Imagine this: You obtain a patient’s signed written consent to post anonymous “before” and “after” photographs on your website showing her surgical or medical results. You send the photographs to your trusted website administrator, who uploads them to your website without posting information on the patient’s identity. Months later, the patient notifies you that an online search of her name brings up the photographs. The culprit? The file name of the uploaded photographs contains the patient’s name, enabling a search engine to locate the photographs from the underlying file data. Unfortunately, this is not a hypothetical. This situation actually happened to numerous physicians, who were forced to defend costly lawsuits and to face potential HIPAA fines and complaints filed with their licensing agencies.
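The leak described above happens before the photo ever reaches the web server: the original file name carries the patient’s name. The following Python is an added example (not from this article or any vendor) of a pre-upload check that flags a file name containing parts of the patient’s name and replaces it with a random, non-identifying name; the name-matching rule and the allowed image types are assumptions.

```python
import re
import secrets
from pathlib import PurePath

# Assumed allow-list of image types accepted for a results gallery.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}


def filename_leaks_identity(original_name: str, patient_name: str) -> bool:
    """Return True if any part of the patient's name (3+ letters) appears in the
    file name stem, ignoring case, spaces, hyphens and underscores.
    Assumed heuristic: e.g. 'Jane_Doe_before.jpg' vs. 'Jane Doe'."""
    stem = re.sub(r"[^a-z0-9]", "", PurePath(original_name).stem.lower())
    tokens = [t for t in re.split(r"[^a-z0-9]+", patient_name.lower()) if len(t) >= 3]
    return any(t in stem for t in tokens)


def opaque_filename(original_name: str) -> str:
    """Build a random file name that keeps only the (validated) extension.
    Nothing from the original stem survives, so search engines index no name."""
    ext = PurePath(original_name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"unsupported image type: {ext!r}")
    # 16 hex characters from a CSPRNG; hex never contains most letters of a name.
    return f"case-{secrets.token_hex(8)}{ext}"


def prepare_for_upload(original_name: str, patient_name: str) -> dict:
    """Return the name to upload under and whether the original needed renaming.
    The caller should also strip embedded metadata (EXIF/XMP) before upload,
    which is outside this example."""
    leaked = filename_leaks_identity(original_name, patient_name)
    safe_name = opaque_filename(original_name)
    return {"original": original_name, "upload_as": safe_name, "renamed_for_phi": leaked}


if __name__ == "__main__":
    # Constructed sample: the very file name pattern that caused the leak.
    print(prepare_for_upload("Jane_Doe_before.jpg", "Jane Doe"))
```

Apply the check on every upload path, including the one your website administrator uses, not only on the files you send.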
Websites are becoming a vital part of many physicians’ marketing efforts. They also serve as an important patient communication tool. Failure to properly secure electronic Protected Health Information (PHI) can have drastic consequences.
HIPAA is intentionally vague regarding the specific safeguards required for medical practices’ websites. The regulations generally state that a covered entity must take “reasonable” steps to protect the confidentiality, integrity and availability of PHI. It is incumbent upon you to perform ongoing risk assessments as to what is feasible for your practice, and to keep current on available security measures.
The following tips provide guidance on how to start the process of ensuring your website is HIPAA compliant:
Website and data storage vendors: You are solely responsible for ensuring the PHI you receive, transmit and store complies with HIPAA. Do research to find a reputable vendor that is familiar with HIPAA and uses up-to-date security measures. All vendors with access to PHI must sign a Business Associate Agreement, requiring compliance with the HIPAA Security Rule and HIPAA Privacy Rule regarding the disclosure, handling and use of PHI.