HIPAA Compliant Web Design

HIPAA compliance is a very important part of website design. If your site is not HIPAA compliant, it could be shut down or fined by the government. This blog post explains what it takes to make sure your website is HIPAA compliant and how to avoid penalties for non-compliance in the future.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a law that was passed in 1996. The goal of HIPAA is to protect the privacy, security, and rights of Americans’ healthcare information as it is transferred from one organization or person to another.

How to Build a HIPAA Compliant Website

You can’t just put up a website without thinking about security. There are several major points to remember in order to comply with HIPAA regulations. We will now take a closer look at the most important precautions.

1.) Install an SSL certificate

SSL encryption is a security measure that helps keep your site safe from hackers. SSL encrypts all of the data transmitted between the user and the server, which means that an attacker intercepting the connection sees only encrypted data instead of credit card details or medical records.

2.) Encrypt sensitive data

The importance of protecting data at every stage cannot be overstated: not only must any information transferred between servers be encrypted with SSL, but sensitive data stored in databases or caches must be encrypted too!

3.) Implement a data backup policy

One of the most important things you can do as a business owner is keep your clients’ information private. For instance, if a client submits their credit card details to your online store in order to pay for an item, it should not be possible for any other person (including yourself) to see them.

HIPAA requires organizations to adhere to strict security measures when storing personal data. This applies whether you’re a hospital or an insurance company, and if there are any clear or obvious flaws in your storage practices, then HIPAA has been violated.

4.) Create a policy for deleting unnecessary personally identifiable information (PII) data

HIPAA also requires deleting a client’s personal information if they terminate their relationship with your company. Keeping data for longer than needed is strictly against HIPAA.

It’s also vital that there is no way to recover the deleted information, since otherwise the information is only temporarily deleted. Once the information is gone, it must be gone for good.

5.) Implement access controls and restrictions

With restricted access, only your administrators can perform administrative functions. This keeps ordinary users from changing settings and possibly breaking something for everyone else who uses the site. Also, only a user should be able to make changes to their own information – this is very important!

The HIPAA rules are so restrictive that any minor unauthorized change, whether to a profile picture or to language settings, can constitute an infraction.

6.) Enforce a secure password policy

Hackers are always on the prowl for a chance to get into your system. This means that you need to regularly change the passwords of all website administrators. You should also recommend that your users change their passwords regularly too.

Not changing old passwords puts customers’ health information at risk and is considered a breach of HIPAA.

7.) Create a protocol for data breaches and other security incidents

Even the most secure sites are still at risk of data breaches, and all it takes is one breach to ruin your business. It’s important to have a contingency plan for when your data is compromised. The last thing you want is to be left unprepared and scrambling in the aftermath of an unfortunate event.

8.) Assign a team member as your HIPAA compliance officer

HIPAA compliance officers are the people who make sure your website stays up to date with any changes made to HIPAA. They also help you decide which information needs to be protected and how that should be done.

So, let’s say you’re a large company with thousands of employees. You have to be aware not only of HIPAA laws but also of any upcoming changes in the law, as well as which rules no longer apply and what those are. And that’s just for starters! That sounds like it would take hours upon hours every day, right? Thankfully, your compliance officer is on top of these things, so they get everything done while ensuring all user data stays safe under their security measures.

9.) Publish your HIPAA policy

Your site is safe. You comply with all HIPAA regulations and have taken steps to assure your users that their information will never be compromised, so why not tell your visitors? Doing so tells your users not only that you know the law, but also how committed you are to their privacy and security.

10.) Require third-party vendors to be HIPAA compliant

HIPAA regulations are stringent and often overlooked by small business owners. As a HIPAA compliant site, you must have an agreement with any vendor that your company uses – including the host of your website.

Some hosts don’t want anything to do with HIPAA-compliant websites. There’s just too much extra cost and regulation involved in maintaining a website this secure! As such, you can expect to pay more for a website that is HIPAA compliant.

Final Thoughts on HIPAA Compliant Web Design Services

In conclusion, there are many ways to make sure your website is HIPAA compliant. The most important thing you can do, however, is establish a relationship with someone who has experience in these matters and can help guide you to an optimal solution.

Asking your web developer whether they can build HIPAA compliant websites is essential to your website’s success (if you need to be HIPAA compliant, of course). This is an important question to ask during a website redesign process. If you’re looking for more great questions to ask your web developer, we have compiled a list of questions to ask a web developer when building a new website.

Disclaimer: WebCitz, LLC does not warrant or make any representations concerning the accuracy, likely results, or reliability of the information found on this page or on any web sites linked to from this page. This blog article was written by Timothy A in his or her personal capacity. The opinion(s) expressed in this article are the author's own and may not reflect the opinion(s) of WebCitz, LLC.