When the United States enacted the Health Insurance Portability and Accountability Act (“HIPAA”) in 1996, it did so in part to give health care patients better assurances that their personal medical histories and information would not be publicized or utilized for improper purposes.
But, despite cyber help – cloud-based applications, data-collection storage, management systems for information safety and law-compliance purposes – the bad guys, who have a strong will, have found many ways to get in. These complex digital risks include malware, e-mail security hacks, breaches, brand fraud, domain name hacks, website infiltrations, phishing scams, digital bots, imposter social media accounts and mobile data theft.
As the digital world expands, it is important to keep all aspects of your practice compliant. One major reason: HIPAA violations can lead to significant fines against any practice that is deemed responsible for failing to protect patient information and privacy. In our experience, we have found that many websites belonging to ophthalmology practices are not HIPAA compliant. They become negligent by accepting electronic protected health information (e-PHI) in a way that is not secure.
This article will discuss the main components of HIPAA compliant website forms, the creation of Business Associate Agreements (BAA) and steps for keeping a website secure from outside hacks.
WHAT’S IN YOUR WEBSITE?
That all-important HIPAA-compliant website your practice needs resembles the following:
- All collected e-PHI website forms are encrypted; the same is true for all information transmitted (this includes pre- and post-patient information).
- Any patient information is backed up and recoverable.
- Only authorized personnel bound by the BAA (we’ll get to this) can access protected data.
- A secure disposal method for the information is in place.
- Information should be secured by HIPAA security rules.
- Privacy policies are easily accessed on the practice’s website.
- An encryption certificate (SSL) is a given.
WHY SHOULD YOU WORRY?
You might find this point ludicrous, but health care websites are compromised all the time. According to Health IT Security, health care cyber attacks rose 320% from 2015 to 2016.[1]
In June 2016 alone, 95,251 health care records were stolen or improperly viewed.[2] The intention of most website hackers is not to steal your data, but rather to use your server as a spam device, hijack your hard-earned website equity or even take down your homepage.
A little story to illustrate. We got called in to help out a practice whose site was hacked for its online position. It had ignored many of the hacker’s ominous signs, but couldn’t ignore this one: A week after the hackers made their cyber presence known, the practice’s waiting room TVs were transmitting pornography. During office hours. (Full disclosure: we get very few clients this way.)
| HIPAA SECURITY RULE REFERENCE | SAFEGUARD (R) = REQUIRED | STATUS |
|---|---|---|
| 164.308(a)(1)(i) | Security management process: Implement policies and procedures to prevent, detect, contain, and correct security violations. | |
| 164.308(a)(1)(ii)(A) | Has a risk analysis been completed in accordance with Nat’l Institute of Standards and Technology (NIST) guidelines? (R) | |
| 164.308(a)(1)(ii)(B) | Has the risk management process been completed according to NIST guidelines? (R) | |
| 164.308(a)(1)(ii)(C) | Do you have formal sanctions against employees who fail to comply with security policies and procedures? (R) | |
| 164.308(a)(1)(ii)(D) | Have you implemented procedures to regularly review records of IS activity such as audit logs, access reports, and security incident tracking? (R) | |
| 164.308(a)(2) | Assigned security responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. | |
The price to pay for a hack or PHI breach is too costly when you could just take the necessary steps to be secure.
SET UP A BAA
The 2013 HIPAA omnibus rule, also called “HIPAA 2.0” by the American Medical Association, expanded the security rule to include direct liability for business associates of covered entities — which means your website must comply with HIPAA security standards.
One of those standards is the business associate agreement. A BAA is a promise between the practice and a health care entity — a health plan, health care clearinghouse — with which it does business. HIPAA allows practices to share protected information if the business associate promises to use the information in the way it was contracted to do so.
By law, practices are required to have this document to be HIPAA compliant.
Any company that you work with that is involved with PHI will need to sign this document. These include web vendors, e-mail vendors, IT vendors, server vendors or website design vendors. If the vendor will not sign a BAA, this might be a red flag regarding compliance.
Types of e-PHI include general patient demographic information, such as names, addresses, phone numbers, social security numbers and dates of birth, patient photographs, X-rays or CT scans, patient medical history records, payment information and even insurance information.
The U.S. Department of Health & Human Services describes e-PHI as “all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.” If your practice transmits patient data or communicates electronically with a patient via your medical website, you are responsible for protecting this information.
Many practices don’t. They violate the security rules by downloading information from secure websites onto local computers for day-to-day use.
Huge mistake: Always keep this information encrypted and make sure no employees are downloading these data onto a laptop to ease their day’s work. Medical records are valuable on the black market.
To avoid penalties, you need to build, or hire someone to build, a HIPAA-compliant website — the benefits from doing this are far-reaching.
Regardless of which way you go, print out the below URL. It leads to the government’s official HIPAA security checklist: four pages, 44 entries, written in government-speak. Even if you hire someone, you should have the checklist to check off each entry as your website is built.
If you do it yourself, do two things. First, hire a consultant who has built many compliant HIPAA websites and who has quality experience with cyber security. Second, make e-PHI security a top priority. This begins with technologies like Secure Sockets Layer (SSL) protection; do this even before you decide on whether to build the site yourself or farm it out. SSL protection will ensure that the initial leg in the transmission of PHI from the patient to the web server is secure. From there, data can be passed to someone via e-mail, stored on your web server or on someone else’s web server.
Google encourages the use of SSL technology on every website page.
WEBSITE FORMS: THE ACHILLES HEEL?
Many website forms, such as medical history intake, self-evaluation tests, and scheduling apps, are often sources of HIPAA violations on medical websites, because they often do not handle e-PHI securely.
When these forms transmit, store or send data insecurely or otherwise do not treat the data submitted with the level of protection required, you put the users at risk. The answer is not to stop using website forms. They are important methods of patient engagement and marketing. In fact, according to our own data, self-evaluation tests are six times more likely to attract a lead than a standard contact form.
If your current forms are not HIPAA compliant, at least add a disclaimer that tells patients not to enter sensitive PHI into the forms.
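As an added illustration (not part of the original article), the short Python check below reads a page's HTML and flags forms whose submissions would leave the browser unencrypted, go out through e-mail, or place the patient's answers in the URL. The page address, form names and sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormAuditor(HTMLParser):
    """Collects each <form> on a page and records insecure submission paths."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (resolved form target, [problem codes])

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        a = dict(attrs)
        # An empty or relative action resolves against the page's own URL.
        target = urljoin(self.page_url, (a.get("action") or "").strip())
        scheme = urlparse(target).scheme.lower()
        method = (a.get("method") or "get").lower()  # HTML default is GET
        problems = []
        if scheme == "mailto":
            problems.append("mailto")          # handed to the visitor's e-mail client
        elif scheme != "https":
            problems.append("plaintext-http")  # no SSL/TLS on the first leg
        if method == "get" and scheme != "mailto":
            problems.append("get-in-url")      # answers land in history and server logs
        if problems:
            self.findings.append((target, problems))

def audit_forms(html, page_url):
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page: one safe form and three risky ones.
SAMPLE_HTML = """
<form action="/submit-history" method="post"><input name="dob"></form>
<form action="http://forms.example/intake" method="post"><input name="ssn"></form>
<form action="mailto:frontdesk@clinic.example" method="post"><input name="meds"></form>
<form action="/self-test"><input name="symptoms"></form>
"""

if __name__ == "__main__":
    for target, problems in audit_forms(SAMPLE_HTML, "https://clinic.example/intake"):
        print(target, problems)
```

A clean result only covers the first leg from patient to server; how the data is stored or forwarded afterward still has to be reviewed separately.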
HOW DO I PLAN FROM HERE?
Once you make the decision to become HIPAA compliant at the digital level, make your website and any intake forms HIPAA compliant. SSL must be a first step.
Review the items listed above, and begin to patch each hole one by one. Then, review the vulnerable gaps on your other digital channels, such as social media and mobile. You will be glad you did.
1. Snell E. Healthcare cybersecurity attacks rise 320% from 2015 to 2016. HealthITSecurity.com. Feb. 15, 2017. http://ow.ly/kOBW30ely7I Accessed Aug. 1, 2017.
2. HIPAA Journal. Major 2016 healthcare data breaches: mid year summary. HIPAA Journal. Jul. 11, 2016. http://ow.ly/ZX4a30elyuY Accessed Aug. 1, 2017.