Merrily Orsini's Thought Leadership

Making the Website Referral Form HIPAA Compliant

How we wish HIPAA Compliance worked.

Not really HIPAA Compliant!

In the old days, accepting a referral over the Internet was considered OK. That was before the Internet became so widely used, and before the HITECH amendment to HIPAA, which came out in 2009. Requirements for technology compliance are now specific. Whenever Protected Health Information (PHI) is in play, the website developer becomes a “Business Associate,” so we must sign a Business Associate Agreement with each client whose website we build, and we must protect ourselves accordingly.

The fines for knowingly implementing a system which is in violation of HIPAA/HITECH are huge — to the tune of $10,000 per violation. In fact, we can be fined for failing to report a violation we see someone else committing. So, not only the agency but also the website development firm share responsibility for making certain that a patient’s information is kept as private as possible.
Having an SSL certificate does NOT make a form HIPAA compliant. SSL encrypts the form data only while it travels from the visitor’s browser to the server. That simple option is still in violation of HIPAA because:
– The submitted form is stored on an unencrypted web server.
– It sends an unencrypted copy of itself through email (the email can be disabled, but the following problems still exist).
– The database is not on a separate server, which it must be.
– There is no audit trail detailing who accessed what information at any given time. That would have to be in place to track the agency’s actions, the website developer’s actions, and the web host’s actions. And that data must be kept for a year!
– The servers must have adequate protections, including a firewall and antivirus, and remote encrypted backups taking place regularly. (This is not true of a shared or VPS server, which is what most websites use.)
– Regular security audits must be performed and logged, with remedies applied as needed. All of that must be logged as well.
– A breach notification process must be in place as well.
– Anyone accessing the server needs to be trained in HIPAA compliance.
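To make the audit-trail point concrete, here is an added example (not corecubed’s code, and not part of the original post) of what a minimal audit trail for a referral store could look like: every read or write of a referral is recorded with who did it, which of the three parties (agency, developer, host) they belong to, what they did, and when; each entry is chained to the previous one by a SHA-256 hash so that an edited or deleted line is detected; and a retention check prevents entries younger than the one-year window from being purged. The actor names, record ids and timestamps are constructed for illustration.

```python
"""Tamper-evident audit trail for a referral-form store.

Added example, not corecubed's code. The actors, record ids and
timestamps below are constructed sample data, not real events.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=365)   # the post says audit data must be kept a year
GENESIS = "0" * 64                # chain anchor for the first entry
ROLES = ("agency", "developer", "host")   # the three parties the post names


def _digest(prev_hash: str, fields: dict) -> str:
    """Hash of the previous entry's hash plus this entry's canonical JSON."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []   # append-only list of dicts; never edited in place

    def record(self, actor, role, action, referral_id, when=None):
        """Append one entry and return its hash."""
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "ts": when.isoformat(),
            "actor": actor,
            "role": role,
            "action": action,          # e.g. "create", "read", "backup"
            "referral_id": referral_id,
            "prev": prev,
        }
        entry["hash"] = _digest(prev, entry)   # hash covers every field above
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(prev, fields) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def accesses_to(self, referral_id):
        """Who touched a given referral, in order: the question an auditor asks."""
        return [(e["ts"], e["actor"], e["role"], e["action"])
                for e in self.entries if e["referral_id"] == referral_id]

    def purgeable(self, now=None):
        """Entries older than the retention window; everything else must be kept."""
        now = now or datetime.now(timezone.utc)
        return [e for e in self.entries
                if now - datetime.fromisoformat(e["ts"]) > RETENTION]


def demo():
    """Build a small log from constructed events: intake, a developer read, a host backup."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log = AuditLog()
    log.record("intake@agency.example", "agency", "create", "ref-001", base)
    log.record("dev@webfirm.example", "developer", "read", "ref-001", base + timedelta(days=3))
    log.record("ops@host.example", "host", "backup", "ref-001", base + timedelta(days=4))
    return log


if __name__ == "__main__":
    log = demo()
    print("chain intact:", log.verify())
    for row in log.accesses_to("ref-001"):
        print(row)
    log.entries[1]["action"] = "export"     # simulate someone editing the trail
    print("after tampering:", log.verify())
```

The chain only detects tampering; it does not prevent it, so in practice the log would be written to a store the agency, developer and host can each append to but none can rewrite, and `verify()` would run as part of the regular security audits the post describes.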
So, what used to be simple is now complex. However, corecubed has a relationship with an affordable solution, and can now offer this opportunity to our website clients: a HIPAA compliant referral form. Just another way that we continue to support our clients in the aging services industry.