Websites – is your data secure?


By Aris Medical Solutions


Many healthcare providers have websites, because in today’s digital age nearly everyone searches for goods and services before making a decision, and that includes healthcare. However, healthcare providers must ensure their websites are HIPAA compliant if any patient data is transferred or accepted through them.

Many vendors are targeting healthcare with promises of ease of use, added patient interactions, and the ability to gain more patients. Before you agree to accept patient information through your website, you must ensure the vendor or service you are going to use actually understands HIPAA and the requirements.

Here are some issues to consider:

  1. Do patients complete forms on your website? If yes, your website must be secured by using encryption during transmission. This also applies if you offer appointment scheduling through your website. If your site address starts with “https”, the data is transmitted securely. However, your site may require updates to ensure the encryption is up to date. If you have a “contact us” page from which visitors can email you and your site is not encrypted, you should post a message advising them not to send any personal information.
  2. Who has access to your website? If you work with a third party, they too must be HIPAA compliant and understand how to protect your website. If possible, add two-step authentication to prevent unauthorized access. Make sure you have administrative access to your site as well.
  3. Do you know how and where your data is stored? You must use a company that understands HIPAA and security if your website accepts or stores any patient data. If your site is not set up properly, Google can actually index your intake forms. If your web hosting company shares your web server with other clients, this too must be reviewed. Keep in mind that if your data (including your backups) is encrypted, it would not be a reportable breach, but you still must have a HIPAA compliant business associate agreement in place.
  4. Do you have a recent backup of your website? This may sound crazy because it’s “in the cloud”. Keep in mind that “the cloud” is just a term meaning the data is NOT at your physical location. It is located on a server somewhere on someone else’s physical site.
  5. Do you know how to properly destroy old data? Whether the data is stored on a web server, an old external hard drive, or a computer, all data must be removed in a HIPAA compliant manner. This could be physical destruction or sanitization so that the data cannot be retrieved. Don’t forget to document this process!
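As an added example (not from Aris Medical Solutions), here is a small Python check covering items 1 and 3 above: given the URL a form page finally resolves to, its response headers, and the negotiated TLS version, it reports whether the form is served over HTTPS with up-to-date encryption and whether it is marked so that search engines will not index it. The URLs, headers and TLS versions below are constructed samples, and the check only looks at the `X-Robots-Tag` header, not at an HTML `<meta name="robots">` tag.

```python
"""Added example: assess a patient-facing form page against the checklist.

Nothing is fetched from the network; the caller passes in what a browser
or scanner observed, so the constructed samples below run offline.
"""
from urllib.parse import urlparse

# TLS 1.0 and 1.1 are deprecated; anything older than 1.2 counts as out of date.
CURRENT_TLS = {"TLSv1.2", "TLSv1.3"}


def check_form_page(final_url, headers, tls_version, accepts_patient_data=True):
    """Return a list of findings for one page; an empty list means no issue found.

    final_url            -- URL the browser ended up on after redirects
    headers              -- response headers (names compared case-insensitively)
    tls_version          -- protocol version negotiated for the response, or None
    accepts_patient_data -- True for intake, scheduling and contact forms
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    # Item 1: data entered into the form must be encrypted in transit.
    if urlparse(final_url).scheme != "https":
        findings.append("form is served over plain HTTP; data is not encrypted in transit")
    elif tls_version not in CURRENT_TLS:
        findings.append(f"encryption is out of date (negotiated {tls_version})")

    # HSTS makes browsers keep using HTTPS on later visits to the site.
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security header")

    # Item 3: pages that accept patient data should not be indexable by Google.
    if accepts_patient_data and "noindex" not in h.get("x-robots-tag", "").lower():
        findings.append("page accepting patient data is not marked noindex")

    return findings


# Constructed samples: a correctly configured intake form and a misconfigured one.
SAMPLE_PAGES = {
    "intake_ok": ("https://clinic.example/intake",
                  {"Strict-Transport-Security": "max-age=31536000",
                   "X-Robots-Tag": "noindex, nofollow"}, "TLSv1.3"),
    "intake_bad": ("http://clinic.example/intake", {}, None),
    "intake_old_tls": ("https://clinic.example/intake",
                       {"X-Robots-Tag": "noindex"}, "TLSv1.0"),
}

if __name__ == "__main__":
    for name, (url, hdrs, tls) in SAMPLE_PAGES.items():
        print(name, check_form_page(url, hdrs, tls) or ["no findings"])
```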


Websites are a necessity today. If you decide to add features like online forms and/or patient scheduling, only do so if they are properly set up and secured.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Practice, call 877.659.2467 or contact us.

“Protecting Organizations through Partnership, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
