Codal Logo

    Designing Your Website for HIPAA Compliance

    If you're in the healthcare sector—or if your eCommerce site handles protected health information (PHI)—chances are you've heard of the , more commonly referred to as HIPAA.

    alt
    If you're in the healthcare sector—or if your eCommerce site handles protected health information (PHI)—chances are you've heard of the , more commonly referred to as HIPAA.
    Though it was passed in 1996, long before the ubiquity of the internet and the advent of the smartphone, HIPAA still dictates the functions, features, and protections that UX designers and developers have to include when crafting .
    As a with years of experience crafting , Codal is more than familiar with HIPAA regulations, and the best way to adhere to them without sacrificing the user's overall experience.

    WHAT IS HIPAA COMPLIANCE?

    Regulated by the (HHS), HIPAA was designed to help protect the medical information of individuals. HIPAA outlines key data privacy and security provisions that must be adhered to. The act itself contains five titles, with Title II being the most relevant to IT organizations. It requires organizations to provide safe and secure methods of accessing patient electronic health data, following strict privacy regulations set by the HHS.
    Organizations violate HIPAA when they:
    Release patient health data without authorization, or
    Do not maintain provisions required to protect health information.
    HIPAA violations occur when organizations fail to safeguard PHI adequately in the eyes of the law. Though violations can be , they are pretty common. Frequently, organizations fail to properly encrypt patient data, or store it in a secure location. A lack of sufficient employee training often leads to improper disclosure of protected PHI, be it through casual conversations outside of work, or .
    Organizations need to achieve and maintain compliance by conducting regular risk assessments to understand how vulnerable PHI is. Continuously identifying vulnerabilities ensures organizations can effectively implement safeguards to protect PHI in a timely fashion. Organizations that do not conduct these assessments regularly risk having these vulnerabilities exploited and face heavy fines and penalties as a result.
    Any business or organization that interacts with PHI needs to be HIPAA compliant. Additionally, all other businesses, subcontractors, and third-party vendors that provide services to compliant organizations—and as a result, interact with PHI—must also maintain compliance. That means that IT providers must ensure their systems comply with the standards set forth with HIPAA.
    Image

    HOW TO ENSURE YOUR WEBSITE IS HIPAA COMPLIANT

    If you’re an IT service provider—or a healthcare organization that maintains its own web presence—there are some key requirements you will need to meet to ensure your website is HIPAA-compliant. Here are some key design practices to implement to ensure compliance.
    If you're an IT service provider—or a healthcare organization that maintains its own web presence—there are some key requirements you will need to meet to ensure your website is HIPAA compliant. Here are some key design practices to implement to ensure compliance.

    SSL ENCRYPTION

    SSL—or "secure sockets layer"—is a networking protocol that ensures a safe connection between a client and server by requiring authentication from both. This communication between client and server is encrypted by a dual key system, meaning SSL is a secure enough protocol to be used for the trafficking of highly sensitive information (like a patient's PHI).
    When a healthcare organization hires Codal's UX services, we advise protecting the entire website with the SSL protocol, rather than implementing it solely on certain pages. You can generally tell if a page is using an SSL connection if it begins with "https" rather than the standard "http".
    This practice allows some flexibility with the architecture and organization of the site-if the webmaster wishes to change the sitemap, they can easily do so without worrying about disrupting security or re-encrypting pages. If time permits, encrypting the entire site with SSL can save valuable time and resources in the long term.
    SSL encryption is regularly utilized for websites of all kinds, but HIPAA requires it for sites that handle personal medical information. It is the necessary foundation of a secure, stable medical platform.

    DATA PROTECTION, BACKUP, AND DELETION

    While the SSL protocol protects the client and server through encryption and authentication, the data passing through the secure connection should be encrypted for additional security. Fully encrypting data still safeguards your users' PHI, even if the data is intercepted.
    To add another layer of security, HIPAA also requires platforms to generate and store backups of all essential health information. In healthcare web design, a secure database is paramount. In many practical applications, this can mean leveraging an external database.
    The last major functionality that must be implemented in all HIPAA-compliant platforms is a permanent data deletion mechanism. HIPAA states that any PHI that is no longer relevant to the organization—say, a customer leaving their healthcare provider—must be permanently wiped from the servers and database.

    SECURITY TESTING

    To be truly HIPAA compliant, your website and its infrastructure must pass stringent, and regular, testing protocols. This validation and testing confirms your platform's adherence to all HIPAA standards and regulations and should be performed by the site's IT or development firm.
    These tests can help diagnose vulnerable areas in the site's security, as well as identify pain points and flaws in the user experience. These tests extend not just to the site owners, but also the site and server hosts as well.
    Under HIPAA's protocols, any security issues that may arise must be resolved within 48 hours. It's crucial to review the troubleshooting processes of IT teams maintaining the site, to ensure this deadline can be met efficiently.

