In many situations, building a website is a straightforward process. Many projects can follow a similar path; as sites get bigger, however, there’s more to think about. If you’re working with a financial institution you’ll need to follow certain regulations. The same goes for education, government, and the medical field.
When we work on medical projects, there’s an incredibly important regulation that we need to keep in mind called HIPAA – the Health Insurance Portability & Accountability Act. While there are many facets to this law, there’s one that people in tech really need to focus on: the section of HIPAA called the “HIPAA Privacy Rule.”
The HIPAA Privacy Rule
Under the HIPAA Privacy Rule, anyone who works with patient health information must protect it. For example, a nurse cannot disclose patient information (or protected health information – PHI for short) to anyone except those that have been specifically authorized by the patient.
There are some nuances to that example (for instance, you can usually find out whether a patient is staying at a hospital, but for some patients even that much can’t be disclosed). The main takeaway is that under the HIPAA Privacy Rule, medical professionals need to be very careful about what information they disclose. My wife (who is a nurse) can’t call her hospital to check up on a patient she previously had, under the HIPAA Privacy Rule.
What Does That Mean for Us?
I know what you’re thinking. Web professionals aren’t medical personnel, so why does this matter to us? It’s because the HIPAA Privacy Rule also extends to Business Associates. This is anyone who performs work on behalf of a covered entity – that is, medical professionals. Being a Business Associate also requires a Business Associate Agreement (BAA). As web professionals, if we are hired to do work in the healthcare field, we must protect electronic PHI (ePHI for short).
What does HIPAA Consider PHI?
Note: Now is a great time to mention that I’m neither a lawyer, nor a compliance expert. There are a lot of intricacies to HIPAA, and this article’s purpose is to introduce and raise awareness. There are some links at the end with more information.
Under the HIPAA Privacy Rule, we need to protect 3 main types of information:
- Past, Present, and Future Conditions
- Type of Care the patient is receiving or has received
- Past, Present, and Future Payment Information and Method
For example, if a Physical Therapy Clinic hires you to make an online patient portal, you need to take every precaution to protect patient information; you may also not disclose that information to anyone who isn’t privy to it, including service providers, unless a BAA is in place. If you fail in either case, you could be in violation of the act and face up to $50,000 in fines.
Note that these are pretty broad types. As a rule of thumb, perhaps it’s best to consider most patient information PHI. Consult a trusted healthcare professional if you’re unsure.
How do we Make Sure we Properly Handle ePHI?
There are a lot of ways to ensure ePHI is secured, but it boils down to 3 themes:
- Is the data properly encrypted?
- Is the data only accessible to those who are allowed to access it?
- Can the data be easily destroyed?
As you plan out a site that handles ePHI, you need to ask yourself these questions. For example, you should always use SSL when creating a site like this (specifically a paid SSL Certificate). If a patient fills out a form, how is that form processed? Is the information emailed to someone? If so, it may not be easy to destroy it. How are your servers protected to ensure only authorized parties have access to ePHI?
There are a lot of ways you can secure your information in preparation for handling ePHI. These 5 ways are a good start:
- Buy an SSL Certificate that offers good liability protection on top of an encrypted connection
- Make sure you work with a hosting provider that’s also HIPAA Compliant
- Offer encrypted, secure, off-site backups to ensure there’s no data loss
- Keep track of those backups so that if data needs to be destroyed, it can be done so easily and in all instances
- Add proper user management and access controls (via a username, password, and user roles) to all ePHI to ensure only authorized parties are accessing it
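The three questions above (encryption, access control, destruction) and the backup-tracking and user-role items in this list can be tied together in code. The following is an added example, not code from this article or from any project it mentions: a small in-memory ePHI store that encrypts each patient’s records under a per-patient key, enforces deny-by-default role checks over the three PHI types named earlier, logs every access attempt, and keeps a registry of backup copies so that destroying a patient’s key (“crypto-shredding”) makes every copy unreadable at once. The roles, policy, patient ids and backup locations are constructed for the example; the cipher is a stdlib HMAC keystream stand-in so the block runs offline, and production code should use AES-GCM from a vetted library instead.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# The three PHI types the article lists: conditions, care received, payment.
PHI_CATEGORIES = ("condition", "care", "payment")

# Hypothetical role policy, constructed for this example. A real clinic
# defines this with its compliance officer; the point is deny-by-default.
POLICY = {
    "clinician": {"condition", "care"},
    "billing": {"payment"},
    "admin": set(),  # runs the system, never reads PHI
}


def can_access(role: str, category: str) -> bool:
    """Unknown roles and unknown categories get nothing."""
    return category in POLICY.get(role, set())


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 keystream in counter mode XORed over data.
    Dependency-free so the example runs anywhere; not a substitute for AES-GCM."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class PhiStore:
    records: dict = field(default_factory=dict)  # (patient, category) -> (nonce, ciphertext)
    keys: dict = field(default_factory=dict)     # patient -> per-patient data key
    backups: dict = field(default_factory=dict)  # patient -> backup locations holding copies
    audit: list = field(default_factory=list)    # (user, role, patient, category, outcome)

    def write(self, patient: str, category: str, value: str) -> None:
        if category not in PHI_CATEGORIES:
            raise ValueError(f"unknown PHI category {category!r}")
        key = self.keys.setdefault(patient, os.urandom(32))  # one key per patient
        nonce = os.urandom(12)
        self.records[(patient, category)] = (nonce, _keystream_xor(key, nonce, value.encode()))

    def read(self, user: str, role: str, patient: str, category: str) -> str:
        allowed = can_access(role, category)
        # Every attempt is logged, denied ones included: that is the audit trail
        # a compliance review will ask for.
        self.audit.append((user, role, patient, category, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{role} may not read {category} for {patient}")
        if patient not in self.keys:
            raise KeyError(f"no key for {patient}: destroyed or never stored")
        nonce, ciphertext = self.records[(patient, category)]
        return _keystream_xor(self.keys[patient], nonce, ciphertext).decode()

    def register_backup(self, patient: str, location: str) -> None:
        """Track where encrypted copies live so destruction can cover all of them."""
        self.backups.setdefault(patient, []).append(location)

    def destroy(self, patient: str) -> list:
        """Crypto-shred: dropping the key makes every copy unreadable, including
        backups that cannot be reached right now. Returns the tracked locations."""
        self.keys.pop(patient, None)
        for category in PHI_CATEGORIES:
            self.records.pop((patient, category), None)
        locations = self.backups.pop(patient, [])
        self.audit.append(("system", "admin", patient, "*", f"destroyed; {len(locations)} backup copies tracked"))
        return locations
```

A test form or patient portal built this way answers the three questions directly: data is never stored in the clear, reads go through one policy check that defaults to “no”, and a single key deletion covers the live record and every backup in the registry. In a real deployment the per-patient keys would themselves sit in a key management service rather than in process memory.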
Work Closely with Your Client!
If you are hired to create a site that includes ePHI, work closely with your client to make sure all precautions are taken on your end to protect that patient information. Ask yourself the 3 questions above, and test your application every step of the way with fake data to make sure your application is airtight!
- HIPAA Entry on Wikipedia
- HIPAA Summary on HHS.gov
- What Exactly is ePHI?
- Is Your Solution HIPAA Compliant?
Thanks to my wife, Erin, Cal K, Patrick Rauland, Dre Armeda, and everyone else who reviewed this article for me!