If you are a health care services provider and your practice has a website, then your website must be HIPAA/HITECH compliant.
Many small and medium-sized medical and mental health care practices know that a well-designed website can add to their patient base, improve their marketable image and provide the vector for a vast array of patient-oriented services.
However, most practitioners are not aware that HIPAA and HITECH cover their websites as well. If a practitioner's website receives or transmits nearly any personal information regarding a patient, even a patient's name within a common "contact us" form, that website must comply with the strict laws of the Health Insurance Privacy and Portability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
These federal laws can carry both civil and criminal penalties for violations, and the United States Department of Health and Human Services (HHS) is cracking down, so your chances of being audited are much higher.
A 2015 report by the United States Office of the Inspector General criticized HHS for its lack of diligent oversight. As a result, the HHS's HIPAA enforcement arm, the Office of Civil Rights, intends to audit more small and medium-sized practices and health care practitioner websites beginning in early 2016 (Health Law & Policy Matters and Lexology).
Website Development Shop will enter a Business Associate Agreement (BAA) with your practice and will provide a website that looks great, is feature rich and HIPAA and HITECH compliant.
Protected health information (PHI), the receiving, sending or storage of which is protected by HIPAA, consists of almost any information about a patient - including information indicating whether an individual is a patient at all.
Issues: A patient uses a practitioner's website to contact them to change an appointment. The practitioner's website is not HIPAA/HITECH compliant, and/or the practitioner does not have the HIPAA-required policies, and/or does not follow the detailed procedures needed to enforce them.
Facts: Because a patient's name, telephone number and e-mail address are defined by HIPAA as PHI, each and every communication from a patient through a non-HIPAA-compliant website is a violation, and the provider can face penalties of $1,000 to $50,000 per violation (that is, per patient) even if the violation is due to reasonable cause and not due to willful neglect (American Medical Association).
There are many everyday examples in which health care service providers believe they are acting in accordance with HIPAA privacy and security regulations, but are not. Nonetheless, those who order HIPAA compliance audits and prosecute cases for violations (HHS, OCR and each state's attorney general's office (42 USC § 1320d-5)) do not accept such excuses from providers as preventing the imposition of penalties. The presumption is that if a health care provider receives, transmits and/or maintains PHI, then they are fully responsible for doing so under the laws enacted under HIPAA and HITECH.
Issues: A health care service provider uses their GMail, Yahoo or Hotmail e-mail account to communicate with a patient and/or to receive patient communications, believing that their e-mail address is secure.
Facts: While general-use e-mail providers such as Google, Yahoo or Microsoft use standard security protocols that are sufficient for many uses, the fact is that they were never created to comply with the security provisions of HIPAA or HITECH, nor do they do so now. A provider who uses these services to communicate with patients is in immediate violation of HIPAA and can face penalties of $1,000 to $50,000 per violation (that is, per patient) even if the violation is due to reasonable cause and not due to willful neglect. (See 42 USC § 1320d-5, above.)
A HIPAA/HITECH compliant website consists of many components, including but not limited to those related to data security (e.g., encryption); physical security (ensuring that only those who are properly authorized, and with whom the provider maintains a BAA, can access the web server); and, of course, the policies that dictate the specific security measures to be undertaken to keep it that way, as well as those required to manage any potential or actual breach.
Security is a process not a product.
Neglecting to maintain, practice and enforce the proper HIPAA required policies is a serious HIPAA violation.
Issues: A health care service provider's website is hosted on a dedicated web server by a large, reputable and well-known website host such as GoDaddy. The website has a current and valid SSL certificate to encrypt both the content of the website and all communications to and from it. A patient uses that website to contact the provider to change their contact phone number. Both the provider and the patient believe the website is secure and in conformance with HIPAA/HITECH laws.
Facts: The provider's website is not secure, nor does it comply with the requirements under HIPAA. Website hosts such as GoDaddy do not enter Business Associate Agreements (BAAs), which are required under HIPAA, and HIPAA requires a data center inspection, which is not possible with GoDaddy. Further, shared hosting accounts do not meet the security requirements under HIPAA and HITECH (GoDaddy).
A provider who uses these services to communicate with patients is in immediate violation of HIPAA and can face penalties of $1,000 to $50,000 per violation (that is, per patient) even if the violation is due to reasonable cause and not due to willful neglect.
Website Development Shop will provide your practice with the expertise you need to have a beautiful HIPAA-compliant website that helps your practice provide services more efficiently while protecting it from the damage that follows an unsuccessful HIPAA audit. Please reach out to us with any questions or to discuss your needs.