As we all know, the Health Insurance Portability and Accountability Act (HIPAA) provides strict guidelines on all aspects of maintaining your patients' privacy. This applies to your data records and EMRs, which is why companies like WebPT ensure strict adherence to these rules within their apps.
Did you know that your website is also subject to these rules? Read on to check whether your site is meeting the standards.
The Omnibus Rule, established in 2013, is now being enforced more actively, and clinics of all sizes are being audited for compliance.
HIPAA rules govern any entity, provider or associate that deals with protected health information (PHI). If your website contains, transmits or receives this individually identifiable health information, then it does need to be compliant.
Compliance is costly, so many clinics instead ensure that their website does not handle PHI and remains a standalone element of the practice. Consider the following simple decision tree:
Option A: Ensure that your website is fully HIPAA compliant.
Activities: Billing, Patient Portal, Online Health Records, Marketing, and General Information
Hosting: Typically, PT clinics have their website hosted with an external hosting provider (think GoDaddy or Hostgator). Most of these larger providers do not offer HIPAA compliance. Below is a list of providers that do offer compliant servers and will sign a Service Level Agreement (SLA) and a Business Associate Agreement (BAA) with you. The cost of these services ranges from $700 to over $2,500 per month.
If Option A is for you, contact us or another specialized medical website developer for more information.
Option B: Ensure that your website does not access or manage any sensitive information.
Activities: Marketing, and General Information
Hosting: Regular hosting account with SSL and other simple security measures.
Something to consider:
Many practice websites embed social media feeds. Does yours? What happens if a patient posts personal information on your feed, and how do you guard against this?
Yes, this is a breach and requires an incident report. To prevent it, allow only moderated comments on your blog posts and ensure that your social media feeds display only posts by the site owners.
For more information, or to discuss your clinic’s needs, please contact PT Clinic Marketing for a complimentary evaluation.