Today, there are many options when it comes to developing a website for your medical practice or healthcare organization. Some developers may promise to secure your new website with an SSL certificate, claiming that patients can complete their medical history form or appointment requests “securely” online. However, without proper training in HIPAA security or the required technical infrastructure, you may be at risk for a breach.
Collecting ePHI on your medical website requires more than just an SSL certificate and an online form.
To protect health data on your site, there are a number of things you or your developer must do before launching. These include building an infrastructure with audit trails and enough software and hardware to monitor for unauthorized activity. In addition, working with staff who are highly trained and knowledgeable in HIPAA security can prevent potential issues and resolve quickly those that do arise.
So beyond hiring a developer with this expertise, what can you do? Start by understanding all the important facets of website and form security. Know that there are affordable hosted HIPAA-compliant form builder tools that allow you to easily and safely offer online forms on your website to collect ePHI.
Secure Certificate (SSL)
Not having an SSL certificate on your site or form means visitors are on a non-secure connection, and anyone able to intercept the traffic can view the data being sent from your form. Installing an SSL certificate on your website ensures that anyone accessing information on your site is doing so over a secure connection. The data sent from your users to the server will be encrypted during transmission.
Securing the Data
Ensuring that your users’ data is transmitted securely is critical. The most common way for data to be sent from an online form on your website is using a simple script to email results. While it may be easy and convenient for you to receive data right to your inbox, the message sent is unencrypted and can be viewed by others. To ensure compliance with HIPAA, sending and receiving ePHI through standard email should be avoided at all times. One cannot guarantee the recipient or sender is utilizing a secure messaging service.
Saving Data into a Secure Separate Database Server
Encrypting data and storing it on a secure, separate database server allows you to maintain strong access controls and minimize risk. If your website is on a shared web server and stores ePHI in a local database, your website and its data could be compromised through another website on that same server: if some other customer's website is compromised, this could lead to unauthorized access to your data.
Security of Your Web Host
The right web hosting provider is crucial for the security of your data. A web hosting provider that does not specialize in HIPAA security is unlikely to have the infrastructure and software needed to safeguard sensitive data. Typically, such a provider will not sign or abide by a Business Associate Agreement, which means your online forms may not meet HIPAA requirements. System administrators and technical support staff for the web host can potentially access your data. If that data is not encrypted, they can view it and/or modify your form application.
Practis Forms can Help
Automate, streamline and secure your patient data with Practis Forms. Added to any website, Practis Forms allow you to securely collect data from any form including patient history, health assessments, payment information, and patient consent. Contact Practis to learn more.