Submission of information online: Many medical practices’ websites allow patients to schedule an appointment, fill out forms, send an email, access a patient portal and/or upload documents. These types of communications likely include PHI. Be sure your website uses a secure transport protocol (such as SSL/TLS) and that all PHI is encrypted both while it is transmitted and while it is stored online. Set up the website to send immediate automatic notifications whenever new information is submitted. Also, implement policies regarding how, and by whom, that information will be processed, and restrict access to PHI to authorized personnel only.
Notice of Privacy Practices: Post your Notice of Privacy Practices on the website. If you choose to deliver the Notice of Privacy Practices to patients by only electronic means (as opposed to obtaining their signature on a hard copy in the office), require that the patient provide an acknowledgement of receipt.
Patient reviews: Unless you obtain the patient’s signed written consent to publicly display their name and health information, do not include any identifiable information about the patient on the website, including any that may appear in patient reviews.
As you can see, being cautious with a patient’s information, even in ways you may not have initially thought necessary, is paramount. Ensuring that your practice’s online presence is compliant with HIPAA guidelines can help reduce the risk of hefty fines, lawsuits and other consequences to your medical license.