HIPAA-Compliant Web Apps, Website & Hosting Guide

Many organisations do not know whether they are required to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

Why HIPAA Compliance Matters

For most the answer is that HIPAA does not apply. HIPAA applies directly to "Covered Entities": health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions such as claims. It also applies to organisations that create, receive, maintain or transmit protected health information on behalf of a Covered Entity, referred to as "Business Associates"; since the 2013 Omnibus Rule, Business Associates are directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule. Even so, most companies in non-regulated industries would derive significant value from the privacy and security processes and procedures that HIPAA mandates. With today's hacking and malware threats, an organisation can never be too careful. The Federal Trade Commission (FTC) has taken action against numerous non-regulated organisations because they failed to take common security precautions, such as keeping their IT systems patched, and could not detect and respond to network intrusions. The typical result of lax cybersecurity is a data breach in which tens of millions of private customer records, including payment card numbers, are stolen.

HIPAA-Compliant Web Apps

In recent years there has been a surge in the number of health apps being developed, and there is no indication that this will slow down anytime soon. Moreover, with the spread of HIPAA-eligible voice assistants such as Alexa, it has become extremely important to understand when an app is subject to HIPAA.
In a recent presentation to the Senate Cybersecurity Caucus, Jennifer Bordenick, CEO of eHealth Initiative & Foundation, stated that there are many myths and misinterpretations of HIPAA. Bordenick states that one of the biggest and most problematic is the common belief that "HIPAA protects all of your healthcare data." In fact, whether HIPAA applies is circumstance specific and differs from case to case. Nevertheless, there are some well-established rules that help developers and providers determine whether an app must comply with HIPAA.

Web App HIPAA Compliance Not Needed

Whether an app must comply is determined by several factors, including the app's purpose, who accesses the data, how data flows through it, and on whose behalf it is offered.
  1. Apps that are for personal use only
    If the app's purpose is to let users collect their own data for their own use, it does not have to be HIPAA compliant. In that case the app developer is not creating, receiving, maintaining or transmitting the data on behalf of a covered entity or one of its business associates.
  2. Apps that patients use to monitor their own conditions and share the results with their providers
    The same reasoning applies when a patient downloads an app that monitors their health and sends reports to their healthcare provider. As long as the patient chose the app and initiated the sharing, and the provider did not contract with the developer to supply it, the developer is not a business associate and the app does not need to be compliant. This is a direct-to-consumer service. Some apps exist in two versions: one offered by or on behalf of a covered entity (for example a health plan), which must be HIPAA compliant, and one offered directly to consumers, which need not be.
  3. Apps in which the developer does not create, receive, maintain or transmit protected health information (PHI)
    As a general rule, if an app developer is not handling data as a business associate (BA) on behalf of a covered entity, the app does not need to be compliant.

Web App HIPAA Compliance Needed

"Generally, HIPAA covers data in health plans with healthcare providers that are conducting transactions, like claims transactions, billing, clearing houses and business associates," states Bordenick.
  1. When an app contains protected health information (PHI)
    PHI is individually identifiable health information: information about a person's past, present or future physical or mental health, the care provided to them, or payment for that care, combined with anything that identifies the individual (name, dates, contact details, record numbers and other demographic identifiers). Healthcare-operations and billing records that carry such identifiers are PHI too.
  2. Health plans, transactions and clearing houses
    Apps offered by health plans, and apps that process standard healthcare transactions such as claims, billing or clearing-house functions, handle PHI by definition and must be HIPAA compliant.
  3. Business associates
    An app developer can determine whether they are a business associate, and therefore need to comply, by answering the following questions:
    • Are your clients covered entities?
    • Are you funded by, or paid for your product by, a covered entity or another BA contracted by a covered entity?
    • Do you create, receive, maintain or disclose any data related to a patient or health plan member on their behalf?
    If the answer to any of the above is yes, HIPAA compliance is a must, and the covered entity must have a business associate agreement (BAA) in place with you before you handle its PHI.
Apps' Need for HIPAA Compliance vs. Non-Compliance

HIPAA Compliant Websites

In today's digital age, having a web presence is important in attracting potential patients to your health practice. Those operating within the healthcare industry whose websites collect or transmit patient information must make those websites HIPAA compliant to protect the information being collected from both current and future patients.

Should Your Website Be HIPAA Compliant?

If you answer yes to one or more of the questions below, taken from the Compliancy Group, you should have a HIPAA compliant website.
  • Are you collecting Protected Health Information (PHI) on your website (contact forms, appointment requests, patient portals, chat widgets)?
  • Are you transmitting PHI through your website, including by email notifications it generates?
  • Are you storing PHI on a server connected to your website?

How to Make Your Website HIPAA Compliant

  • Use TLS: serve the whole site over HTTPS using TLS 1.2 or later (SSL is the obsolete predecessor and should be disabled), redirect plain HTTP to HTTPS, and enable HSTS. TLS protects information in transit between the visitor's browser and your web server; it does not protect data once it is stored.
  • Encrypt data at rest: data submitted through web forms should be encrypted where it is stored, with the keys kept separately from the data (for example in a key-management service), so that a stolen database or backup does not expose PHI. Keep PHI out of web-server access logs, error logs and notification emails as well.
  • Store data on a HIPAA compliant server: the HIPAA Security Rule does not prescribe particular products, but its administrative, physical and technical safeguards (unique user identification, access control, audit logging, integrity controls and transmission security) apply to any server that holds PHI, and healthcare providers should familiarise themselves with them and implement them. If the server is run by a hosting provider, that provider is a business associate and must sign a business associate agreement.

HIPAA-Compliant Website Checklist

Still not sure if your data protection is up to HIPAA compliance standards? Refer to this checklist:
  • All data collected and shared must be encrypted, both in transit and at rest.
  • Back up all data provided by patients, and encrypt the backups.
  • Patient health data needs to be recoverable: test restores regularly rather than only taking backups.
  • Data collected must be protected from unauthorised alteration, and any alteration must be detectable (integrity controls such as checksums, signatures or tamper-evident logs).
  • Data no longer required should be securely and permanently destroyed, in line with a documented retention policy.
If your organisation does not store or transmit PHI, a HIPAA compliant website is not required. Taking these steps is still recommended, in case PHI is handled in the future.
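The integrity items in the checklist above (data protected from alteration, alterations detectable, and PHI destroyed once no longer required) can be made concrete. The following is an added example, not code from Giva or from any source this page cites: a small Python 3 store for web-form submissions that chains an HMAC-SHA256 tag through every record, so that editing, reordering or removing any stored submission is detected, while still allowing a record's PHI to be destroyed at the end of its retention period. The key, record layout, function names and sample submissions are assumptions made for the example; confidentiality of the stored payloads (encryption at rest) is a separate layer not shown here.

```python
"""Tamper-evident, purgeable store for web-form submissions (added example, stdlib only)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed demo key for this example only. In a deployment, load the key from a
# secrets manager or KMS; never hard-code it or store it next to the records.
DEMO_KEY = bytes.fromhex("6f1d8a2e4c7b9f03a5e61b2d4c8f0a1e3b5d7f9a1c3e5b7d9f0a2c4e6b8d0f1a")


@dataclass
class Record:
    seq: int                 # position in the log, starting at 0
    ts: str                  # submission timestamp supplied by the caller
    payload_hash: str        # SHA-256 of the canonical JSON payload
    prev_tag: str            # tag of the previous record ("" for the first)
    tag: str                 # HMAC-SHA256 over the four fields above
    payload: Optional[dict]  # the form data; None once purged


def payload_hash(payload: dict) -> str:
    # Canonical JSON so identical data always hashes the same way.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def record_tag(key: bytes, seq: int, ts: str, p_hash: str, prev_tag: str) -> str:
    # JSON-encode the fields so a "|" or similar inside ts cannot create ambiguity.
    msg = json.dumps([seq, ts, p_hash, prev_tag]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SubmissionLog:
    """Append-only, HMAC-chained store for form submissions containing PHI."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self.records: List[Record] = []

    def head_tag(self) -> str:
        """Tag of the newest record. Record it somewhere the storage cannot alter
        (e.g. the offsite backup log): the chain detects modification, reordering
        and gaps, but not silent removal of the newest records unless the latest
        tag is known from elsewhere."""
        return self.records[-1].tag if self.records else ""

    def append(self, payload: dict, ts: str) -> Record:
        seq = len(self.records)
        prev = self.head_tag()
        p_hash = payload_hash(payload)
        rec = Record(seq, ts, p_hash, prev, record_tag(self._key, seq, ts, p_hash, prev), dict(payload))
        self.records.append(rec)
        return rec

    def purge(self, seq: int) -> None:
        """Destroy the PHI in one record once its retention period has ended.
        The hash and tag remain, so the chain still verifies afterwards."""
        self.records[seq].payload = None

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if the whole log is intact, else (False, seq) for the first bad record."""
        prev = ""
        for position, rec in enumerate(self.records):
            if rec.seq != position or rec.prev_tag != prev:
                return False, position  # a record was reordered or removed
            if rec.payload is not None and payload_hash(rec.payload) != rec.payload_hash:
                return False, position  # stored form content was altered
            expected = record_tag(self._key, rec.seq, rec.ts, rec.payload_hash, rec.prev_tag)
            if not hmac.compare_digest(expected, rec.tag):
                return False, position  # timestamp, hash or chain link was altered
            prev = rec.tag
        return True, None


def demo() -> dict:
    """Constructed sample submissions: purge survives, tampering fails, truncation needs the anchor."""
    log = SubmissionLog(DEMO_KEY)
    log.append({"patient_id": "P-1001", "complaint": "cough"}, "2024-01-05T09:00:00Z")
    log.append({"patient_id": "P-1002", "complaint": "fever"}, "2024-01-05T09:05:00Z")
    log.append({"patient_id": "P-1003", "complaint": "rash"}, "2024-01-05T09:10:00Z")
    anchored_head = log.head_tag()                 # stored out of band, e.g. with the backups
    results = {"intact": log.verify()}
    log.purge(0)                                   # retention ended: PHI gone, chain still good
    results["after_purge"] = log.verify()
    log.records[1].payload["complaint"] = "none"   # an attacker edits a stored record
    results["after_edit"] = log.verify()
    log.records[1].payload["complaint"] = "fever"  # undo the edit, then drop the newest record
    log.records.pop()
    results["after_truncate"] = (log.verify(), log.head_tag() == anchored_head)
    return results


if __name__ == "__main__":
    print(demo())
```

Hashing the payload rather than embedding it in the tag is what lets `purge` satisfy a deletion requirement without breaking verification; the one weakness of any hash chain, silently dropping the tail, is why `head_tag` must be anchored outside the store that is being protected.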

HIPAA Compliant Hosting Service

Hosting a website or service that adheres to HIPAA requires HIPAA compliant hosting. The Health Information Technology for Economic and Clinical Health Act (HITECH), signed into law in 2009, increased the scope of protections for individuals and increased the penalties against covered entities and business associates that do not properly protect electronic health records. Simply put, HIPAA compliant web hosting involves technical safeguards for protecting, storing, disseminating and sharing electronic PHI across the platforms, servers and devices that make up the hosting environment.

Can I Manage the HIPAA-Compliant Hosting Myself?

Neglecting HIPAA compliance can result in civil penalties that range from $100 to $50,000 per violation depending on the level of culpability, with an annual cap of $1.5 million for all violations of an identical provision (amounts set by HITECH and adjusted for inflation). These numbers can be daunting for smaller healthcare providers to shoulder and are a strong incentive to ensure adequate hosting is in place.
Organisation size and available resources affect the ability to install and maintain a HIPAA compliant hosting solution in-house. Organisations that cannot do so must look to a third party for a HIPAA compliant hosting solution that fits their budget while meeting the requirements of the law. Because that provider will store or transmit PHI, it is a business associate and must sign a business associate agreement; a hosting plan marketed as "HIPAA compliant" without a BAA does not make you compliant.

HIPAA Hosting Compliance Checklist

Whether handling web hosting internally or outsourcing to a HIPAA compliant hosting service provider, HIPAA HQ provides a helpful list of areas to account for, including:
  • Documented data management, security and training plans
  • Unique user IDs for every person with access, strong authentication, and procedures for login/logout including automatic session timeout
  • Established and documented policies for the storage, transfer, disposal and reuse of data and media
  • Policies covering data transmission over the internet, by email, across private networks and to cloud services
  • Offsite backup and IT disaster recovery methods, with restores tested

Learn More About Giva HIPAA Compliance

  • HIPAA Basics
  • Data Encryption
  • Onsite & Offsite Encrypted Backups
  • Physical, Logical & Network Access Controls
  • Vulnerability Management & Logging
  • Defined & Tested Security Policies & Procedures
  • SSAE 18 SOC II Type 2 Certification
  • Security Risk Assessments & Breaches
  • Web Apps, Websites & Hosting
  • Phone, Mobile & Computer Devices
  • Common Violations, Breaches & Mistakes
  • Remote Work Conferencing & Telehealth
  • HIPAA Audits