If you are a HIPAA-covered entity or business associate, you likely know that patient PHI may only be created, received, maintained, and transmitted as permitted by the HIPAA Security Rule and the HIPAA Privacy Rule. But you may not have focused on your company's website as a place where PHI is collected and transmitted. If you are subject to HIPAA, you should regularly assess your website data practices. As described in this blog post, you should make sure that third-party trackers like Meta Pixel are not accessing and disclosing data behind the scenes. But common customer-facing tools should not be overlooked either. Common ways in which PHI may be collected and transmitted include:
- Live Chat
- Patient Portals
- Online Patient Forms
- Online Scheduling Tools
- Reviews and Testimonials
- Email
- Online Loyalty Programs
The HIPAA Privacy Rule requires that entities that create, receive, maintain, and/or transmit PHI take specific measures to protect it. For example, if your company keeps individually identifiable health information on a server, that server must be encrypted and secure. Transmitting PHI includes sending information via email, text message, web forms, or other forms of electronic messaging. Storing PHI includes keeping information in apps, data centers, and so on. If your company website collects, stores, or transmits PHI and does not take reasonable measures to secure that data, it may violate HIPAA.
To begin remediating risks, companies should:
- Purchase and implement an SSL certificate for the company website
- Ensure all web forms on the company website are encrypted and secure
- Only send emails containing PHI via encrypted email servers
- Partner with web hosting companies that are HIPAA-compliant and have processes for protecting PHI
- Execute BAAs with third parties that have access to PHI (including web hosting companies)
- Ensure that PHI is only accessible to authorized individuals within your company
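Two of the items above (encrypted web forms, and keeping third-party trackers away from PHI) can be checked mechanically against a page's HTML. The following is an added example written for this post, not code from the original author: it parses a page with Python's standard-library HTML parser and flags forms that submit over plain HTTP, forms that post to a host other than the site's own (a third-party disclosure that needs a BAA), and scripts loaded from third-party hosts that could observe what a patient types. The host name `clinic.example`, the page URL, and the sample HTML are all constructed for the example.

```python
"""Audit a page's HTML for the PHI-leak risks described above.

Added example (not the original post's code). Assumptions, all hypothetical:
- SITE_HOST is the covered entity's own web host.
- A <form> whose resolved action is not https:// is an unencrypted form.
- A <form> or <script src> pointing at any other host is a third-party
  disclosure that should be reviewed under a BAA.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SITE_HOST = "clinic.example"                 # hypothetical covered-entity host
PAGE_URL = f"https://{SITE_HOST}/contact"    # page whose HTML is audited

# Constructed sample page: one safe form, one plain-HTTP form, one form that
# posts to a vendor, one third-party tracking script, one first-party script.
SAMPLE_HTML = """
<html><body>
<form action="/intake" method="post"><input name="dob"></form>
<form action="http://clinic.example/legacy-form" method="post"></form>
<form action="https://forms.vendor.example/submit" method="post"></form>
<script src="https://connect.tracker.example/pixel.js"></script>
<script src="/static/app.js"></script>
</body></html>
"""


class _Collector(HTMLParser):
    """Collect form actions and external script sources from the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means the form posts back to the page itself.
            self.forms.append(a.get("action") or "")
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def audit_page(html, page_url=PAGE_URL, site_host=SITE_HOST):
    """Return a list of (kind, resolved_url, reason) findings for the page."""
    parser = _Collector()
    parser.feed(html)
    findings = []
    for action in parser.forms:
        # Relative actions inherit the page's scheme and host.
        url = urljoin(page_url, action)
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(("form", url, "form submits over plain HTTP"))
        if parts.hostname != site_host:
            findings.append(("form", url, "form posts data to a third party; confirm a BAA"))
    for src in parser.scripts:
        url = urljoin(page_url, src)
        if urlsplit(url).hostname != site_host:
            findings.append(("script", url, "third-party script can observe form contents"))
    return findings


if __name__ == "__main__":
    for kind, url, reason in audit_page(SAMPLE_HTML):
        print(f"{kind:6} {url}  ->  {reason}")
```

Run against the constructed page, the audit reports three findings: the legacy form over HTTP, the form posting to the vendor host, and the tracking script. Fetching live pages and feeding their HTML to `audit_page` turns this into a periodic check that complements the manual assessment recommended above.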