HIPAA’s HITECH rule is nothing if not complicated.  Simply finding a clear and unambiguous description of what must be done to protect your website is a significant research project in itself.  Its path starts at the Federal Register, then to the Department of Health and Human Services with a brief but important detour to the National Institute of Standards and Technology.  And that’s if you don’t get sidetracked by quasi-official looking sites like hipaa.com, hipaaguide.net and hipaasurvivalguide.com.

As a Web developer with a specialty in creating and maintaining hospital websites, it is important that we fully understand where these things intersect with HIPAA.  In fact, any agency that is charged with the creation, care and maintenance of a hospital website must fully understand these things.

One of the fundamental and avoidable data exposures relates to the breach rule.  You can read our recent eHealthcare Strategy and Trends article, When is a Health Information Breach Not a Breach? but here it is in a nutshell:

If you lose custody of PHI on 500 or more patients and that PHI is not properly secure, you need to report the breach to HHS, local press and every affected individual.

Clearly, this is something to avoid.  Examples of PHI data on a website include data collected during pre-registration (maternity, outpatient, etc.) and appointment requests.  Even newsletter subscriptions and simple contact forms can connect personally identifiable information with protected health information.

The good news is that if the data is properly secured, it doesn’t matter if custody is lost.  You are exempt from the breach notification rule.

If you understand the applicable regulations and have the appropriate technical skill set, properly securing this data can be straightforward.

But is it being done?

We’ve been working hard to educate those responsible for hospital websites about these issues, but there is still more to do.  Consider this scenario:

The marketing or specialty agency that handles much of the traditional marketing has an interactive department.  They contend they are the best choice to manage the website because brand continuity is important, offline and online.  There are campaign-driven microsites to consider as well.  Plus with the emergence of social media, all of it has to be tied together.  All true but all very visual and front-end issues.

More times than not, however, the “back end” is not the focus.  Issues like database structure and encryption keys take a back seat to more visual considerations.  These back-end issues are invisible, highly technical and somewhat boring for those driven by aesthetics and communication. 

But it is here, in the back end, where improper attention and lack of knowledge can lead to unpleasantness like breach notification.

In any regulated industry – and especially in healthcare – you must fully understand the implications of data security on your website.  You need to have a competent technical team that understands the regulatory landscape and designs online systems to minimize risk.  The stakes are too high to surrender this control to a vendor more focused on design than data.