If you are a health care services provider and your practice has a website, then your website must be HIPAA/HITECH compliant.
Many small and medium size medical and mental health care practices know that a well designed website can add to their patient base, improve their marketable image and provide the vector for a vast array of patient-oriented services.
However, most practitioners are not aware that HIPAA and HITECH cover their websites as well. If a practitioner's website receives or transmits nearly any personal information regarding a patient, even a patient's name within a common "contact us" form, that website must comply with the strict laws of the Health Insurance Privacy and Portability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
These federal laws can carry both civil and criminal penalties for violations, and the United States Department of Health and Human Services (HHS) is cracking down, so your chances of being audited are much higher.
A 2015 United States Office of the Inspector General's report criticized HHS for its lack of diligent oversight and, as a result, the HHS's HIPAA enforcement arm, the Office of Civil Rights, is intending to audit more small and medium size practices and health care practitioner websites beginning in early 2016 (Health Law & Policy Matters and Lexology).
Website Development Shop will enter into a Business Associate Agreement (BAA) with your practice and will provide a website that looks great, is feature-rich, and is HIPAA and HITECH compliant.
Protected health information (PHI), the receiving, sending or storage of which is protected by HIPAA, consists of almost any information about a patient - including information indicating whether an individual is a patient at all.
Issue: A patient uses a practitioner's website to contact them to change an appointment and the practitioner's website is not HIPAA/HITECH compliant and/or the practitioner does not have the HIPAA required policies and/or does not follow their detailed procedures to enforce them.
Fact: As a patient's name, telephone number and e-mail address are defined by HIPAA as PHI, each and every communication from a patient through a non-HIPAA-compliant website is a potential violation, and the provider can face penalties of $1,000 to $50,000 per violation (that is, per patient) even if the violation is due to reasonable cause and not due to willful neglect (American Medical Association).
There are many everyday examples in which health care service providers believe they are acting in accordance with HIPAA privacy and security regulations, but are not. Nonetheless, those who order HIPAA compliance audits and prosecute cases for violations (HHS, OCR and each state's attorney general's office (42 USC § 1320d-5)) do not accept such excuses from providers as grounds to avoid the imposition of penalties. The presumption is that if a health care provider receives, transmits and/or maintains PHI, then they are fully responsible for doing so under the laws enacted under HIPAA and HITECH.
Website Development Shop gives health care providers a unique perspective on their HIPAA and HITECH requirements as they relate to their technology platforms. Contact us today to discuss your practice's unique needs.
Issue: A health care service provider uses their Gmail, Yahoo or Hotmail e-mail account to communicate with a patient and/or to receive patient communications, believing that their e-mail address is secure.
Fact: While general-use e-mail providers such as Google, Yahoo or Microsoft use standard security protocols that are sufficient for many purposes, the fact is that these services were never created to comply with the security provisions of HIPAA or HITECH, nor do they do so now. As such, a provider who uses these services to communicate with patients is in immediate violation of HIPAA and can face penalties of $1,000 to $50,000 per violation (that is, per patient) even if the violation is due to reasonable cause and not due to willful neglect (Cornell University School of Law).
A HIPAA/HITECH compliant website consists of many components, including but not limited to: data security (e.g., encryption); physical security (ensuring that only those who are properly authorized, and with whom the provider maintains a BAA, can access the web server); and, of course, the policies that dictate the specific security measures to be undertaken to keep it that way, as well as those required to manage any potential or actual breach.