10 keys to a HIPAA-compliant medical practice website

Your medical practice website is essential for growth, but before you dive into adding pages, forms, and functionality, make sure you review and keep the Health Insurance Portability and Accountability Act (HIPAA) in mind. HIPAA has regulated patient privacy and information since 1996 — and the rise of online health portals has made managing HIPAA compliance much more complicated. But how to stay HIPAA compliant on your medical practice website?

It’s not as hard as you think to make a website HIPAA compliant. Yet it’s also crucial to your success as a healthcare provider — and to building patient trust.

In 2022 there were 707 healthcare data breaches, resulting in the release of tens of thousands of patient records. Medical practices made up 35.6% of these breaches. Ensuring that your website is secure, well-maintained, and up to date can reduce the likelihood that it will be subject to a costly breach and can also reassure both you and your patients that their data is safe and protected.

How does HIPAA compliance relate to websites?

HIPAA was written before healthcare websites were common, but many of the rules that relate to patient privacy and data storage apply. 

In particular, the HIPAA privacy rule and the HIPAA security rule dictate how protected health information (PHI) can be collected, stored, and used. The Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) consider the following types of data to be PHI:

1. Patient name
2. Address
3. Important dates, such as a birthday, admission or discharge date, or date of death
4. Contact data like telephone number, fax number, or email address
5. Social Security number
6. Medical record number
7. Health plan beneficiary number
8. Account number
9. Any kind of certificate and/or license number associated with the patient that could reveal their identity, such as driver’s licenses, death certificates, etc. 
10. Vehicle identifiers, serial numbers, and license plate numbers
11. Device identifiers or serial numbers
12. Web URLs that contain sensitive information, such as web form records that contain patient details
13. IP addresses
14. Biometric identifiers like fingerprints or voice prints
15. Full-face photos
16. Any other unique identifying numbers, characteristics, or codes 

But how and why does a medical practice collect PHI? For practices that have begun to embrace the digital patient journey, patients might be able to: 

• Review lab results and personal health records from a patient portal
• Schedule appointments online
• Email medical documents
• Follow up after an appointment via email or text
• Request digital medical documentation 
• Pay bills using a link you provide

With more and more patients accessing and sharing this sensitive information directly from their mobile devices and laptops, ensuring your practice website is HIPAA compliant is the minimum.

Why make your website HIPAA compliant? 

Before you improve your site’s security and privacy, consider what’s necessary for compliance. To remain compliant with HIPAA, medical practice websites must:

• Securely send, store, and receive patient data
• Provide access to good-faith disclosures
• Limit who can access data 
• Regularly monitor activity

Each one of these procedures is part of keeping your healthcare website compliant — but they’re all also part of creating a quality and streamlined patient experience, ensuring smooth patient-provider communications and transparency, building trust, and reducing the risk of downtime. Not to mention that healthcare providers found to violate HIPAA can face fines or even criminal consequences. 

How to stay HIPAA compliant on your medical practice website

The following 10 keys can help you achieve HIPAA compliance, and many are easy to set up and maintain.

1. Secure your website connection

First things first, purchase a Secure Sockets Layer (SSL) certificate if one did not come with your hosting package. SSL improves website security through encryption. 

If you’re not sure whether or not your website connection is secure already, navigate to your home page in your browser and look at the address bar. Depending on your browser, you might need to click to see the full URL. If it has an “https://” before it, you’re using an SSL certificate. Many web browsers will also display a lock symbol before the URL in the address bar. If you click on the lock, you should be able to find the SSL certificate information for the current website. 

SSL is part of ensuring that your website is secure, that third parties can’t view or modify the secure information between your site and users, and that your users are who they say they are. Search engines like Google also prefer websites with an SSL certificate, which means that if you improve your security, you might improve your search result rankings. 

