tech product, online service, or web application, you’ve likely heard of HIPAA. In the acronym-ridden world of health tech, HIPAA is one that gets talked about a lot — and for good reason. HIPAA compliance is an essential piece of any health tech service that is hosted online. In this article, we’ll look at HIPAA compliance for web applications and services, outline HIPAA cloud compliance, and show you how to make your website HIPAA compliant in 3 steps.
What Are HIPAA and PHI?
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is legislation that governs how organizations store, share, and use protected health information (PHI) and electronic protected health information (ePHI). PHI and ePHI is any health data that can be used to identify an individual; for example, device serial numbers and identifiers, photographs of patients, date of admission and discharge, and zip code. (For a comprehensive list of PHI, visit our Knowledge Base)
ePHI, like any data received, stored, or transmitted online, is vulnerable to being stolen by cybercriminals. Your organization’s security policies must address the security of ePHI across your web servers. It also needs to address the security policies of any third-party vendors who come into contact with that data; in particular, cloud vendors.
The consequences of breaking HIPAA are serious for your organization, your B2B or B2C clients, and the patients they serve. More stringent enforcement of HIPAA has meant costly fines for a number of organizations in the healthcare industry that have improperly managed ePHI and HIPAA standards. Since 2015, fines for noncompliance have more than quadrupled. At the same time, cybersecurity risks in the healthcare industry are also growing.
When does my website need to be HIPAA compliant?
If your website collects personally identifiable health information, then HIPAA compliance applies to you. Consider whether you gather ePHI in any of the following ways:
- Contact forms that ask about medications, treatment, symptoms, or other health-related information
- Online patient forms
- Live chat in which ePHI may be shared
- Patient portals
- Patient reviews or testimonials
If any of these cases apply to your healthcare website or app, then you likely store that information on a server, as well. That means you also need to secure your ePHI at rest. The last piece to consider is if your website transmits ePHI, for example, via email or to a third-party vendor. In all of these cases, you will need to construct HIPAA compliant security policies.
When doesn’t my website need to be HIPAA compliant?
Not all health data is considered ePHI. Remember, ePHI is personally identifiable health information. If you offer a step-counting app that tracks number of steps, for example, you’re in the clear. But if your step-counting app also measures data like heart rate in connection with user information such as name, address, or zip code, then you’re dealing with ePHI.
What are HIPAA website and web application security requirements?
Requirements for how to secure ePHI are outlined in the HIPAA Security Rule, an amendment to HIPAA legislation meant to address PHI in the digital age. When building a website or web application to meet HIPAA requirements, follow these 3 steps:
- Perform a security assessment of your servers and vendors. This must be done even for those vendors who already use HIPAA “certified” cloud services and technologies.
- Select and implement technical safeguards. This can be trickiest for organizations to understand because, since technology and IT security change rapidly, HIPAA does not specify exact products or technologies that must be used. At the same time, HIPAA does lay out certain implementation specifications. While some of these are required, others may not be necessary for your website, depending on the size of your organization. These are known as “addressable specifications”. In these cases, organizations are required to document their assessment of addressable specifications as inapplicable to them. It’s important to remember that “addressable” is not the same as “optional”.
- Encrypt data. If your website collects ePHI and then transmits it to third parties, you need to encrypt data in transmission using SSL/TLS standards. That goes for email communications, as well. Similarly, if your website stores ePHI on its servers, you also need encryption.
Again, HIPAA does not stipulate specific types of encryption that should be used because IT security is such a quickly developing sphere. The best way to ensure HIPAA compliance is to use encryption processes that follow criteria from the NIST (National Institute of Standards and Technology).
Making a HIPAA compliant website in the cloud
The most important piece of making a HIPAA compliant website is ensuring the compliance of your cloud vendors. This applies to websites that are built on a cloud server or that transmit or store data in the cloud. Not every cloud server is HIPAA compliant. When assessing whether or not a cloud provider can be considered HIPAA compliant, the first thing to check is if they provide a BAA (business associate agreement). Secondly, affirm that they encrypt data in-transit and at-rest.
Some cloud hosts such as GoDaddy and cloud storage providers such as iCloud do not meet these requirements. Cloud service providers, like Amazon Web Services (AWS), operate on a shared responsibility model, meaning they provide a BAA, while the user sets specific controls for their environment. Some services may not HIPAA compliant out-of-the-box, but can be configured to meet these requirements. In both these cases, maintaining HIPAA compliance in the cloud depends on a reciprocal relationship between you and your cloud service provider. Your cloud service is responsible for providing encryption and a BAA; you, in turn, will need to set the administrative and technical controls for your specific cloud environment.
Here, software can be a big help in configuring these settings and maintaining them at scale. Platforms like Dash, for example, allow users to manage HIPAA administrative policies, technical controls, and cloud security without sacrificing scalability or uptime. Apart from scalability, using a software solution to configure your cloud environment drastically reduces your risk of a breach due to gaps in security or outdated policies. Beyond that, it is up to your HIPAA Security Officer to determine proper administrative policies to adopt within your organization.
Dash is a leading HIPAA compliance solution for cloud-based healthcare software, websites, and applications. To learn more about how Dash can help you get continuously compliant or to request a free demo, get in touch with us.