By Ed Paulsen
Created November 27, 2018
What exactly IS a HIPAA COMPLIANT WEBSITE and do you even need one?
By the way, HIPAA stands for HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT, so it's spelled "HIPAA", not "HIPPA". If you've been spelling it wrong, don't worry; we still type it wrong ourselves sometimes.
The term "HIPAA compliant website" is a little ambiguous. There's really no such thing as a turn-key, one-size-fits-all website that is HIPAA compliant. What makes one site compliant might not apply to another.
For example, "Website A" may have SSL enabled, have an encrypted database, and have a BAA in place with its hosting company; it accepts E-PHI over encrypted forms on its website, saves the submissions to that database, makes them accessible only through a login-protected portal, and is in perfect compliance. "Website B" may have the exact same setup but accept E-PHI over forms that email the submitted data, and it is not compliant.
Any time you're discussing HIPAA compliance, you're really talking about process and practice rather than technology. No single piece of technology will make you HIPAA compliant; it's all about how you implement technology within your process and practice.
Another good example of working technology into your process is our HIPAA Forms API & WordPress plugin. Yes, our HIPAA Forms solution will make your form submissions HIPAA compliant, but if you print one of those submitted forms out and leave it lying on your reception counter for other patients to see, you're not HIPAA compliant.
If you're wondering whether your website is HIPAA compliant and you already work with a web designer or web design agency, then you should simply ask them what they're doing to make it compliant. If you don't have a BAA in place with your web designer or web design agency, then by default you're not compliant, regardless of what they've done to try to make it compliant. If you accept E-PHI that gets stored in your hosting account's database without a BAA in place with your hosting company, then you're not HIPAA compliant. It's your responsibility as a covered entity to ensure you have a BAA in place with any third-party contractors you hire who may have access to E-PHI; failing to do so is one of the biggest causes of HIPAA violations and subsequent fines.
Now, do you even NEED a HIPAA compliant website?
I'm a little surprised by the number of phone calls I get from people simply asking whether they or their client need to be HIPAA compliant, or who think they need to be HIPAA compliant but don't.
If you're going to accept health information over your website, then the answer is almost always yes. That said, if you or your client run an assisted living facility and want to be able to schedule work orders to clean or fix items in a resident's room, then no, probably not. However, if you also want to attach the resident's name and health conditions to that work order, then yes, you definitely need to be HIPAA compliant.
When in doubt, feel free to give us a call and ask; we're always happy to advise people one way or the other. That said, even if we advise you that you probably don't need to be HIPAA compliant for what you want to do, you should still ask a legal professional, or your HIPAA compliance officer if you have one. We don't always understand the full scope of what you're asking from a single phone call, and while we don't want to push anyone into using products they don't need, our recommendations are just that and are not intended to be legal advice.
If you're looking for someone to build a HIPAA compliant website for you and aren't currently working with a web design professional, feel free to give us a call at 715.941.1040. We would be happy to have a conversation with you to see if Code Monkeys would be a good fit for your new build. While each website build is different and needs to be scoped accordingly, our minimum charge for a new website build is $6,000.