Is your website HIPAA compliant?

Here’s how to find out if your website complies with the privacy law.

In an era when automation, digital transformation, and even machine learning are becoming commonplace in business, many healthcare practices are looking to automate processes, improve the patient experience with digital tools, and ultimately, achieve better outcomes by reducing the risk of human error. After all, the simpler and more efficient your office staff’s workflow can be, the more time they’ll have to address patient needs. It’s really a win-win.

But there’s one huge factor to consider when it comes to digital tools in the healthcare space: compliance with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is probably the first thing on your mind when it comes to the proper management of patient records, but it also extends to your healthcare practice’s digital presence.

Even simple processes, like “request appointment” forms and signups for educational events, can cross into HIPAA violation territory. Whether your website is several years old and in need of an upgrade, or was just launched, the following steps will help you ensure a seamless experience for patients while protecting their data, as well as your practice, from the risk of HIPAA compliance violations.

Tracking your patients’ digital pathway

Although there are small, individual steps you can take to audit your healthcare website for HIPAA compliance, the overarching audit goal is to trace the pathway(s) by which your patients go from finding your services through the completion of their interactions with your practice. Essentially, take the time to unravel the threads of the patient experience and follow them all the way to the end of the process. You may even identify a number of potential paths, and you’ll need to take a deep dive into each one. I’d encourage you to grab a notepad and map out each step so nothing gets overlooked or forgotten during the auditing process.

As you identify the various pathways through which patients make their way to your practice (for instance, chat functions, online forms, “click-to-call” features, event signup forms, etc.), be sure to follow the journey from inquiry to completion. HIPAA’s requirements don’t stop at your website; they also cover what happens to the information once it arrives, including how it is shared internally.

As you’re mapping out these patient journeys, be sure to:

1. Identify any “in-betweens.” Where does data go as it’s being transmitted? I’ll avoid getting overly technical here and jump straight to the point: To uphold HIPAA compliance, even the “in-between” stages of data transmission must be compliant. If you’re collecting data through a secure form but then forwarding the submission to staff over ordinary, unencrypted email before it’s stored in a compliant database, that middle step puts you at risk of a costly HIPAA compliance violation. Every copy counts: the form vendor’s dashboard, notification emails sitting in inboxes, spreadsheet exports, and any third-party script on the page (a chat widget, for example) that can see what a patient types. Make sure you know not just how information is being collected, but every location where it is being stored, as well as how it’s shared.

2. Evaluate data collection tools. Forms are one of the most common sources of HIPAA violations on websites. Anything that collects protected health information (PHI) must be housed in a properly secured environment. Note that having an SSL/TLS certificate (the padlock, or HTTPS) on your website does not by itself satisfy HIPAA’s security requirements, although you absolutely should have one. HTTPS only protects the data while it travels between the patient’s browser and your server; HIPAA also cares about where the data lands, who can access it, whether that access is logged, and whether any third-party form or chat vendor that handles the data has signed a business associate agreement (BAA) with your practice.

3. Talk to your staff. I’ve been helping healthcare organizations generate leads for more than 15 years, and one of the most common HIPAA compliance issues I’ve seen is a breakdown in communication amongst office staff. HIPAA compliance is one part technology and one part process. If you have the technology component down but no processes to support the proper use of those technologies, you may still be vulnerable to HIPAA compliance issues.

In many cases, new policies and procedures are implemented without adequate explanation and training for the people who will be expected to adopt them. This is a bad scenario not only because it can create internal friction, but also because when people don’t understand the importance of a process, they may be less likely to follow it. If folks don’t follow a policy that makes or breaks your HIPAA compliance, your entire practice is at risk.

Early in a HIPAA compliance audit, find out how team members are receiving leads from your website and what they do with that information. If there are holes in the process, fix them, and follow up continuously. Some website platforms make it so easy to create forms that team members can do so with the click of a button. If you aren’t talking regularly about what HIPAA compliance on your website should look like, someone may unintentionally create compliance issues.

4. Trust an expert to fill in the gaps. If you’re part of a larger healthcare organization, you may have an IT team who can help you solve some of these challenges or answer questions that arise during your website audit. If not, you may choose to consult with a HIPAA-compliant marketing firm and/or a cybersecurity/IT firm to ensure your digital presence is both effective and secure. It’s important to note that not all marketing organizations are HIPAA compliant, even those who call themselves healthcare marketing agencies. For this reason, we encourage you to evaluate your website, even if it was built very recently. We’ve seen well-intentioned but non-compliant agencies build beautiful, well-functioning websites loaded with HIPAA compliance infractions. (In many cases, compliance issues may be fairly simple to fix, but you’ll still want to take action as quickly as possible to prevent potential complications.)
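To make steps 1 and 2 concrete, here is a small form-inventory script, added as an example for this article rather than anything from the author or Full Media. It parses the HTML of a page, lists every form and the fields it collects, and flags the transmission paths a practitioner would want to check: submissions that go to a third-party host (ask where the data lands and whether a BAA is in place), submissions by mailto: or over plain HTTP, GET submissions that put field values into URLs and server logs, and field names that suggest PHI. The sample page, the hostnames and the PHI keyword list are constructed for the example and would need tailoring to a real site.

```python
"""Form inventory for a website HIPAA audit (added example, not from the article).

Assumptions: page HTML is fetched separately and passed in as a string;
the practice's own hostname is known. Hostnames and keywords are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments that suggest a form collects protected health information.
# This list is an assumption for the example; extend it for your own forms.
PHI_HINTS = ("dob", "birth", "diagnos", "symptom", "medic", "insurance",
             "ssn", "condition", "patient")


class FormCollector(HTMLParser):
    """Collect each <form> on a page with its action, method and field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name") or a.get("id")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(page_url, html, own_host):
    """Return one finding per form: where it submits and what to check."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A form with no action submits back to the page it is on.
        action = urljoin(page_url, form["action"]) if form["action"] else page_url
        target = urlparse(action)
        issues = []
        if target.scheme == "mailto":
            issues.append("submits via mailto: (PHI travels as ordinary email)")
        elif target.scheme != "https":
            issues.append("submits over non-HTTPS")
        if target.scheme in ("http", "https") and target.hostname and target.hostname != own_host:
            issues.append(f"third-party handler {target.hostname}: confirm a BAA and where the data is stored")
        if form["method"] == "get":
            issues.append("GET submission puts field values in the URL, browser history and server logs")
        phi_fields = [n for n in form["fields"] if any(h in n.lower() for h in PHI_HINTS)]
        if phi_fields:
            issues.append("collects likely PHI: " + ", ".join(phi_fields))
        findings.append({"page": page_url, "action": action, "method": form["method"],
                         "fields": form["fields"], "issues": issues})
    return findings


# Constructed sample page: an appointment form hosted by a third-party form
# builder, a newsletter signup handled on the practice's own server, and a
# "contact us" form that mails its contents to the front desk.
SAMPLE_PAGE_URL = "https://www.example-practice.com/contact"
OWN_HOST = "www.example-practice.com"
SAMPLE_HTML = """
<form action="https://forms.example-vendor.com/submit" method="post">
  <input name="patient_name"> <input name="dob" type="date">
  <textarea name="symptoms"></textarea>
</form>
<form action="/subscribe" method="post">
  <input name="email" type="email">
</form>
<form action="mailto:frontdesk@example-practice.com" method="post" enctype="text/plain">
  <input name="name"> <input name="phone"> <textarea name="symptoms"></textarea>
</form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML, OWN_HOST):
        print(finding["method"].upper(), finding["action"], finding["fields"])
        for issue in finding["issues"]:
            print("   -", issue)
```

Run it against each page of the site (the fetching step is left out so the example stays offline) and add every flagged form to the pathway map from step 1, then follow each one to the inbox, database or vendor dashboard where the data ends up. A clean result from this script is only a starting point; it cannot see what a chat widget or analytics script does with typed values, which you still have to check by hand.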

Kevin West is a founding partner, Executive Vice President, and Chief Technical Officer for Full Media, a Chattanooga, Tenn.-based digital marketing agency specializing in health care. Full Media offers a full spectrum of HIPAA-compliant digital marketing capabilities within the healthcare space, including website design, online advertising, SEO, patient experience optimization, and analytics.