HIPAA Website Guide for SME Healthcare Organizations

Mastering HIPAA Website Compliance

hipaadigital.com

Alexander Bentley-Sutherland

HIPAA Digital™ - HIPAA Compliant IT Systems, Websites & Cyber Security

If you’re an SME business in the healthcare market, chances are that you are struggling to understand how healthcare legislation like the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) impact your website.

You know about HIPAA and its impact on PHI - and even that's tough enough!

But you've been hearing a lot about what you need to do in order to ensure that your website is compliant with the law. That's not an easy task, especially when more and more businesses like yours are relying on website and hosting companies to deliver the technology that you need to operate and compete effectively.

Recent HHS and OCR announcements have sharpened the focus on healthcare business websites, and it's easy to mistakenly think your website is fine. Except, in most SME cases, it's not.

One of the first places an auditor will look when a HIPAA investigation begins is a covered entity's website. When a website does not meet the basic requirements, it raises red flags and invites more scrutiny. HIPAA cybersecurity laws are changing, and the already far-reaching consequences for non-compliance are getting bigger.

HIPAA DIGITAL Healthcare Website Compliance

HIPAA Digital Full Suite of Products to Make Your Website

HIPAA Compliant

HIPAA Website

HIPAA Emails

HIPAA WordPress

HIPAA Marketing

HIPAA Hosting

HIPAA Analytics

Business Associate Agreement

HIPAA SEO

VISIT WEBSITE

But my website is exempt from HIPAA...

Claiming your website is exempt from HIPAA compliance because it "doesn't capture PHI" ignores the broader requirements of HIPAA, including HIPAA hosting, HIPAA analytics and the overall security of your digital presence.

Such excuses are not just inadequate; they highlight a failure to grasp the fundamental aspects of patient data protection, making them not just flawed but dangerously complacent.

HIPAA compliance is not just about avoiding the collection of PHI on a website; it extends to how the website is hosted and how data is secured, including in transit.

3 Healthcare Laws That Impact a Covered Entity's Healthcare Website

If your website stores or processes electronic protected health information (ePHI), whether visible or unseen (analytics), then your business is impacted by three pieces of healthcare legislation: HIPAA, HITECH and the HIPAA Omnibus Rule.

HIPAA for Websites

The Health Insurance Portability and Accountability Act (HIPAA) has four main goals:

To provide workers who change or quit jobs with continuous healthcare coverage.

To reduce the administrative burdens and cost of healthcare by establishing standards for the electronic transmission of administrative and financial transactions.

To combat abuse, fraud and waste in health insurance and healthcare delivery.

To improve access to long-term care services and health insurance.

HIPAA consists of five sections, which are usually referred to as titles. When people refer to HIPAA compliance, they usually mean adhering to Title II of HIPAA, which is known as the Administrative Simplification Provisions.

When it comes to working with a website or any other technology partner, the most important component of the Administrative Simplification Provisions is the HIPAA Security Rule.

The Security Rule establishes security standards for protecting PHI that is being stored or transferred in electronic form.

All healthcare-related businesses (covered entities) and the technology partners that process ePHI on their behalf (business associates) must follow these rules in order to attain HIPAA compliance.

HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act added further requirements to HIPAA, with provisions that strengthen the civil and criminal enforcement of the HIPAA rules. It established new categories of violations and tiers of penalty amounts.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule was published by the Department of Health and Human Services (HHS) in 2013. These final regulations modifying HIPAA were designed to extend HIPAA's requirements to business associates such as website and marketing companies or contractors that process ePHI on behalf of covered entities.

HIPAA Security Rule Considerations for Websites

The HIPAA Security Rule consists of three core safeguards that every covered entity must implement to ensure the confidentiality, integrity and security of electronic protected health information (ePHI) in all its forms.

1. Administrative Safeguards

Administrative Safeguards are the policies and procedures that define, document and implement how you secure ePHI, who within your workforce has access to it, and what employees are allowed to do with the data.

They also require your organization to regularly review its security measures and to have written business contracts with all third parties (Business Associates) that have access to ePHI data that you manage.

ePHI Covers Much More Than You Think

Name and Contact Information

Regardless of whether a website user leaves any further details about specific medical conditions, the act of collecting their name and contact information (including email address) is enough. And no, despite what you may have been led to believe, a disclaimer on your website does not suffice. Why? Because your disclaimer does not remove the rights of patients (and potential patients) under HIPAA. If it did, the Act would be diluted.

