Is Your Medical Website HIPAA Compliant?

TL;DR 99% chance the answer is no.

Colby Walker

When people talk about HIPAA compliant websites they usually refer to the technical or the physical safeguards. In order for a medical website to be fully HIPAA compliant it needs to fulfill the requirements of Administrative, Physical, and Technical safeguards.

Planet HIPAA did a “for fun” audit of 18 medical websites based on one component of a HIPAA compliant website. This component is the easiest to implement, yet 100% of the websites were found to be non-compliant. All medical practices are required to post a Notice of Privacy Practices (NPP) on their website, which includes a standalone NPP page and a link to that page in a menu.

Missing Notice of Privacy Practices on the website is a symptom of a larger website non-compliance problem.

HIPAA Privacy Rule

The HIPAA Privacy Rule requires all Protected Health Information (PHI) remain confidential. The rule covers the protection, use, and disclosure of all health information, whether it is written, verbal, or electronic.

All persons and entities who handle PHI, including Covered Entities (CE) and their Business Associates (BA), must follow the rule and be in compliance. The rule is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Minimum Necessary

The primary principle of the Privacy Rule is to share PHI with the minimum number of people and entities. Those who require access should be granted access to the patient data needed to complete their job; however, there should be written policies limiting each role’s access.

HIPAA Security Rule

The HIPAA Security Rule governs the privacy of PHI stored, transmitted, or processed electronically. The security rule was updated in 2013 by the Omnibus Final Rule and requires CEs and BAs to identify risks, manage them, and maintain security.

CIA
Confidentiality, Integrity, and Availability

The primary principle of the Security Rule is to safeguard Electronic Protected Health Information (ePHI) through Confidentiality, Integrity, and Availability (CIA).

CIA is achieved by breaking down the security rule into Administrative, Physical, and Technical Safeguards. These safeguards are further divided into Standards and Implementation specifications. The implementation of specifications is either Required or Addressable.

Addressable Specifications are NOT optional or voluntary. The CE and BA must document and explain the chosen procedure used to satisfy the specification.

Administrative Safeguards

The Administrative Safeguards are designed to create a “culture of compliance.” They are the written documentation of policies and procedures that govern the safety of PHI in all forms.

Physical Safeguards

HIPAA requires electronic medical records. The Physical Safeguard governs the security precautions, use, and destruction of devices and hardware used to access, store, and process ePHI.

Technical Safeguards

Technical Safeguards govern the rules and implementation that protect the access and readability of ePHI. These rules include encryption, passwords, and other electronic security methods and tools.

HIPAA Administrative Safeguards

The first requirement of the security rule is Risk Analysis. This is, in many respects, the most important requirement. A Risk Analysis identifies vulnerabilities and compliance gaps in the Physical and Technical infrastructure of an organization (CEs and BAs). A remediation report guides the organization on the details to institute compliance and satisfies all the requirements of the Security Rule.

The government advises organizations that “a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of experienced outside professionals.” This means that all organizations should consider hiring an independent Health IT security specialist to verify the CIA of their infrastructure and execute an implementation guide.

Business Associates Agreement

The HIPAA Omnibus Final Rule requires CEs to execute a Business Associates Agreement (BAA) with all third parties who handle PHI in any form.

In April 2017, The Center for Children’s Digestive Health (CCDH) settled their potential violations with OCR. They were fined $31,000 for failure to execute a timely BAA with their fax provider, FileFax, Inc. CCDH began service with FileFax in 2003. Neither party could produce a BAA for the period between 2003 and 2015. The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

The BAA is just one part of the Administrative requirements. Every touch point of the website needs to be considered, along with the current and anticipated use.

For example, the Physical Safeguards chosen and implemented by a CE will direct the allowable use and operation of a CE’s website. The physical components define which elements a website may or may not have based on the Integrity of the system. These determinations must be documented as policy and a procedure must be created for the future date the website will be updated. This mitigates the risk of non-compliance.

HIPAA Physical Safeguards

The Physical Safeguards are the tangible components of a website. Even if they can not physically be touched by the CE, there is a person somewhere that can. In most cases, this is the website and email hosting provider(s).

It is the physical components that are susceptible to cyber attacks. Protecting the Integrity of the physical components ensures the Confidentiality of the information stored, processed, and transmitted.

Common cyber attacks or threats against a website are Malware, Phishing scams, and Eavesdropping. A website resides within the physical technology, just as a document file resides within a computer or network. Both the physical components and the technical components (the “website documents”) need technical safeguards to protect against these types of threats, as well as against less common cyber attacks.

“FBI statistics put bank robbery in the U.S. as a $40-million-a-year problem. Ransomware criminals make over $200 million per quarter,” Clark Davis, Health IT Security Expert.

Malware

Software designed to change the functions of a web server, computer, tablet, or mobile phone to gain access to a system and its private information. The most alarming Malware for small businesses is Ransomware.

Phishing

Phishing scams happen through email. In most cases, the potential hacker sends out thousands of emails seeking the “fish” that takes the link bait. These emails often seem to come from reputable companies. Clicking the link and/or completing the next action gives the hacker access to the information they seek.

Eavesdropping

Unencrypted information shared or transmitted over the Internet can easily be intercepted by an eavesdropping hacker. Once the plain text has been captured, the hacker can read it or alter it before sending it on to its destination.

Who Would Hack Me?

About 13,000,000 American small businesses were the victims of a data breach and do not even know it. Small businesses are a ripe target for nefarious and defacing hackers. Few small businesses take the proper precautions to protect their website, which could lead to major breaches or business defamation.

Several small businesses consider their websites to be a “brochure” website and do not consider the ramifications of a website breach. For medical and dental practices this oversight could lead to massive OCR fines.

In April 2017, Metro Community Provider Network (MCPN) was fined $400,000 to settle an email breach. A hacker gained access to 3,200 individuals’ ePHI through a phishing scam. The incident investigation revealed MCPN failed to conduct a timely risk analysis. Failure to assess and mitigate risk resulted in a high fine. The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

HIPAA Technical Safeguards

Technical Safeguards cover the Availability of ePHI by ensuring the Confidentiality and Integrity of the technical systems, and they enforce the Minimum Necessary principle.

The requirements and penalties on Technical Safeguards significantly changed in 2009 with the addition of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HITECH is often considered to be a part of the Patient Protection and Affordable Care Act (PPACA) or “Obamacare.” It was actually a part of the American Recovery and Reinvestment Act (ARRA). Therefore, it is important to note that as the government decides the future of the PPACA, HITECH will not be affected.

HITECH

  • Increased civil penalties
  • Strengthened breach notification requirements
  • Business Associates are treated the same as Covered Entities, which gives the federal government direct authority over the BA
  • Extended civil enforcement authority to each state’s attorney general
  • Exempted breach notifications for encrypted data

HITECH further encouraged the encryption of stored, processed, and transmitted data by exempting it from required breach notifications. Encryption prevents an unauthorized user from reading or altering ePHI.

Fines for failure to comply, even in circumstances where it was not known there is non-compliance, were increased from $100 per violation up to $25,000 per violation. Flagrant violations could result in fines in excess of $1.5 million dollars.

Login Authentication

HIPAA relies on The National Institute of Standards and Technology (NIST) to set standards, controls, and best practices.

NIST recommends Security Tokens or Two-Factor Authentication (2FA) for all logins pertaining to an organization. The public may be familiar with 2FA through their personal accounts like online banking, Facebook, or personal email.

As 2FA has become more common, the usual implementation has relied on SMS or text messaging. However, in the summer of 2016, NIST recommended the deprecation, or phasing out, of this method. SMS is not encrypted and is therefore an insecure authentication method.

Encryption

The only way to encrypt a website is the use of an SSL Certificate. The Secure Sockets Layer (SSL) technology is considered outdated and replaced by Transport Layer Security (TLS), however, it is still commonly referred to as an SSL Certificate.

The purchase and installation of an SSL certificate is the first step in encrypting a website. Additional security protocols are required to properly protect a website. An experienced professional should install the SSL Certificate to ensure the complete strength of the encryption.

What secured websites look like in the Edge, Chrome, and Firefox web browsers.

Improperly installed SSL Certificates do not show a closed lock. In Chrome and Firefox, the website address also shows the HTTPS (Hyper Text Transfer Protocol Secure) portion of the website address. Unsecured websites are HTTP (Hyper Text Transfer Protocol), which transmit all data in plain, unprotected text.

Auditing

HIPAA Technical Safeguards also require the implementation of hardware, software, and/or procedural mechanisms that record and examine activity in systems that contain or use ePHI.

This safeguard ensures access has only been given to those authorized to access ePHI. These types of logs allow an organization to review the functions executed and accessed by the user. This can be helpful in the case of a hacking event that is not perceived on the surface.
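The review the paragraph describes, as an added example that is not part of the article: a small audit-log check that applies a Minimum Necessary role policy to ePHI access records and flags actions a role is not permitted to perform, plus access outside working hours. The log format, the role-to-action table, and the working-hours window are all constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (not from the article): one ePHI access event per row.
SAMPLE_LOG = """\
timestamp,user,role,action,record
2017-04-03T09:02:11,jdoe,nurse,view_chart,P-1001
2017-04-03T09:05:40,jdoe,nurse,view_chart,P-1002
2017-04-03T09:07:02,mlee,billing,view_billing,P-1001
2017-04-03T09:09:55,mlee,billing,view_chart,P-1001
2017-04-03T02:14:30,svc_backup,service,export_all,ALL
2017-04-03T10:01:00,webadmin,webmaster,view_chart,P-1003
"""

# Hypothetical Minimum Necessary policy: the actions each role needs for its job.
ROLE_PERMISSIONS = {
    "nurse": {"view_chart", "update_chart"},
    "billing": {"view_billing"},
    "service": {"export_all"},
    "webmaster": set(),  # the website administrator has no business need for ePHI
}

def review_audit_log(log_text, permissions=ROLE_PERMISSIONS, workday=(7, 19)):
    """Return (user, finding, detail) tuples for events that a reviewer should examine."""
    findings = []
    records_per_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        allowed = permissions.get(row["role"], set())  # unknown role -> nothing allowed
        if row["action"] not in allowed:
            findings.append((row["user"], "action_not_permitted_for_role", row["action"]))
        hour = int(row["timestamp"][11:13])  # ISO-8601 timestamp: hour is at offset 11
        if not workday[0] <= hour < workday[1]:
            findings.append((row["user"], "after_hours_access", row["timestamp"]))
        records_per_user[row["user"]].add(row["record"])
    return findings

def users_touching_many_records(log_text, threshold=2):
    """Users who touched at least `threshold` distinct records: candidates for a closer look."""
    counts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        counts[row["user"]].add(row["record"])
    return sorted(u for u, recs in counts.items() if len(recs) >= threshold)

if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(finding)
```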

Potential HIPAA fines are not the only reason to protect your website. Implementing Internet Protocol Security helps to limit the human factor.

3/5 of Cyber attacks are on Small Businesses

Small businesses believe they are immune to cyber attack because they do not have information worth stealing on their website. This is known as the “it won’t happen to me,” syndrome.

Security protects the organization when “Bob” hires a company in China to do his job or when a hacker surfaces after months of lurking to ruin a press push.

State and Other Regulating Factors

In addition to HIPAA, there might be other federal, state, and industry regulations that require compliance.

All but a few U.S. states and territories have laws that govern health care. The laws vary in regards to data, breach notifications, and privacy standards, and some require compliance even without physical presence in the state itself.

For instance, California has laws about protecting and encrypting numbers that can be identified with a person. This includes social security, driver’s license, state ID, and insurance policy numbers. Credit card information is also protected in California.

The credit card industry also has standards, known as Payment Card Industry (PCI) standards. If an organization accepts any form of credit card, whether online or in person, it must comply with the PCI Data Security Standard (PCI DSS). Failure to comply could cost the business upwards of $100,000 per month and revocation of its right to accept credit cards.

These factors need to be considered during the Risk Analysis.

About Prosper

We help small businesses turn their stories into customers.

Master Your Why: Complimentary 5 Day Email Course

You started your business for a purpose. When you understand what motivates you, then you will be able to resolve issues and questions about your business.

Master Your Why to start turning your story into customers.

When you MASTER your purpose — YOUR WHY — solving problems and answering questions will become easier. Your reason for starting your business matters and affects all aspects of your business. Without UNDERSTANDING your why — you will never find the success or freedom you sought at the beginning.

Colby Walker

Creator of text & images. Sometimes they go together in movement. “For what it’s worth: it’s never too late to be whoever you want to be” F. Scott Fitzgerald