Health Insurance Portability and Accountability Act Requirements
Doctors and medical professionals are under increasing pressure to draw the right amount of traffic to their websites. This includes making protected health information available to patients through web sites, as well as collecting similar private information from patients or would-be patients.
However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the governing compliance document. And with the omnibus rule in place, all web sites, old and new, must be properly designed, or their owners face potential financial liability running into the millions of dollars.
So, what do these requirements mean, and how can HIPAA be followed in the context of a website?
HIPAA is an unusual law in that it makes many recommendations (addressable items) and a few assertions (required items), but in the end each organization must determine for itself what it needs to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all electronic protected health information (ePHI):
- Transport Encryption: Is always encrypted as it is transmitted over the Internet
- Backup: Is never lost, i.e. should be backed up and can be recovered
- Authorization: Is only accessible by authorized personnel using unique, audited access controls
- Integrity: Is not tampered with or altered
- Storage Encryption: Should be encrypted when it is being stored or archived
- Disposal: Can be permanently disposed of when no longer needed
- Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).