Encryption and Updates Are A Must
HIPAA security is as important to your online presence as it is internally. Making sure your website visitors (patients, clients, etc.) have a secure connection to a website that is up to date and free from malware or other threats is just plain good business practice.
For those who need to conform to the HIPAA rules, encryption and updates are a must. As outlined by the Department of Health and Human Services (HHS), the Health Insurance Portability and Accountability Act defines many guidelines and best practices for compliance.
These HIPAA guidelines can be frustratingly general and broad in nature. We think this is purposeful: it gives you the flexibility to decide how to apply the rules to your practice. For instance, HHS won’t recommend specific software, hardware, systems or technology, as they leave that to your discretion.
This flexibility leads to more questions and uncertainty about what you should actually do, especially with technology and systems you might not be familiar with.
So what do you have to do when it comes to websites? We recommend you start with the HIPAA Security Rule.
HIPAA Security Rule
The HHS.gov website defines the security rule as follows:
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
So what do they mean by “appropriate safeguards”?
The Summary of the HIPAA Security Rule provides a good broad stroke of the overall expectation and under their General Rules it states:
Identify and protect against reasonably anticipated threats to the security or integrity of the information;
This is better information but still a bit broad in nature.
Among the resources linked from this and related HHS pages is an excellent PDF at HealthIT.gov (part of the ONC under HHS).
This document clearly states that your software and hardware needs to be kept up to date and you should be using encryption.
You and your staff must keep up-to-date with software upgrades and available patches. Remember, security risk analysis and mitigation is an ongoing responsibility for your practice. Vigilance should be part of your practice’s ongoing activities.
Get Up To Date and Secure
So what would be appropriate safeguards?
The bottom line: we highly recommend you get your website and server software up to date and put a process in place to keep them that way. You should also encrypt every connection to the site with TLS (still commonly called SSL; the actual SSL protocol versions are obsolete and should be disabled), and further protect it from attacks with a WAF (Web Application Firewall). Keep in mind that a WAF filters traffic; it does not replace patching the software behind it.
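To make "up to date and encrypted" checkable rather than aspirational, here is a small Python script added to this article (it is not code from the original page or from HHS). It builds a client TLS context that refuses obsolete protocol versions, computes how many days a certificate has left from the notAfter string Python's ssl module returns, and audits a set of HTTP response headers for the things a visitor's browser relies on: a redirect from plain HTTP to HTTPS, a Strict-Transport-Security header with a long enough max-age, and no software version leaking in the Server header (a version string tells an attacker exactly which unpatched release you run). The one-year HSTS minimum and the sample responses are assumptions chosen for the example, not figures from the page.

```python
"""Offline checks for the two website safeguards discussed above: an encrypted
(TLS) connection and software you can prove is current. Added example."""
from __future__ import annotations

import ssl
import time

# Assumption: TLS 1.2 is the oldest version a regulated site should accept.
MIN_TLS = ssl.TLSVersion.TLSv1_2
# Assumption: a commonly recommended HSTS max-age floor (one year, in seconds).
HSTS_MIN_MAX_AGE = 31536000


def make_client_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses SSLv3/TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = MIN_TLS
    return ctx


def cert_expiry_epoch(not_after: str) -> int:
    """Epoch seconds for a cert time string like 'Jun  1 12:00:00 2030 GMT',
    the format ssl.SSLSocket.getpeercert()['notAfter'] uses."""
    return ssl.cert_time_to_seconds(not_after)


def cert_days_remaining(not_after: str, now_epoch: float | None = None) -> int:
    """Whole days until the certificate expires (negative once it has)."""
    now = time.time() if now_epoch is None else now_epoch
    return int((cert_expiry_epoch(not_after) - now) // 86400)


def hsts_max_age(value: str) -> int | None:
    """Parse the max-age directive of a Strict-Transport-Security header."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip())
            except ValueError:
                return None
    return None


def audit_response(status: int, headers: dict[str, str], scheme: str) -> list[str]:
    """Return findings for one HTTP response. `scheme` is the scheme requested."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    if scheme == "http":
        location = h.get("location", "")
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("plain-HTTP request was not redirected to HTTPS")
    elif scheme == "https":
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security header")
        else:
            age = hsts_max_age(hsts)
            if age is None:
                findings.append("Strict-Transport-Security has no valid max-age")
            elif age < HSTS_MIN_MAX_AGE:
                findings.append("HSTS max-age shorter than one year")
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header discloses a software version: {server!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample responses; not captured from any real site.
    samples = [
        ("http", 200, {"Server": "Apache/2.4.18", "Content-Type": "text/html"}),
        ("http", 301, {"Location": "https://clinic.example/"}),
        ("https", 200, {"Server": "nginx",
                        "Strict-Transport-Security": "max-age=63072000; includeSubDomains"}),
    ]
    for scheme, status, hdrs in samples:
        print(scheme, status, audit_response(status, hdrs, scheme) or ["ok"])
    print("minimum TLS version:", make_client_context().minimum_version.name)
    print("days left on sample cert:", cert_days_remaining("Jun  1 12:00:00 2030 GMT"))
```

In practice you would feed `audit_response` the status and headers from a real request to your own site (for example via `urllib.request` with `context=make_client_context()`) and put the script on a schedule, so that an expiring certificate, a downgraded TLS setting or a freshly leaked version string shows up in the same ongoing review the HealthIT.gov guidance asks for.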