Understanding HIPAA Compliance and your website
We’ve done quite a few websites for doctors and dentists over the years. (See Dr. Adams, Dr. DeWitt, or Dr. Smith for a few examples.) One of the questions that always gets asked is: can my patients fill out their forms online? The answer is yes. BUT – you have to have HIPAA compliant forms.
Doctors of course know what HIPAA is, but for those who don’t, HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, a law that basically mandates the privacy of your medical information. It’s a good thing, but it does lead to some questions about how best to handle patient information on forms.
Let me digress here with my husband’s favorite HIPAA joke. (I hear it kills at the pharmacy.)
I can’t tell you.
First, what can you ask of a patient without the form needing to be HIPAA compliant? You can ask for name, address, phone number, and email. You can ask about scheduling appointments if you’d like. But you can’t ask for any medical information. For example, if your scheduling request form asks about the medical issue that needs to be addressed, then you’ve ventured into an area where the form DOES need to be HIPAA compliant.
Most of the time, though, I’m asked about new patient forms and how to get those online. The majority of the clients we have done websites for simply have us upload their forms as PDFs and make them available on the website. The patients can download and print the forms and fill them in prior to their appointment. This works fairly well and is simple and inexpensive to implement. But what if you want them to fill out and submit the form online? Then we’re talking about a whole new ballgame.
In order to be HIPAA compliant, your website would need to meet a variety of requirements, including having the form encrypted (obviously – and I generally recommend this for all websites anyway), but also having safeguards about who is able to access that information. The information has to be stored on a HIPAA compliant server, backed up so it can never be lost, and permanently disposed of when no longer needed, just to name a few. It’s quite complicated.
For that reason, I always recommend that my clients use a HIPAA form vendor for any online forms that require medical information. These companies specialize in creating and managing forms that are HIPAA compliant. They will create your form and host it, giving you a special login to access the information. They will also usually skin the form to match your website completely, so your patients don’t even know they’ve left your site. This keeps your forms secure and coordinated with your website, but takes the HIPAA compliance aspect out of your (and your web developer’s) hands.
I haven’t personally used any of these companies, but I did look into options. Some include:
When it comes to HIPAA compliance, it pays to have a specialist take care of the details for you. It eliminates a lot of hassle and provides you with some peace of mind.