The healthcare industry is currently experiencing an accelerated trend toward remote patient offerings and the digitization of patient services. This movement has brought on a slew of new healthcare-related technologies and expanded digital access for many patients. While welcomed by most patients, this progress also raises concerns about the safeguarding of patient privacy. Confidentiality becomes especially significant when considering UI and web design for healthcare.
Until 1996, the healthcare industry lacked a national standard for protecting private patient information. The internet was still very new then, but it was already expected that patient information would move from paper to electronic format as healthcare systems and companies adopted new technologies.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, established protections for the privacy and security of patients’ health information. The Department of Health and Human Services, or HHS, enforces HIPAA regulations and has created two rules to define compliance requirements clearly. They are known as the Privacy Rule and the Security Rule.
The HIPAA Privacy Rule and HIPAA Security Rule together provide the regulations needed to follow HIPAA requirements.
The Privacy Rule sets a national standard for safeguarding specific health information. It defines what types of information must be protected and labels this as PHI (Protected Health Information) or, in electronic format, e-PHI. The Privacy Rule also specifies who must safeguard this information and designates these as “covered entities.”
The Security Rule sets out how “covered entities” must protect (e-)PHI. Rather than being tied to the technology available at the time, both rules were designed around guiding principles that adapt to new technologies as they emerge.
HIPAA compliance in web design
Unfortunately, when it comes to HIPAA compliance for websites, it’s not as simple as just using a HIPAA-compliant hosting service. Granted, that is important, but it’s just one of six essential steps to achieving HIPAA compliance.
6 Steps for HIPAA Compliant Web Design
- HIPAA-Compliant Hosting. Typically, hosting providers that are HIPAA compliant will provide physical safeguards meeting the HIPAA Security Rule. In addition, as a service provider for a HIPAA “covered entity,” they will also sign a Business Associate Agreement.
- Access controls and monitoring. Strict safeguards must be in place to prevent unauthorized access to e-PHI. Administrative controls should determine access authorization for e-PHI. All access to e-PHI and the administrative controls must be monitored, recorded, and periodically reviewed.
- Integrity controls. These are controls that protect the integrity of the e-PHI, keeping it from being changed or deleted without authorization.
- Data transfer controls. Any e-PHI data uploaded, downloaded, or transferred to the server or another location must be secured throughout the process. In practice, this means all e-PHI must be encrypted both in transit and at rest.
- HIPAA training. All authorized users and administrators must be educated on HIPAA Privacy and Security Rules, the proper use of the website, and all the controls.
- Physical security. The web server location must be secured, limiting physical access to only authorized individuals. Your hosting service may already cover this.
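To make the access-control, monitoring, and integrity steps above concrete, here is a small added example (written for this article, not code from ArchKATect or any HIPAA product) of an e-PHI access gate: it checks role permissions, verifies an integrity tag on the record, and writes an audit entry for every attempt, allowed or denied. The role names, record layout, and integrity key are all constructed assumptions.

```python
"""Minimal e-PHI access gate illustrating Security Rule controls:
role-based authorization, audit logging of every access attempt, and an
integrity check on each record. Constructed example, not production code."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed secret for the integrity tag; a real deployment keeps this in
# a secrets manager, never in source control.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Administrative control: which roles may read or modify e-PHI (assumed roles).
ROLE_PERMISSIONS = {
    "clinician": {"read", "update"},
    "billing": {"read"},
    "marketing": set(),  # no access to e-PHI at all
}

AUDIT_LOG = []  # in practice an append-only store that is reviewed periodically


def integrity_tag(record: dict) -> str:
    """HMAC over a canonical JSON form so any field change is detectable."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(INTEGRITY_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def store_record(record: dict) -> dict:
    """Attach an integrity tag when the record is written."""
    return {"data": record, "tag": integrity_tag(record)}


def access_phi(user: str, role: str, action: str, stored: dict) -> Optional[dict]:
    """Authorize, verify integrity, and log the attempt whether or not it succeeds."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    intact = hmac.compare_digest(stored["tag"], integrity_tag(stored["data"]))
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "action": action,
        "patient_id": stored["data"].get("patient_id"),
        "outcome": "allowed" if allowed and intact else "denied",
        "integrity_ok": intact,
    })
    if not (allowed and intact):
        return None  # denied attempts are recorded but return nothing
    return stored["data"]
```

A denied request and a tampered record both leave a "denied" entry in AUDIT_LOG, which is the trail the periodic review in step 2 depends on.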
How to maintain a HIPAA-compliant website?
The best way to ensure your new or existing website and connected systems comply with HIPAA rules is to conduct a risk analysis. Risk analysis is crucial because attackers constantly probe systems for opportunities to gain access or compromise data integrity. Unfortunately, it is also common for new code, plugins, and applications to unintentionally weaken one of your controls.
At ArchKATect, we are not only healthcare marketing experts, but we also specialize in healthcare website design, including HIPAA controls. Our team is ready to partner with you to help ensure HIPAA compliance in every aspect. Whether it’s adding new UI functionality, conducting a risk assessment, or designing an entire website from scratch, we have the team and resources in place to make it happen. Contact us today for a free consultation. We are your healthcare web-design partners. We can help. Let’s talk.