2. Use a HIPAA-compliant hosting provider

Not all web hosts are created equal. It can be tempting to go for cheap hosting options, but it’s always better to use a web host with a sound track record on cybersecurity. Your host of choice should be, at minimum, familiar with HIPAA requirements as well as any state requirements, including with the administrative, technical, and physical security measures required to protect PHI. Better yet, use a healthcare-focused host with a commitment to HIPAA and to staying up to date with the regulatory landscape. 

3. Capture data securely

Avoid sending PHI through email or public web forms. A digital intake form on your website can help you to be more efficient and save time for your front office staff — but it must be encrypted. It’s also best practice to ask only for essential data. 

There are various levels of encryption, but your best bet is to use end-to-end encryption. Good encryption software will be able to protect both data you transfer over the internet and also data that lives on your computers and mobile devices or in the cloud.

4. Limit access to data

Encryption is part of the foundation of effective data management and ensuring that only authorized individuals with the correct login credentials can access PHI. But who should be authorized? 

In general, access to medical documents should be limited to as few parties as possible. For instance, if you have a team of several providers, perhaps only those directly involved in a given patient’s care can access their electronic health records. It can be helpful to update access regularly to ensure only a few people can access these records.

You should also have policies that clarify how patients can access their own patient records, limit sharing of their records or PHI with other parties, and review everyone who has accessed their PHI.

5. Lock down your data storage

There are 2 ways you can store data: on servers or in the cloud. Both have pros and cons, but cloud storage has become increasingly popular due to its portability. 

Data cloud storage can be HIPAA compliant. There are a number of steps a cloud vendor can take to be compliant, such as offering 256-bit AES encryption, access controls, audit logs, and other features. Users must also sign a Business Associate Agreement (BAA) before uploading documents onto the platform. 

6. Backup your data

Health records are critical for patient well-being. The last thing you want is to lose data, even accidentally. It’s important to make regular data backups and encrypt them for storage. You can likely automate this process. The most important part is ensuring that access to these files is limited in terms of who is supposed to access them, who has the passwords or keys to do so, and the physical security around them. 

7. Prune your database

Over time, you will wind up storing data that you or your patient no longer need. This information is best deleted. You will often need to delete this information from the server or cloud that houses your data, as well as from your EHR database.

8. Use business agreements with vendors

When working with any healthcare vendor, you must use a BAA. This contract states that your vendor will adhere to HIPAA standards and ensure their systems are compliant. 

Aim to work with vendors that highlight their already-compliant systems.

9. Audit regularly

Performing ongoing monitoring and surprise audits can ensure that your systems remain compliant. Some tasks that fall into this category are conducting assessments, scanning for malware, and reviewing transaction or user logs.

10. Require secure authentication

Your team shouldn’t depend on just a strong password. Two-factor authentication or biometric access can help reduce the likelihood of a breach and protect patient data on the backend. For most small medical practices, it’s possible to enable two-factor authentication as a requirement for both your team and your patients (though if your patients are sometimes unhoused, enabling two-factor authentication can be a barrier to access).

Keep up with HIPAA compliance

When it comes to compliance, there’s always something new. Regulators modify and add new rules as technology advances. But as a healthcare provider, your specialty isn’t in compliance, it’s in providing quality patient care.

That said, there are 2 main ways you can keep up with compliance.

First, it can often be helpful to hire a third party to audit your systems once a year. An objective third party can ensure that your website and digital security remain compliant. 

Second, it’s essential to work with business and software vendors that build compliance into their systems. The best-in-class solutions will focus on staying aligned with HIPAA and other key policies, so you don’t have to.

Build a more secure website

The path of how to stay HIPAA compliant on your medical practice website can be simple if you think about it with compliance in mind. Ensuring that you consider patient privacy and security before you update your website or data procedures is essential to protect your patients and yourself.

The best part is that there are many solutions available for you to create a medical practice site that attracts, retains, and safeguards patients. Or you can choose an all-in-one solution (like Tebra). If you want to find out what patients expect from your medical website and your practice, check out Tebra’s 4th annual Patient Perspectives report.