Dental Marketing Ideas, Tips, and Tricks
Adrian Lefler

A Dentist’s Guide to Website HIPAA Compliance

3/4/2024 11:46:53 AM

Don’t let HIPAA scare you off of building a personalized, client-friendly, and accessible website. A dental practice website is an indispensable tool for successful marketing, so why not tailor it to provide the best possible experience for your patients? Make sure you understand how to safely communicate and handle protected health information and stay HIPAA compliant. 

What HIPAA Means For Your Website

HIPAA applies to covered entities and their business associates: anyone in those organizations who comes into contact with or has access to ePHI (electronic protected health information) must safeguard that information and follow specific rules for its use and disclosure. 


So that means if you are transmitting, collecting, or storing PHI on your website, you have to have the proper security measures in place. This protects your patients and your practice should there be a data breach. It also means that you need to actively use HIPAA consent forms before you share or post anything online about your patients or you risk getting hit with hefty fines. 


A costly HIPAA compliance mistake could not only put a ding in your bottom line, but can cause irreparable damage to your reputation as a dentist. So let’s make sure that you understand what goes into having a HIPAA-friendly site with this essential guide for website compliance.

Technical Terms to Know

HIPAA and website security can get technical quickly. Take a look at these commonly used terms before we move on. 

Encryption: Encrypting protected health information essentially changes plaintext into ciphertext that renders it unreadable for anyone who doesn’t have access to the proper decryption key. 
PHI: Protected health information includes any identifiable information about a patient that is transmitted or stored by a covered entity (your dental practice). This can include names, addresses, photos, or even patient reviews. 

SSL/HTTPS: Secure Sockets Layer, long since replaced by TLS (Transport Layer Security), although the old name has stuck. HTTPS is ordinary web traffic carried inside a TLS connection between the visitor’s browser and your web server, so that everything sent in either direction is encrypted and the browser has checked that it is really talking to your server. HIPAA does not name a protocol, but it does require that ePHI be protected in transit, and for a website that means TLS on every page, not just the login or forms page. A URL that starts with https:// tells you that the connection to that page is encrypted; it does not tell you where a form on that page sends its contents, so check that too. 

HIPAA Privacy Rule: Sets standards for the protection of PHI and governs how covered entities can disclose and use patient information. 

HIPAA Security Rule: Establishes standards for securing ePHI and outlines the administrative, physical, and technical safeguards for protecting patient data. 

Covered Entity: Your practice. In HIPAA’s terms, a health care provider that sends any health information electronically (claims, eligibility checks, referrals), along with health plans and clearinghouses.

Business Associate/BAA: A business associate is a third-party vendor that creates, receives, stores, or transmits PHI on your behalf, such as a dental website hosting company, an IT provider, or a marketing agency. A BAA (Business Associate Agreement) is the contract you must have signed with each one before it handles any PHI. 
Notice of Privacy Practices (NPP): Outlines how the covered entity (your practice) intends to use, disclose, and store PHI. You are required to provide patients with this information. 

You probably covered a lot of this information in dental school or in your last HIPAA training. If you need a refresher about how HIPAA works for your practice, check out this list of dental HIPAA compliance questions. 

Dental Website Security 101

It is the responsibility of the covered entity (your practice–not your web developer) to ensure that a website is HIPAA-compliant. Knowing the HIPAA website requirements is the first step to protecting your practice and your patients. 


If your website collects, transmits, or stores any type of PHI then it must be compliant. 

Collecting PHI

These HIPAA-compliant website suggestions for dentists can help you navigate your next steps. For example, collecting PHI is a very common function for dental websites. You might be collecting PHI if you use any of the following: 


Patient Portals

Contact Forms
Live Chat
Online Patient Forms
Plugins

Remember: Everything those forms and widgets collect must be encrypted in transit (sent over HTTPS) and at rest (encrypted storage), and the submission must not be forwarded to a plain email inbox, which is a common way a “secure” contact form quietly leaks PHI.

Transmitting PHI

The risk here is not the server’s disk but the wire: a form submission can be read or altered on its way from the visitor’s browser to your server if it travels unencrypted. HIPAA’s Security Rule requires transmission security for ePHI but does not name a protocol version; HHS points to NIST guidance, and NIST SP 800-52 Rev. 2 sets TLS 1.2 as the floor and recommends TLS 1.3. TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer), and its job is to authenticate your server to the browser and encrypt the data in both directions. In practice: configure your web server to accept only TLS 1.2 and 1.3, redirect every http:// request to https://, and make sure each form, chat widget, and plugin posts to an https:// endpoint rather than to a plain-HTTP address or an email address. Software and plugins advertised as compliant only help if they are actually configured that way. 
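Two checks that back up the points made about https:// (Technical Terms), encrypted forms (Collecting PHI), and TLS versions (Transmitting PHI). This is an added example written for this page, not code from the article’s author or from any vendor it mentions. audit_forms parses a page’s HTML and flags any form whose action posts over plain HTTP, uses GET, points at a mailto: address, or hands the data to a different host (which would need a BAA); hardened_client_context and the two probe functions report what TLS version a server actually negotiates and whether it still accepts TLS 1.0/1.1. The sample HTML and the example-dental.test host names are constructed for the example.

```python
"""Checks for a practice website's forms and TLS settings.

Added example for this article, not code from its author or any vendor it
names. The HTML sample and the host names in it are constructed.
"""
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a contact page served over HTTPS with four forms.
SAMPLE_PAGE_URL = "https://example-dental.test/contact"
SAMPLE_HTML = """
<html><body>
<form action="https://forms.example-dental.test/new-patient" method="post">
  <input name="dob"></form>
<form action="mailto:frontdesk@example-dental.test" method="post">
  <textarea name="symptoms"></textarea></form>
<form action="http://example-dental.test/contact" method="get">
  <input name="insurance_id"></form>
<form method="post"><input name="name"></form>
</body></html>
"""

ISSUE_TEXT = {
    "mailto": "submits via mailto:, so the PHI leaves in an unencrypted email",
    "plain_http": "submits over plain HTTP, readable on the wire",
    "get_method": "uses GET, so field values land in URLs, server logs and browser history",
    "third_party": "posts to another host, which receives PHI and therefore needs a BAA",
}


class _FormCollector(HTMLParser):
    """Records (action, method) for every <form> tag on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attrs = {k.lower(): (v or "") for k, v in attrs}
            method = (attrs.get("method") or "get").upper()
            self.forms.append((attrs.get("action", ""), method))


def audit_forms(html, page_url):
    """Return (action, issue_code) pairs for forms that could move PHI unsafely.

    A page can be served over https:// and still leak: what matters is where
    each form sends its data, not what the address bar shows.
    """
    collector = _FormCollector()
    collector.feed(html)
    page = urlparse(page_url)
    findings = []
    for action, method in collector.forms:
        # urljoin resolves relative actions against the page and leaves
        # absolute ones (including mailto:) untouched; "" means the page itself.
        target = urlparse(urljoin(page_url, action))
        if target.scheme == "mailto":
            findings.append((action, "mailto"))
            continue
        if target.scheme != "https":
            findings.append((action, "plain_http"))
        if method == "GET":
            findings.append((action, "get_method"))
        if target.netloc and target.netloc != page.netloc:
            findings.append((action, "third_party"))
    return findings


def hardened_client_context():
    """Client context that will not negotiate below TLS 1.2 (NIST SP 800-52r2 floor)."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiated_tls_version(host, port=443, timeout=5.0):
    """Connect with the hardened context and report the version the server chose.

    Needs network access. Raises ssl.SSLError if the server cannot do TLS 1.2+.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with hardened_client_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def accepts_legacy_tls(host, port=443, timeout=5.0):
    """True if the server still completes a TLS 1.0 or 1.1 handshake (it should not).

    Needs network access. Certificate checks are off here because the only
    question is whether the legacy protocol versions are enabled.
    """
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    legacy.check_hostname = False
    legacy.verify_mode = ssl.CERT_NONE
    legacy.minimum_version = ssl.TLSVersion.TLSv1
    legacy.maximum_version = ssl.TLSVersion.TLSv1_1
    legacy.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 offers TLS 1.0/1.1 only at level 0
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with legacy.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for action, code in audit_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{action or '(this page)'}: {ISSUE_TEXT[code]}")
```

Run against the constructed sample, audit_forms flags the mailto: form, both problems with the plain-HTTP GET form, and the form that posts to the separate forms host; the form with no action (it posts back to the HTTPS page itself) is clean. Point negotiated_tls_version and accepts_legacy_tls at your own domain: the first should answer TLSv1.2 or TLSv1.3, the second should be False.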

Storing PHI

So if you’re collecting PHI, where are you storing it? Common places might be your in-office computer, your hosting company, or a third-party server. If you don’t know where it is, find out. 


Most trustworthy website hosting companies will provide good baseline security for your website, but that does not make them HIPAA compliant, and it does not make you compliant: you still need a BAA with them, and you need to know that stored PHI is encrypted. HIPAA does not dictate a specific algorithm or key length. HHS’s guidance on what counts as “secured” PHI defers to NIST standards, and in practice that means AES for data at rest (AES-256 is the common choice; 128-bit keys are also acceptable under NIST), with the encryption keys kept somewhere other than next to the data. This matters beyond the checkbox: under that HHS guidance, PHI that was properly encrypted and whose key was not exposed is not treated as unsecured PHI, which changes what you owe after a breach. 


For more help, check out this dental guide to HIPAA-compliant websites

HIPAA Website Compliance Checklist

Beyond the technical security measures required to protect your patients’ PHI, you should be familiar with the additional steps needed to keep your practice HIPAA-compliant online. Whether you’re on social media or building a website, run through these items to stay compliant. 

Clearly State Your Privacy Practices

HIPAA requires that you clearly state how you (the covered entity) intend to use, store, and disclose PHI. This notice also states patients’ legal rights to this information. 


The Privacy Rule (45 CFR 164.520(c)(3)) also requires a practice that has a website describing its services to post its Notice of Privacy Practices (NPP) prominently on that site, not hidden on a back page or in minuscule footnotes. 


The best practice would be to get a link directly to your NPP on your homepage in clear and bold print. Alternatively, it could be in the footer of every page on your website. 

Always Get Patient Consent

Obviously, you need the patient’s written permission any time you plan to share PHI for something other than treatment, payment, or running the practice, and that includes patient photos, testimonials, and reviews on your website or social media. HIPAA calls this document an authorization, even though most offices call it a consent form, and the Privacy Rule (45 CFR 164.508) spells out what it must contain. A blanket form signed at the first visit is weaker than a fresh, specific one signed for each thing you want to publish. What goes into a HIPAA authorization form?  


Consent recorded in writing, signed, and dated

Statement of who is involved: what information may be shared, who may share it, and who may receive it
Explanation of the purpose of the sharing
Clear expiration date, or expiration event, for the authorization
Information about the patient’s right to revoke the authorization in writing

Positive patient experiences can be some of your greatest marketing tools, so don’t let HIPAA deter you from sharing online. Review these HIPAA-compliant website suggestions for dentists to learn how to successfully share information online. 

Get a BAA in Place with Third Party Vendors

Any time you work with an outside business that creates, receives, stores, or transmits PHI on your behalf, but is not part of your workforce, you need a signed BAA (Business Associate Agreement) with them before they touch the data. The BAA spells out what they may do with the PHI, the safeguards they must maintain, and their duty to report incidents to you. Business associates are also directly liable under HIPAA for their own failures, but the agreement itself is your obligation, and a missing BAA is a violation on your side. 


Examples of business associates would be:

Collection agencies
IT companies
Marketing consultants
Transcription services
Practice management software
Accounting companies
Hosting services

Safely Share Photos and Reviews

HIPAA compliance isn’t just about what you do with the information you’re given; it also covers how you communicate online. Take a look at how this practice paid $23,000 to settle with HHS after responding to Yelp reviews with patient details.


Whether the review is positive or negative, you cannot disclose PHI when responding to patient comments or reviews online. This means you cannot confirm that they are, in fact, a patient at your practice if it’s not explicitly stated in the review. 


You are also in violation if you post a photo that identifies a patient, even one standing in the background of a team shot, without that patient’s authorization. Be diligent in how you evaluate and share images and information online. 


The most common dental HIPAA compliance violations are often accidental—don’t let comments or photos online be one of them. 

Use Social Media Wisely

Dental professionals can have a lot of fun online with social media marketing. It’s a great space to connect and engage with your community, as well as show off your work and personality. Unfortunately, you can quickly run into HIPAA violations if you aren’t careful, and it will bring your efforts to a halt. 

Prospective patients love seeing other people’s experiences and results before they make a decision about a dentist. Use social media to give them that behind-the-scenes look at what to expect at your practice, but use common sense to avoid a HIPAA violation. 

Create A Social Media Policy For You And Your Team

Make sure whoever is in charge of your social media understands the responsibilities of staying HIPAA-compliant online. This includes the way they respond to comments and making sure they don’t inadvertently share identifiable information about a patient without their consent. We highly recommend you check out this great resource for HIPAA compliance training with your team. 


One of our pro tips for success is to restrict access to your social media channels to a handful of people in your practice and make sure those select few have the proper training. 

Stay HIPAA Compliant Online

Once you have a clear understanding of how HIPAA is relevant to dental website design and online presence, you can confidently build your brand’s reputation and grow your practice. If you want more support, learn how to choose a dental marketing company to help with HIPAA compliance websites and you can rest easy that your practice and PHI are always protected.  


©2025 Dentaltown, a division of Farran Media • All Rights Reserved