HIPAA-compliant websites

As we all know, the Health Insurance Portability and Accountability Act (HIPAA) sets strict rules on every aspect of maintaining patient privacy. This is essential for your data records and EMRs, which is why companies like WebPT ensure strict adherence to these rules within their apps.

Did you know that your website is also subject to these rules? Check here to ensure that you are meeting the standards.

The Omnibus Rule, established in 2013, is now being enforced more aggressively, and clinics of all sizes are being audited for compliance.

HIPAA rules govern any covered entity, provider or business associate that handles protected health information (PHI). If your website stores, transmits or receives this individually identifiable health information, then it must be compliant.

Compliance is costly, so many clinics instead ensure that their website never handles PHI and remains a standalone element of the practice. Consider the following simple decision tree:

HIPAA Website Compliance
Option A: Ensure that your website is fully HIPAA compliant.

Activities: Billing, Patient Portal, Online Health Records, Marketing, and General Information

Hosting: Typically, PT clinics have their website hosted with an external hosting provider (think GoDaddy or HostGator). Most of these larger providers do not offer HIPAA compliance. Below is a list of providers that do offer secure servers and will sign a Service Level Agreement (SLA) and a Business Associate Agreement (BAA) with you. The cost of these services ranges from $700 to over $2,500 per month.

If Option A is for you, contact us or another specialized medical website developer for more information.

Option B: Ensure that your website does not access or manage any sensitive information.

Activities: Marketing, and General Information

Hosting: A regular hosting account with SSL and other basic security measures.

Something to consider:
Many practice websites embed social media feeds. Does yours? What happens if a patient posts personal health information on your feed? How do you guard against this?
Yes, this is a breach and requires an incident report. To guard against it, allow only moderated comments on your blog posts and ensure that your social media feeds display only posts by the site owners.

For more information, or to discuss your clinic’s needs, please contact PT Clinic Marketing for a complimentary evaluation.

Option B Checklist

  • My website does not collect or store sensitive patient information
  • My website is hosted in a secure facility
  • My website has regular (at least monthly) encrypted backups to an offsite secure location or the cloud
  • My website has regular (at least monthly) security updates
  • SSL certificate – your website address starts with https://
  • Strong passwords are required for website administrators
  • Contact forms submit over an encrypted (HTTPS) connection
  • Privacy Policy and Terms of Use remind visitors to not share personal information
  • We have an established incident response plan to address a breach if it occurs