IP Address and Geo-location Data

Many business owners in the United States healthcare sector remain unaware of how Electronic Protected Health Information is collected through their websites.

This lack of awareness includes simply not knowing what types of data are being collected, where they are stored, or the extent to which they are protected (or not). For example, while they might know that a website collects basic contact information and medical histories through a contact form, they may not realize that it also automatically gathers IP addresses, geo-location and device information, which can be considered ePHI.

Lack of awareness is no excuse: ignorance is not a defense under HIPAA, and the rules apply equally to all businesses, regardless of size.

Analytics Data

Many business owners in healthcare do not fully grasp the extent and depth of analytics data collected from their websites, nor the implications of handling this data.

The types of analytics data collected include:

User Interaction Data

Traffic Sources

Device and Browser Information

Demographic and Geographic Information

Conversion Data

If an employee, marketing assistant or website company has ever sent you a proposal based on 'data-driven' principles, there is an extremely high chance you are collecting analytics data.

Device and Browser Information

Unbeknown to you, your website will likely be collecting data on the types of devices and browsers used to access the site, including operating systems, screen resolutions and browser versions.

How We Can Solve This Problem Immediately

As a dedicated HIPAA website and hosting provider, HIPAA Digital is considered a special type of Business Associate called a Website & Hosting Service Provider. By transitioning your website maintenance and hosting to our service, we guarantee the management and upkeep of your website's HIPAA compliance requirements.

When you become a client, we not only sign a Business Associate Agreement with you directly; we also take responsibility for all of your BAAs relating to your website, hosting and marketing.

We manage and verify that every contractor and component of your technology stack has a valid Business Associate Agreement (BAA) in place, which we then securely store within your Client Dashboard.

Our team maintains the currency of all BAAs pertinent to your business's digital operations, coordinating with your vendors and suppliers to ensure that your downstream BAA audit logs are consistently updated.

Our commitment extends to safeguarding and archiving all your BAAs associated with our Managed Website, Hosting and Email Services. This systematic approach means you can swiftly access the necessary documents through your HIPAA Digital Account Manager during critical emergencies, ensuring compliance and readiness.

2. Physical Safeguards

Physical safeguards are physical measures, policies and procedures that you implement to protect systems, buildings, and equipment from data hazards and unauthorized intrusion.

Many healthcare business owners are surprised to learn that the 'Physical Safeguards' component also applies to websites, hosting and email services.

The following ten examples are the minimum physical safeguards that should be applied to websites, hosting and email services in the healthcare sector:

1. Locked Server Rooms

2. Surveillance Systems

3. Access Control Lists (ACLs)

4. Environmental Controls

5. Secure Disposal of Hardware

6. Secure Data Centers

7. Locked Server Cabinets

8. Offsite Backups

9. Documented Restricted Access Controls

10. Access and Change Audit Logs

3. Technical Safeguards

Technical Safeguards are technology, policies, and procedures that protect ePHI and control access to it.

You are required to use any security measures that allow you to reasonably and appropriately protect ePHI. As a healthcare business owner, you must also determine which security measures and specific technologies are reasonable and appropriate for your type of business.

HIPAA Digital Helps You Stay Compliant with Technical Safeguarding

We deliver a complete 'done for you' service that includes a range of technology by default, all designed to satisfy the 'Technical Safeguards' element of HIPAA.

Our Technical Safeguards include:

Access control solutions that limit who has access to hosted systems and what they can do.

Log management solutions that track who has accessed hosted systems and any actions they took.

File integrity solutions that track any changes to files running on hosted systems.

Data encryption solutions that prevent unauthorized access to ePHI that is stored on hosted systems.

Network encryption solutions that prevent unauthorized access to ePHI as it travels across networks.

Worried About Your Healthcare Website's HIPAA Compliance?

HIPAA Digital is a premier provider of HIPAA-compliant hosting and WordPress solutions, trusted by healthcare providers and businesses across the United States to protect their health information from breaches, threats and vulnerabilities.

We manage everything at a reasonable monthly rate, giving you the peace of mind to focus on your patients.
