If your company deals in healthcare and stores information about a person’s health, there’s a good chance you’ll have to abide by HIPAA. What is HIPAA, and how do you stay in compliance? Let’s look at how HIPAA affects your website.
The Health Insurance Portability and Accountability Act of 1996 protects patients’ data. It mandates an industry-wide standard for healthcare information regarding billing processes, and also “requires protection and confidential handling of protected health information,” according to the California Department of Healthcare Services.
The HIPAA Privacy Rule, according to the Department of Health and Human Services, protects “individually identifiable health information” held or transmitted by a covered entity or its business associate, “in any form or media, whether electronic, paper, or oral.” In short, if you hold on to any kind of information related to a patient’s health that could identify them, it falls under HIPAA protection.
For example, a healthcare marketing agency requires its call tracking to be fully HIPAA-compliant, but can still integrate that call tracking with Google AdWords and Analytics. Pulling the data for AdWords, Analytics, and client reports could, in theory, expose a patient’s information, and so it falls under HIPAA.
Does your app or site need to be HIPAA compliant? Maybe. If it, for example, allows a patient to record their weight, and then develop an exercise routine, maintain a daily diet plan and track said plan, or look up reference information, then it probably does not need to be compliant.
However, if your business is a business associate of a healthcare provider, or a provider has contracted your company to create an app and its associated website, then you must comply with HIPAA privacy laws. The HHS provides a few other examples of whether your app or website will need to be compliant, as well.
Consequences for non-compliance can be heavy. As the University of Cincinnati notes, a category 1 violation, one that could not realistically have been avoided and where measures were taken to abide by compliance rules, carries a fine of at least $100 per violation, up to $50,000. Category 2, where the violation could not be avoided but the company should have been aware of it, has the same cap but a fine of at least $1,000 per violation. Category 3, willful neglect but with an attempt to correct it, comes with a minimum fine of $10,000 per violation, up to $50,000. Finally, category 4, willful neglect with no attempt at correction, results in a minimum fine of $50,000 per violation, up to $1.5 million.
There can also be associated jail time, from up to a year for a tier 1 violation, such as one committed without knowledge of the violation, to up to 10 years for a tier 3 violation, obtaining personal information with malicious intent.
You might also need to comply with the General Data Protection Regulation (GDPR), the EU’s privacy law. One of the major takeaways is that you will need to be able to provide a detailed list of all the information your site has collected or stored on a person. There are, of course, plenty of other GDPR rules concerning how data on your site is stored, backed up, and accessed. Be sure to check your compliance.
How do you protect your company and ensure you are in compliance with HIPAA? Most of the advice is, in general, simply good security advice. Duquesne University lists the following as the top HIPAA violations: lost or stolen devices that could be used to store or access confidential data; hacking; employee dishonesty, such as accessing information they are not authorized to access; improper disposal of information; third-party disclosure without determining whether the third party is also in compliance; unauthorized release of patient records; unencrypted data; lack of training; unsecured records; and word of mouth, such as discussing sensitive information outside of a confidential setting.
Again, many of these have simple fixes. Your database of patient information should be encrypted and secured. Employees with access to patient records should use strong, unique passwords, and only employees with an absolute need should be authorized to access the data.
On the client end, use two-step (two-factor) authentication and e-signatures where needed to prevent breaches. Moving from HTTP to HTTPS with a TLS (SSL) certificate protects sensitive health data in transit. Ensure you are using strong encryption.
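The “encrypt the database” and “absolute need” advice above, as an added example that is not part of the original article: a stored patient record is sealed with AES-256-GCM (authenticated encryption, so a tampered row is detected rather than decrypted into garbage), and it can only be opened by a role on a hypothetical allowlist. The role names, the `phiReaders` map and the record contents are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Hypothetical allowlist: only roles with an absolute need may read PHI.
var phiReaders = map[string]bool{"treating_clinician": true, "billing": true}

// newAEAD builds AES-GCM (AES-256 with a 32-byte key); GCM also authenticates.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPHI encrypts a serialised record; the random nonce is prepended to the output.
func SealPHI(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenPHI checks the role before touching the key, then decrypts and verifies the tag.
func OpenPHI(role string, key, sealed []byte) ([]byte, error) {
	if !phiReaders[role] {
		return nil, errors.New("role not authorised to read PHI: " + role)
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil) // fails on any modification of the stored bytes
}
```

In production the 32-byte key comes from a secrets manager or KMS, never from the same database as the records it protects.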
If there is a breach, it’s important to follow the HIPAA Breach Notification Rule and notify the affected individuals. If more than 500 individuals are affected, you must also notify the media and the HHS Secretary.