    CONTINGENCY PLANNING

    If your site does experience a data breach, you need to be prepared. Even the most secure websites can be compromised, and your organization must be ready to act should a breach occur. Devising and outlining protocols for data breaches will help you quickly "stop the bleeding" by locating the source of the breach and neutralizing it. Additionally, a contingency plan can help guide your organization's efforts to notify patients and other relevant parties if and when their data was accessed during a breach and what your organization is doing to solve any subsequent challenges.
    By implementing HIPAA-compliant security and data protection measures, your organization is striving to prevent serious data breaches. By creating detailed contingency plans, your organization is ensuring that it is prepared to act in the most precarious circumstances.

    WHO SHOULD BE RESPONSIBLE FOR MAINTAINING YOUR WEBSITE’S COMPLIANCE?

    Being HIPAA-compliant is not a “one and done” scenario. While your website may implement all the necessary security and data protection measures to achieve compliance, maintaining them is another story.
    The law requires that any organization that handles PHI must have a party designated as HIPAA compliance officer. In many companies, this is a single employee, and they are often hired specifically for the role. In others, the responsibilities associated with maintaining compliance are placed on existing departments, like legal.
    However, many organizations do not have the resources or budget to staff a compliance officer internally. And tacking on the duties associated with maintaining compliance to an existing role or department with a heavy workload is not ideal.
    As a result, many organizations elect to outsource the job of maintaining HIPAA compliance. This provides a whole host of benefits. It allows organizations to easily tap into a wealth of knowledge and information from a third party that focuses exclusively on the intricacies of HIPAA law. It also prevents organizations from having to hire and train compliance offers and eliminates the risks associated with employee turnover.
    HIPAA regulations are constantly changing and evolving and, as a result, compliance regulations are something of a moving target. Third-party compliance teams stay on top of all changes because it’s their job to do so. By contracting with an outside compliance team, you are getting the expertise required to stay compliant with regulations that can change with short notice.
    Larger organizations often prefer to keep a HIPAA compliance officer—or two—on their payroll. However, outsourcing the responsibilities can save organizations time and money—and provides the peace of mind that comes from knowing their compliance officer is well-versed in HIPAA regulations.

    WHO SHOULD BE RESPONSIBLE FOR MAINTAINING YOUR WEBSITE'S COMPLIANCE?

    Being HIPAA compliant is not a "one and done" scenario. While your website may implement all the necessary security and data protection measures to achieve compliance, maintaining them is another story.
    The law requires that any organization that handles PHI must have a party designated as a HIPAA compliance officer. In many companies, this is a single employee, and they are often hired specifically for the role. In others, the responsibilities associated with maintaining compliance are placed on existing departments, like legal.
    However, many organizations do not have the resources or budget to staff a compliance officer internally. And tacking on the duties associated with maintaining compliance to an existing role or department with a heavy workload is not ideal.
    As a result, many organizations elect to outsource the job of maintaining HIPAA compliance. This provides a whole host of benefits. It allows organizations to easily tap into a wealth of knowledge and information from a third party that focuses exclusively on the intricacies of HIPAA law. It also prevents organizations from having to hire and train compliance offers and eliminates the risks associated with employee turnover.
    HIPAA regulations are constantly changing and evolving and, as a result, compliance regulations are something of a moving target. Third-party compliance teams stay on top of all changes because it's their job to do so. By contracting with an outside compliance team, you are getting the expertise required to stay compliant with regulations that can change with short notice.
    Larger organizations often prefer to keep a HIPAA compliance officer—or two—on their payroll. However, outsourcing the responsibilities can save organizations time and money, and provides the peace of mind that comes from knowing their compliance officer is well-versed in HIPAA regulations.

    STAYING AHEAD OF THE CURVE

    The major industry practices outlined in this post are the same ones Codal implements for all of its clients , but it's still only the tip of the iceberg. It's easy to overlook small details, like actually publishing your adherence to HIPAA on your eCommerce site, or instituting regular password changes for its users.
    That's why it's crucial to hire a UX design and development company that understands the ins and outs of HIPAA, addressing both the nuances of the law and the broader development strategy.
    While the primary reason for adhering to HIPAA regulations is obvious, it's also beneficial to the user experience of healthcare eCommerce sites. Often sites that don't fall under the jurisdiction of HIPAA will still comply with the law, if only because it's good practice.
    If you're interested in how Codal can implement make sure your eCommerce platform is Hor improve your web presence, . With over a decade of industry experience, we're award-winning experts when it comes to UX design and development in the healthcare space.

    Written by Chris Powers

    2021-03-29