Failure to properly secure electronic Protected Health Information (PHI) can have drastic consequences.
Imagine this: You obtain a patient’s signed written consent to post anonymous “before” and “after” photographs on your website showing her surgical or medical results. You send the photographs to your trusted website administrator, who uploads them to your website without posting information on the patient’s identity. Months later, the patient notifies you that an online search of her name brings up the photographs. The culprit? The file name of the uploaded photographs contains the patient’s name, enabling a search engine to locate the photographs from the underlying file data. Unfortunately, this is not a hypothetical. This situation actually happened to numerous physicians, who were forced to defend costly lawsuits, and face potential HIPAA fines and complaints filed with their licensing agency.
Websites are becoming a vital part of many physicians’ marketing efforts. They also serve as an important patient communication tool. Failure to properly secure electronic Protected Health Information (PHI) can have drastic consequences.
HIPAA is intentionally vague regarding the specific safeguards required for medical practices’ websites. The regulations generally state that a covered entity must take “reasonable” steps to protect the confidentiality, integrity and availability of PHI. It is incumbent upon you to perform ongoing risk assessments as to what is feasible for your practice, and to keep current on available security measures.
The following tips provide guidance on how to start the process of ensuring your website
is HIPAA compliant:
Website and data storage vendors: You are solely responsible for ensuring the PHI you receive, transmit and store complies with HIPAA. Do research to find a reputable vendor that is familiar with HIPAA and uses up-to-date security measures. All vendors with access to PHI must sign a Business Associate Agreement, requiring compliance with the HIPAA Security Rule and HIPAA Privacy Rule regarding the disclosure, handling and use of PHI.
Submission of information online: Many medical practices’ websites allow patients to schedule an appointment, fill out forms, send an email, access a patient portal and/or upload documents. These types of communications likely include PHI. Be sure your website is equipped with a security protocol (such as SSL), and encrypt all PHI that is transmitted or stored online. Set up the website to send immediate automatic notifications of newly submitted information. Also, implement policies regarding how and by whom the information will be processed. Restrict access to PHI to authorized personnel only.
Notice of Privacy Practices: Post your Notice of Privacy Practices on the website. If you choose to deliver the Notice of Privacy Practices to patients by only electronic means (as opposed to obtaining their signature on a hard copy in the office), require that the patient provide an acknowledgement of receipt.
Patient reviews: Unless you obtain the patient’s signed written consent to publicly display their name and health information, do not include any form of identifiable information about the patient on the website, such as that which may be included in patient reviews.
As you can see, being cautious with a patient’s information, even in ways you may not have initially thought necessary, is paramount. Ensuring that your practice’s online presence is compliant with HIPAA guidelines can help reduce the risk of hefty fines, lawsuits and other consequences to your medical license.