HIPAA Compliance And Your Dental Practice Website
One of the most often overlooked dental HIPAA compliance issues is website compliance. If HIPAA’s intent is to protect PHI then why would a dental website need to be in compliance? As long as the site doesn’t have patient photos or identifiable patient information on it, what’s the big deal?
To answer that question we’ll dive deep into dental HIPAA website compliance issues. Most of you will find that you’re in compliance and you have nothing to worry about. But you won’t know that until you cross your t’s and dot your i’s.
This website HIPAA compliance guide has three parts: first, the ways dental websites can be in violation; second, what to do if you’re in violation; and third, some of the resources available to make sure that you stay in compliance.
Aight! Let’s get started!
How Does HIPAA Apply To Dental Websites?
The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule states that anyone who comes in contact with or has access to ePHI (electronic Protected Health Information) must safeguard that information and follow specific rules for disclosure. HIPAA essentially hands the control of PHI to the consumer. PHI could be a patient in the background of a photo, dates, images with identifiable moles or tattoos, or any digital information which may identify a patient.
The breadth of compliance is staggering to the point of frustration for many medical professionals, but necessary to protect patients and improve care.
When it comes to dental website compliance, there is a short list of things you need to be aware of. It’s not too complex, and you can easily stay in compliance with a little direction.
Let’s begin with the two entities identified in HIPAA, Covered Entities and Business Associates.
Who Is The Covered Entity In HIPAA?
A covered entity is the person or organization that has direct contact with patients. The covered entity is responsible for ensuring HIPAA compliance. This is you, the dental practice.
Who Is The Business Associate In HIPAA?
A business associate is any organization that has access to the covered entity’s patient health information but does not have direct contact with the patient. A business associate is required to provide the covered entity with a signed BAA (discussed below).
Dental Websites Must Be Compliant If They Collect, Store, or Transmit PHI
It is the responsibility of the covered entity to ensure that their website is HIPAA compliant. The company that built your website is not legally responsible. If your website comes under the scrutiny of HIPAA enforcement you won’t be able to blame your website designer, which is why it’s vital you understand whether you’re in violation.
According to HIPAA regulations, if your website collects, stores, or transmits any type of identifiable PHI then it must comply with the HIPAA regulations.
Is Your Dental Website Collecting PHI?
It’s common for dental websites to collect PHI. Examples of collection would be:
- Live chat
- Online patient forms
- Contact forms
- Patient portals
Almost all dental websites built in the last few years use some or all of the functionality listed above, but that doesn’t mean your website itself collects the PHI.
Huh? Let me explain.
Let’s say that you have Live Chat on your site. The PHI shared in a chat session may or may not be saved on your website or with your website hosting company. If your website design company used a HIPAA compliant live chat system then the information shared in the session would be encrypted.
Another example would be when a patient fills out an appointment request form. The form may be a HIPAA compliant form. All of the information submitted may be collected in an encrypted fashion.
To ensure that you’re in compliance you’ll want to check the functionality of your website and make sure that any software and plugins that come in contact with PHI are HIPAA compliant.
Is Your Dental Website Storing PHI?
Once your website collects PHI you have to ask yourself, “Where is the PHI being stored?” Is it on your computer in your office? Is the PHI being sent to your hosting company? Is the data being sent to a third party server? Where is it?
HIPAA requires stored PHI to be encrypted so that, if the information is hacked and stolen, it can’t be read. The minimum encryption standard dictated by HIPAA is AES-256 encryption, which is, for practical purposes, unbreakable.
In addition to encrypted storage you must also ensure the following capabilities:
- Proper encryption key management
- Unique user IDs
- Audit logs
- Server Backups
- Dedicated infrastructure
- HIPAA-trained support personnel
- Automatic updates
- Data disposal
- Signed BAA
Nearly all reputable hosting companies provide the security listed above, but that doesn’t mean that they are HIPAA compliant.
WPEngine, one of the most reputable hosting companies, uses AWS (Amazon Web Services), which is HIPAA compliant. WPEngine does everything listed above except for signing a BAA. Why? They don’t want the liability. So, although they check all the boxes, they aren’t HIPAA compliant.
But remember, you don’t need a HIPAA compliant hosting company if there is no PHI being collected or stored on the website servers.
Your job is to make sure that you have HIPAA compliant hosting or that all functionality of your website that comes in contact with PHI is HIPAA compliant.
Is Your Dental Website Transmitting PHI?
When PHI is collected it has to be sent to a server with encrypted storage. But before the PHI gets to the encrypted server there is a transmission process, and the data is at risk of being intercepted while in transit. I know that it’s a bit of geek talk, but HIPAA’s minimum transmission requirement is TLS 1.2. You’ve probably heard of SSL; well, TLS is the newer, more awesomer version of SSL.
As long as all of the software and plugins on your website meet the transmission requirement, then you’ve checked the box.
Your Dental Website HIPAA Compliance Checklist
Staying compliant isn’t difficult as long as you know what to look for. Below are the most common dental website HIPAA compliance violations.
1) HIPAA Notice Of Privacy Practices
The HIPAA rule requires that all covered entities provide patients with a notice of how their PHI may be used or disclosed. The notice must also inform them as to their legal rights regarding their PHI.
All covered entities provide this notice to their patients during their first appointment, but what does HIPAA say about the notice and your dental practice website?
HIPAA states that covered entities must post their Notice Of Privacy Practices on their website in an obvious place that is not hidden or obscured. Specifically, the rule states that it should not require multiple clicks to reach or be buried in the ‘patient forms’ section of the dental website.
Here are a few suggestions to accomplish this:
- Put the notice on your homepage.
- Put the notice in the footer of your website so that it can be found on every page.
- If you use a text link, BOLD the link.
2) Dental Website Without SSL (Secure Sockets Layer)
HIPAA requires that all covered entities enable SSL on their website.
SSL (Secure Sockets Layer) is a communications security protocol that establishes an encrypted link between a server and another system. (What sites actually run today is TLS, the newer version mentioned above, but the name SSL has stuck.) When a web browser contacts your website, SSL ensures that any information shared in the process is encrypted. It’s a lot like sealing a letter before putting it in the mail. If your letter is sealed, it’s less likely to be read by someone along the way.
An easy way to see if your website has SSL is to look at the address bar. If the address starts with http://, you do not have SSL. If it starts with https://, the connection between the visitor’s browser and your website is encrypted. Keep in mind that https:// only covers the trip to your server; it tells you nothing about how form data is stored once it arrives, which is the storage question covered above.
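To make “TLS 1.2 minimum” concrete, here is a small Go program added to this post as an illustration. It is not code from the original article, from WPEngine, or from any form or chat vendor. It starts a loopback server configured to refuse anything older than TLS 1.2, then probes it twice: once as a modern client and once as a client that only offers TLS 1.0 and 1.1. The names ServerPolicy, Probe, TLSResult and RunTLSDemo are this example’s own, and the certificate it mints is throwaway test material. On a real dental site this setting lives in the web server or the host’s configuration rather than in Go, but the behaviour being checked is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// ServerPolicy is the transport rule the post describes: the server refuses any
// handshake below TLS 1.2. Hypothetical helper written for this example.
func ServerPolicy(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{cert},
	}
}

// selfSignedCert mints a throwaway certificate for localhost so the demo runs
// offline. Constructed test material only; a real site uses a CA-issued cert.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// Probe opens one connection offering only versions in [minV, maxV] and reports
// what was negotiated, or the error the server's policy produced.
func Probe(addr string, roots *x509.CertPool, minV, maxV uint16) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs:    roots,
		ServerName: "localhost",
		MinVersion: minV,
		MaxVersion: maxV,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// TLSResult is what RunTLSDemo observed.
type TLSResult struct {
	ModernVersion  uint16 // version a TLS 1.2+ client negotiated
	LegacyRejected bool   // whether a TLS 1.0/1.1-only client was turned away
}

// RunTLSDemo starts a loopback server under ServerPolicy and probes it twice.
func RunTLSDemo() (TLSResult, error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return TLSResult{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", ServerPolicy(cert))
	if err != nil {
		return TLSResult{}, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // a failure here is the policy doing its job
			}(c)
		}
	}()

	var res TLSResult
	res.ModernVersion, err = Probe(ln.Addr().String(), roots, tls.VersionTLS12, tls.VersionTLS13)
	if err != nil {
		return res, fmt.Errorf("compliant client was refused: %w", err)
	}
	_, err = Probe(ln.Addr().String(), roots, tls.VersionTLS10, tls.VersionTLS11)
	res.LegacyRejected = err != nil
	return res, nil
}

func main() {
	res, err := RunTLSDemo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("modern client negotiated version 0x%04x\n", res.ModernVersion)
	fmt.Println("TLS 1.0/1.1-only client rejected:", res.LegacyRejected)
}
```

The legacy probe has to set MinVersion explicitly because recent Go releases already refuse TLS 1.0 and 1.1 by default on the client side; without that, the probe would fail before ever reaching the server and prove nothing about its policy.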
3) Non-HIPAA Compliant Contact Forms
Any type of form on your website, whether it’s a contact form or an appointment request form, needs to be HIPAA compliant.
There are five aspects of making sure a form is compliant:
- Limited Access: Only persons who are authorized should have access to the form data.
- Data Transfer: Once a form is filled out and the submit button is clicked, the information is transferred from the form to a secure server. In transit the data must be encrypted to at least the TLS 1.2 standard.
- Storing The Data: Data must be stored with encryption. The standard is AES-256 encryption.
- Data Backup: In situations where systems have been broken into or destroyed in some manner, you must have a process of recovering the data.
- Deletion: All covered entities must have a way to permanently delete the information that is no longer being used.
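As an added example, not the post’s own code and not from any form plugin, here is how the storage requirements from the hosting section above (AES-256, key management) and the form checklist just given (encrypted storage, deletion) look in working Go: form submissions are encrypted with AES-256-GCM under a key supplied from outside the data store, the load step refuses anything that was tampered with or copied onto another record, and the delete step removes the record. Vault, NewVault, Store, Load, Delete, VaultResult and RunVaultDemo are hypothetical names, and the submission values are constructed. Limited access and backups, the other two items on the list, are outside what a single snippet shows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"log"
)

// Submission is the payload of a hypothetical appointment-request form.
type Submission struct {
	Name   string `json:"name"`
	Phone  string `json:"phone"`
	Reason string `json:"reason"`
}

// Vault holds form submissions encrypted at rest. The AES-256 key comes from
// outside (a secrets manager or KMS in practice) and is never stored beside the
// ciphertext. Hypothetical type written for this example.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // record id -> nonce || ciphertext || tag
}

// NewVault accepts only a 32-byte key, i.e. AES-256, the minimum the post names.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}}, nil
}

// Store encrypts one submission under a fresh random nonce. The record id is
// bound as associated data, so a blob copied onto another id will not open.
func (v *Vault) Store(id string, s Submission) error {
	plain, err := json.Marshal(s)
	if err != nil {
		return err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.records[id] = v.aead.Seal(nonce, nonce, plain, []byte(id))
	return nil
}

// Load authenticates and decrypts a record. A flipped bit or a mismatched id is
// reported as an error instead of coming back as garbage.
func (v *Vault) Load(id string) (Submission, error) {
	blob, ok := v.records[id]
	if !ok {
		return Submission{}, errors.New("no such record")
	}
	n := v.aead.NonceSize()
	if len(blob) < n {
		return Submission{}, errors.New("stored record is truncated")
	}
	plain, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(id))
	if err != nil {
		return Submission{}, fmt.Errorf("record %q failed authentication: %w", id, err)
	}
	var s Submission
	err = json.Unmarshal(plain, &s)
	return s, err
}

// Delete drops a record. With the key held elsewhere, nothing readable is left
// in the data store, which is what the post's "permanently delete" step asks for.
func (v *Vault) Delete(id string) { delete(v.records, id) }

// VaultResult summarises one store/load/tamper/delete cycle.
type VaultResult struct {
	RoundTrip     Submission
	WrongIDCaught bool
	TamperCaught  bool
	DeletedGone   bool
}

// RunVaultDemo exercises the vault with a constructed submission.
func RunVaultDemo(key []byte) (VaultResult, error) {
	v, err := NewVault(key)
	if err != nil {
		return VaultResult{}, err
	}
	in := Submission{Name: "Jane Example", Phone: "555-0100", Reason: "cleaning"} // constructed
	if err := v.Store("req-1", in); err != nil {
		return VaultResult{}, err
	}
	var r VaultResult
	if r.RoundTrip, err = v.Load("req-1"); err != nil {
		return r, err
	}
	// Same ciphertext under a different id: the associated-data check must fail it.
	v.records["req-2"] = append([]byte(nil), v.records["req-1"]...)
	_, err = v.Load("req-2")
	r.WrongIDCaught = err != nil
	// One flipped bit in the tag: GCM authentication must fail it.
	v.records["req-1"][len(v.records["req-1"])-1] ^= 0x01
	_, err = v.Load("req-1")
	r.TamperCaught = err != nil
	v.Delete("req-1")
	v.Delete("req-2")
	_, gone1 := v.records["req-1"]
	_, gone2 := v.records["req-2"]
	r.DeletedGone = !gone1 && !gone2
	return r, nil
}

func main() {
	key := make([]byte, 32) // in production: fetched from a secrets manager, never hard-coded
	if _, err := rand.Read(key); err != nil {
		log.Fatal(err)
	}
	r, err := RunVaultDemo(key)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The “Limited Access” item on the list is what the separation of key and ciphertext is for: someone who can read the data store but not the key service gets nothing usable, and someone who holds the key still needs access to the store.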
To find out if your forms are HIPAA compliant, contact your website design company or IT manager. If you don’t have an IT manager and your website design company can’t help, contact us.
4) Patient Photography and Reviews Without Consent
With the proliferation of social media, reputation management, online reviews, and online photography, consent to use patient photos has become essential.
There is no violation in taking a photo of a patient if that photo is used internally in the care of the patient. But if the photo is identifiable and is used in any way for educational purposes, sent offsite, or used in advertising and marketing, it requires a signed HIPAA consent form.
The same goes for using an online review from a patient. Although online reviews are submitted by the patient, and it might seem that the patient has therefore given up control of their information, a dental practice is not allowed to use the review for marketing purposes. Nor is the dental practice allowed to respond to the review in a way that may confirm that the person is a patient of the practice.
To keep your nose free of HIPAA problems you need to get a signed consent form from the patient.
Consent forms include specific language that gives the covered entity the legal right to use the photo for a period of time. The consent form includes the following:
- The parties involved
- A description of use
- An expiration date
- The patient’s right to revoke consent
- That health benefits are not conditional on consent
A detailed evaluation of HIPAA compliant consent forms can be read here.
5) Business Associates and Sub-Associates Must Provide BAAs
A BAA is required any time a covered entity shares PHI with a business associate. Covered entities have direct contact with patients. Business associates on the other hand have access to PHI but do not see patients.
Examples of business associates:
- Collection agencies
- IT consultants
- Marketing consultants
- Transcription services
- Practice management software
- Coding companies
- Answering services
- Hosting companies
- IT contractors providing remote backup services
- Accounting services
A Sub-Associate is a company that works with a Business Associate. For example, My Social Practice is a business associate of dental practices because we offer digital marketing services and sometimes come in contact with PHI. With some of our dental marketing services we use software developed by other agencies (Sub-Associates). In situations like these a covered entity would need a signed BAA from both the Business Associate and the Sub-Associate.
Risks Of Your Dental Website Not Being HIPAA Compliant
The HITECH Act (Health Information Technology for Economic and Clinical Health) ensures that healthcare providers use EHR (Electronic Health Record) systems.
If your dental website is collecting, storing, or transmitting PHI in a non-HIPAA-compliant manner you should take reasonable measures to protect and secure the data.
If you decide not to fix HIPAA compliance issues you may become subject to the enforcement process and run the risk of being fined. Depending on the magnitude of the HIPAA violation, fines can range from $100 up to $50,000.
Need Help? What To Do If You’re Not Sure What To Do
Unless you’re a HIPAA geek, making sure that your website is compliant will take time and is frankly confusing for some.
The language around website compliance is vague. The vagueness is not intentional; it’s a result of how fast the internet and digital technology change. This often leads to uncertainty about whether or not your website is in violation.
One simple way to find out is to have a professional take a look at your website and check it for HIPAA compliance.
HIPAA compliant websites should be on a dental practice’s radar. But it’s not something to stress about. There are solutions in the industry that you can lean on.
If you’re confused or need more help contact your dental website design company and ask them about the topics discussed in this blog post. If all else fails, give us a call. We have a fantastic staff of personnel that can answer almost any questions related to dental website HIPAA compliance.
About the Author: Adrian Lefler is a dental marketing expert and a key member of the dental marketing team at My Social Practice. My Social Practice is located in Salt Lake City, Utah. Adrian is passionate about helping dental practices grow through transparent and effective dental marketing services. If you have any dental marketing questions, give us a call at 877-316-7516. And, don’t forget to read our Google My Business reviews.