
HIPAA Security Basics: Keeping your Medical Web-Based Business Compliant

By: Shobha Lizaso

Medical web-based businesses have been on the rise, and the number of HIPAA enforcement actions by the US Department of Health and Human Services (HHS) has risen sharply as well. Since the beginning of this year, HHS has announced several large settlements with companies that failed to meet HIPAA compliance requirements. For example, in January, HHS announced a $2.2 million settlement with a health insurance company after a breach that resulted from a stolen portable USB device containing PHI. In February, HHS announced a penalty of $3.2 million against a medical center for a breach that arose from the theft of an unencrypted laptop containing PHI. This level of enforcement is becoming the norm, so it is best to ensure that your medical website is legally compliant.

If you are handling any PHI on or through your website, you must ensure that your website is up to speed with HIPAA compliance. Here are some recommendations to address the security and privacy of PHI that your website may manage (please note that this is not a comprehensive list):

  • Unique User Identification: each user should have a unique User ID so that every action on PHI can be traced to an individual.
  • Automatic Logoff: implement electronic safeguards that terminate an online session after a period of inactivity.
  • Authorization: the PHI should only be accessible by authorized personnel.
  • Storage: PHI must be encrypted when it is stored or archived.
  • File Transfer Protocol: Don’t use File Transfer Protocol (FTP) to transfer patient data (FTP sends credentials and file contents in cleartext).
  • Remote access: When accessing data from remote locations for telecommuting, use a Virtual Private Network because it creates a temporary encrypted connection that only exists during the period of use.
  • SSL encryption: In order to safely transmit information online, an SSL (Secure Sockets Layer) certificate enables encryption of sensitive data in transit, including financial and healthcare data.
  • Data must be sent through a secure network: HIPAA-protected information should never be sent through an unencrypted network to an insecure email account. If you want to receive this data by email, it must be encrypted from sender to recipient. Another option would be to store the information on your HIPAA-compliant server, and set up email alerts any time new data is submitted by a user on your website. Users would instead log into your server account to retrieve the information.
  • Privacy Policy: Your privacy policy must be regularly updated to keep up with any changes in the law or in your practice’s privacy practices in order to maintain HIPAA compliance.
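As an added illustration (not code from the article), the Python snippet below is a minimal in-memory session store that implements the first three safeguards listed above: every action is attributed to a unique User ID in an audit trail, a session is terminated after a period of inactivity, and PHI is only returned to an authorized role. The 15-minute timeout, the "clinician" role and the user and record identifiers are assumed values for the example; timestamps are integer epoch seconds so the logic can be exercised offline.

```python
"""Session handling that enforces unique user IDs, automatic logoff and authorization."""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; set it from your own risk analysis


@dataclass
class Session:
    user_id: str            # the unique User ID every action is attributed to
    roles: FrozenSet[str]   # roles granted at login, checked before any PHI access
    last_activity: int      # epoch seconds of the last authenticated request


class SessionManager:
    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS) -> None:
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[str] = []   # one line per login, access, denial or logoff

    def _audit(self, now: int, user_id: str, event: str) -> None:
        self.audit_log.append(f"t={now} user={user_id} event={event}")

    def login(self, user_id: str, roles: FrozenSet[str], now: int) -> str:
        token = secrets.token_urlsafe(32)   # unguessable session handle, never the user ID itself
        self._sessions[token] = Session(user_id, frozenset(roles), now)
        self._audit(now, user_id, "login")
        return token

    def access_phi(self, token: str, record_id: str, now: int) -> Tuple[bool, str]:
        """Return (allowed, reason); an idle session is terminated before any other check."""
        session = self._sessions.get(token)
        if session is None:
            return False, "no session"
        if now - session.last_activity > self.idle_timeout:
            del self._sessions[token]               # automatic logoff after inactivity
            self._audit(now, session.user_id, "auto_logoff")
            return False, "session expired"
        if "clinician" not in session.roles:        # authorization: only permitted roles see PHI
            self._audit(now, session.user_id, f"denied record={record_id}")
            return False, "not authorized"
        session.last_activity = now                 # activity resets the idle clock
        self._audit(now, session.user_id, f"read record={record_id}")
        return True, "ok"


def demo() -> List[str]:
    """Constructed walk-through: a clinician reads a record, idles past the timeout, is logged off."""
    mgr = SessionManager(idle_timeout=900)
    tok = mgr.login("u-1001", frozenset({"clinician"}), now=1000)
    mgr.access_phi(tok, "rec-42", now=1300)   # allowed, within 15 minutes
    mgr.access_phi(tok, "rec-42", now=2300)   # 1000 s idle: session terminated
    return mgr.audit_log


if __name__ == "__main__":
    print("\n".join(demo()))
```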