Here’s how to ensure healthcare website privacy by complying with HIPAA rules
HIPAA (Health Insurance Portability and Accountability Act) was passed in 1996 to ensure the privacy of patient records. Back then no one gave much thought to how HIPAA might apply to websites.
But with recent clarifications in the law, the guidelines have been transformed. Today, healthcare providers and not-for-profits who provide client services need to ensure healthcare website privacy by following HIPAA rules.
HIPAA privacy pitfalls
Even though websites are essentially an advertising medium, there are areas that can violate HIPAA rules:
1. Client Contact Form:
Are you asking for too much information? Restrict the form to name and contact information. If you wish to clarify the prospect’s interest you can include buttons for them to use. NEVER use a dialog box into which a user can type whatever they wish.
2. Transmittal and storage of Client Contact form
Who hosts your website? Is it on a server you own and control, or is your website hosted with an outside firm?
- If your website is hosted by an outside vendor then you must require that it is on a secure server. Legally, the hosting company is a Business Associate, so you need a signed BAA.
- Transmittal of a completed client contact page must be done in a secure manner (e.g. fax, or an SSL/TLS certificate on the website so the form is submitted over HTTPS).
- When using an outside hosting firm the information from completed contact pages cannot be stored on the vendor’s equipment.
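The contact-form rules in items 1 and 2 can be enforced on the server as well as in the page design. The following is an added example written for this article, not code from the author or from HIPAA Continuity Planners: it accepts only name and contact fields, takes the prospect's interest from a fixed set of options instead of a free-text box, and refuses submissions that did not arrive over HTTPS. Field names, patterns and interest options are assumptions.

```javascript
// Added example (not from the original article): server-side validation
// for a healthcare "client contact" form. Field names, length limits and
// the interest options below are assumed for illustration.
const ALLOWED_FIELDS = new Set(["name", "email", "phone", "interest"]);
const INTEREST_OPTIONS = new Set(["general", "appointment", "billing", "other"]);

// Tight patterns keep every field to name/contact data; there is
// deliberately no free-text field a prospect could put health details in.
const RULES = {
  name: /^[\p{L}\s'.-]{1,80}$/u,
  email: /^[^\s@]{1,64}@[^\s@]{1,255}$/,
  phone: /^[0-9+()\-.\s]{7,20}$/,
};

// Returns { ok: true, record } for an acceptable submission, otherwise
// { ok: false, errors } listing every rule the submission violates.
function validateContactForm(body, { isHttps }) {
  const errors = [];
  if (!isHttps) errors.push("submission must arrive over TLS (HTTPS)");
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  const record = {};
  for (const field of ALLOWED_FIELDS) {
    const value = body[field];
    if (field === "interest") {
      // Interest is optional but must be one of the fixed button values.
      if (value !== undefined && !INTEREST_OPTIONS.has(value)) {
        errors.push("interest must be one of the fixed options");
      } else if (value !== undefined) record.interest = value;
      continue;
    }
    if (typeof value !== "string" || !RULES[field].test(value)) {
      errors.push(`${field} is missing or not in the expected format`);
    } else record[field] = value.trim();
  }
  return errors.length ? { ok: false, errors } : { ok: true, record };
}

// Constructed sample submissions for a quick stand-alone run.
const accepted = validateContactForm(
  { name: "Jane Doe", email: "jane@example.com", phone: "555-123-4567", interest: "appointment" },
  { isHttps: true });
const rejected = validateContactForm(
  { name: "Jane Doe", email: "jane@example.com", phone: "555-123-4567",
    message: "free text the form should never accept" },
  { isHttps: false });
console.log(accepted.ok, rejected.errors);
```

The returned `record` is what you would forward to the practice over a secure channel; nothing in this handler writes it to disk, which is the point of the third bullet above.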
3. Content on Websites
When using pictures on your website, such as before and after photos, satisfied clients, or children:
- Always have the client or guardian sign a release (consult your attorney for the proper form).
- De-identify the party pictured (no first and last names; use a code, such as a series of numbers or letters).
The big picture
Remember the purpose of the website is to motivate a prospect to contact you directly. Do not use it to gather personal health information.
It’s always a good idea to have a person with HIPAA knowledge review your website.
And use common sense: does your site contain a request for information that you, as a patient, would be reluctant to provide? Then keep that information request off your client contact form.
About the author
Andrew Weitzberg is the President of HIPAA Continuity Planners, a consulting firm specializing in HIPAA and HITECH Compliance for the medical profession’s Business Associate vendors, as well as other professions that maintain Personal Health Information and Personally Identifiable Information.
FACT OF THE MONTH
Of all the words in the English language, the word “set” has the most definitions.
LEVINSON BLOCK NEWS
This just in! We produced this video for Lighthouse Guild, a major vision and healthcare organization. Through compelling client interviews, it puts a spotlight on the organization’s successes. It was shown at their gala, and will be featured on their website.