If you have a medical website or software, you need to make sure it's HIPAA compliant. Here, we'll cover what HIPAA requires and how to put together a HIPAA compliance checklist that keeps your medical website or software compliant.

It doesn't matter whether you're a medical practice or a third-party business provider. If you're a covered entity, then your website needs to meet HIPAA requirements.

HIPAA policies are complex and are subject to change based on the whims of the Department of Health and Human Services. Despite the convoluted nature of these rules, an underlying theme runs through every rule: privacy and security.

You’ll need to:

  1. Protect patient health information
  2. Keep data private
  3. Inform any partners of the rules
  4. Limit internal use of patient health information

What does this mean in practice? Follow this HIPAA compliance checklist to keep your website compliant.

How to Become HIPAA Compliant: HIPAA Compliance Checklist

HIPAA compliance requires careful attention to detail. To get started, ensure these four critical elements are part of your website.

1. Encryption

All data in all forms must be encrypted. It must remain encrypted when:

  • Stored
  • Sent
  • Archived

Consider using SSL as a baseline encryption system. SSL is a common form of encryption, and it also meets the HIPAA data security standards.

2. Data Management

A transparent data management process should already be in place with your healthcare management software. The same policy applies to your website.

Storage, transmission, and deletion should all be covered. The regulation lists several proper disposal methods for health information on electronic media including:

  • Clearing
  • Purging
  • Destruction

In most cases, you’ll need to attach a trusted data disposal system to your website to dispose of data according to HIPAA rules.
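The three disposal methods above follow the media sanitization categories of NIST SP 800-88, which HHS guidance references. As an added example (not code from Immersion Security or from the regulation), the routine below implements the first of them, clearing, for a single file: it overwrites every byte with random data, forces the write to disk, checks that no protected health information survives in the file's storage, and only then unlinks the name. The sample record and the `phi_` file prefix are constructed for the demonstration.

```python
import os
import secrets
import tempfile

# Constructed sample record; not real patient data.
SAMPLE_RECORD = b"patient_id=12345;name=Jane Doe;dx=J45.909\n"


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite a file's contents in place with random bytes.

    This is the 'clearing' step: the logical storage of the file is replaced
    and flushed to disk so the old record cannot be read back through the
    file system or by undelete tools. Returns the number of bytes overwritten.

    Caveat: on SSDs and on copy-on-write or journaling file systems the new
    bytes may land on different physical blocks than the originals, so the
    old data can remain on the device. For such media rely on the other two
    methods the regulation lists: purging (device-level sanitize or crypto
    erase) or physical destruction.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())  # make sure the overwrite reaches the disk
    return size


def clear_file(path: str, passes: int = 1) -> int:
    """Clear a file (overwrite, then unlink). Returns bytes overwritten."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo() -> dict:
    """Write the constructed record to a temp file, clear it, and report.

    Reads the file back between the overwrite and the unlink so the caller
    can verify that none of the original record is left in the file.
    """
    fd, path = tempfile.mkstemp(prefix="phi_", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_RECORD)

    overwritten = overwrite_file(path)
    with open(path, "rb") as f:
        residue = f.read()
    phi_left = SAMPLE_RECORD in residue or b"Jane Doe" in residue

    os.remove(path)
    return {
        "bytes_overwritten": overwritten,
        "residue_contains_phi": phi_left,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

A plain `os.remove` only drops the directory entry and leaves the record's bytes on disk until they are reused, which is why the overwrite comes first. Whether this counts as adequate disposal depends on the medium, as the docstring notes; a web application that stores health records on cloud block storage or SSDs should plan for purging or destruction of the underlying volumes rather than rely on per-file overwrites.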

3. HIPAA Privacy Officer

You must have a named HIPAA privacy officer. A HIPAA privacy officer is a person who works with patient health information and keeps the whole organization accountable to HIPAA rules. Your privacy officer is also responsible for staying up to date with the current rules and regulations.

Nominating a HIPAA privacy officer is required for general compliance. You’ll need to list their contact details on the website because as the patient privacy specialist, they’ll also be the contact person for all privacy issues.

4. Display HIPAA Policy

HIPAA rule 45 CFR 164.520 says all patients and customers have the right to be informed of their provider’s privacy practices.

Your organization’s HIPAA policy must be displayed on your website. It should include:

  • How the organization uses protected health information
  • When the organization may disclose the information
  • What rights patients have and how to exercise those rights
  • What the organization is legally required to do with the information
  • Who to contact (HIPAA Privacy Officer) with questions or concerns

Remember to display your policy in clear, concise language that the general public can understand.

Stay Compliant

Remaining compliant with HIPAA regulations is right for your organization and for your patients. Keeping a close eye on sensitive health data is part of caring for patients because it protects patients from damaging disclosures. Additionally, HIPAA violations start at $100 per violation and range up to $50,000 per violation depending on negligence.

For a complete HIPAA compliance checklist for your website, contact Immersion Security today for a customized approach to privacy and security.