Is Your Website HIPAA-Compliant?

HIPAA Compliance On Your Website

If you are a HIPAA-covered entity or business associate, you likely know that patient PHI may only be created, received, maintained, and transmitted as permitted by the HIPAA Security Rule and the HIPAA Privacy Rule. Yet you may not have focused on your company’s website as a place where PHI is collected and transmitted. If you are subject to HIPAA, you should continually assess your website’s data practices. You should make sure third-party trackers like Meta Pixel are not accessing and disclosing data behind the scenes, but common customer-facing tools should not be overlooked either.

Vijay Choksi at the law firm of Fox Rothschild put together this quick guide to help you make sure your website is compliant.

Common ways in which PHI may be collected and transmitted

  • Live Chat
  • Patient Portals
  • Online Patient Forms
  • Online Scheduling Tools
  • Reviews and Testimonials
  • Email
  • Online Loyalty Programs

The HIPAA Privacy Rule requires that entities that create, receive, maintain, and/or transmit PHI take specific measures to protect it. For example, if your company keeps individually identifiable medical information on a server, that server must be encrypted and secure. Transmitting PHI includes sending information via email, text, web forms or other types of digital messaging. Storing PHI includes storing information in apps, data centers, etc. If your company website collects, stores, or transmits PHI and does not take reasonable measures to secure that data, it may violate HIPAA.

To begin remediating risks, companies should do the following:

  • Purchase and implement an SSL certificate for the company website
  • Ensure all web forms on the company website are encrypted and secure
  • Only send emails containing PHI through encrypted email servers
  • Partner with web hosting companies that are HIPAA-compliant and have processes for protecting PHI
  • Execute BAAs with third parties that have access to PHI (including web hosting companies)
  • Ensure that PHI is only accessible by authorized individuals within your company
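To turn the first two remediation items and the tracker warning above into something you can actually check, here is an added example (not from the article or from Fox Rothschild) that audits a saved HTML page for forms whose action is not HTTPS, forms submitted by GET (which places the field values in the URL and therefore in server and proxy logs), and a Meta Pixel or similar third-party script loaded on a page that also collects form data. The tracker host list and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: illustrative list of third-party tracker hosts, not exhaustive.
# connect.facebook.net serves the Meta Pixel script mentioned in the article.
TRACKER_HOSTS = {"connect.facebook.net", "www.googletagmanager.com", "www.google-analytics.com"}


class FormAuditor(HTMLParser):
    """Collects forms and external scripts while parsing one HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url        # used to resolve relative action/src values
        self.findings = []
        self.form_count = 0
        self.tracker_hosts_seen = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_count += 1
            # A missing action submits back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            method = (a.get("method") or "get").lower()  # HTML default is GET
            if urlparse(action).scheme != "https":
                self.findings.append(f"form submits to a non-HTTPS action: {action}")
            if method == "get":
                self.findings.append(f"form uses GET, so field values land in the URL and logs: {action}")
        elif tag == "script" and a.get("src"):
            host = urlparse(urljoin(self.page_url, a["src"])).hostname or ""
            if host in TRACKER_HOSTS:
                self.tracker_hosts_seen.add(host)


def audit_page(html, page_url):
    """Return a list of human-readable findings for one page; empty means clean."""
    p = FormAuditor(page_url)
    p.feed(html)
    findings = list(p.findings)
    if p.form_count and p.tracker_hosts_seen:
        findings.append("third-party tracker loaded on a page that collects form data: "
                        + ", ".join(sorted(p.tracker_hosts_seen)))
    return findings


# Constructed sample page: a scheduling page with the Meta Pixel, an HTTP form and a GET form.
SAMPLE_HTML = """<html><body>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<form action="http://forms.example/appointment" method="post"><input name="dob"></form>
<form action="/chat"><input name="message"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "https://clinic.example/schedule"):
        print("FINDING:", finding)
```

Run it against each page that carries a form, portal link or chat widget; a clean page returns an empty list.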
