Medical professionals are required by U.S. law to protect sensitive patient information. The Health Insurance Portability and Accountability Act of 1996, perhaps best known as HIPAA, is a federal law that created national standards to protect patients’ information. This means medical professionals cannot disclose a patient’s health information without their patient’s consent or knowledge.
This sounds simple enough in theory, but in practice, with today’s digital age and ease of information access, it’s much easier to be in violation of HIPAA. Websites are one place where medical clinics may fall short of HIPAA’s guidelines.
OppGen Marketing is a HIPAA-trained digital marketing agency that has built landing pages and websites for medical clinics just like yours. Contact us to learn more about how we build sites that follow HIPAA guidelines.
What is Protected Health Information?
Protected health information, or PHI, is medical information that can be personally identifiable or financial information. For example:
- Demographic or genetic information related to health or medical treatments
- An individual’s physical or mental condition or information that can relate to either of those conditions
- Medical or healthcare-related financial information, such as payments
If your medical clinic website collects, stores, or transmits PHI and does not take security measures to secure that information, you may be violating HIPAA.
To learn more about websites and HIPAA, contact us today.
Types of Potential HIPAA Violations, Explained
Collecting Protected Health Information
PHI collection through websites is more common than you may think. Here are some of the most common ways websites collect PHI:
- Contact forms asking about symptoms, medical services, medications, or health-related information
- Online patient forms
- Live chats
- Patient portals
- Patient reviews and testimonials
Storing Protected Health Information
If you’re collecting PHI through your website, you should know how, where, and if you are storing that information. HIPAA requires medical clinics and other healthcare organizations that store PHI to take reasonable protective measures of that stored data.
Transmitting Protected Health Information
PHI can be transmitted via:
- Web forms
- Live chats
- Texts
- Other kinds of digital messaging services
If your medical clinic works with vendors or service providers that have access to PHI, be sure to create a business associate contract to ensure they’re meeting HIPAA guidelines. Examples of these service providers or vendors may include:
- Consultants
- Digital marketing firms
- Accountants
- Web hosting providers
- Partners with access to PHI data you collect and store
What Happens if Your Medical Clinic’s Website Violates HIPAA?
If your website violates HIPAA, your medical clinic will be penalized. In some cases, HIPAA violations are resolved with non-punitive measures, such as training to help prevent further HIPAA violations.
However, for more serious violations, violations that have persisted for a long time, or multiple areas of failing to comply with HIPAA, financial penalties may be selected instead.
HIPAA has a 4-tier penalty structure:
- Tier 1: Violations that your medical clinic was unaware of and could not have avoided, while taking a reasonable amount of care to abide by HIPAA. The financial penalty for a Tier 1 violation is a minimum fine of $117 per violation, up to $58,490, with an annual maximum penalty of $1,754,698.
- Tier 2: Violations that your medical clinic should have been aware of but could not have avoided, even with a reasonable amount of care. Essentially, Tier 2 penalties includes medical clinics and other healthcare organizations that fall short of willful neglect. The Tier 2 financial penalty is a minimum fine of $1,170 per violation, up to $58,490, with an annual maximum penalty of $1,754,698.
- Tier 3: Violations that occurred as a direct result of willful neglect, but there was an attempt to correct the violation. The Tier 3 financial penalty is a minimum fine of $11,698 per violation, up to $58,490, with an annual maximum penalty of $1,754,698.
- Tier 4: Violations that occurred due to willful neglect while there was no attempt made to correct the violations. The Tier 4 financial penalty is a minimum fine of $58,490 per violation, up to $1,754,698.
How Can You Make Sure Your Medical Clinic’s Website is Following HIPAA Compliance Guidelines?
HIPAA violations can happen, even accidentally — the key to avoiding these violations is to take the utmost care to protect your patients’ PHI. You can do this by doing the following:
- Purchasing and implementing an SSL certificate
- Encrypting all web forms on your medical clinic’s website
- Sending emails only through encrypted servers
- Partnering with HIPAA-compliant web hosting companies
- Creating and signing contracts with third-parties that have access to PHI
- Allowing PHI to be accessible only to authorized individuals
- Establishing procedures to delete, backup, and restore PHI as needed
Partner With a HIPAA-Trained Digital Marketing Agency
OppGen is a HIPAA-trained digital marketing agency that specializes in creating customized digital marketing strategies for the medical industry. Part of those strategies often includes creating encrypted, secure websites and marketing strategies that follow HIPAA compliance guidelines.
To find out if your medical clinic’s website is following HIPAA compliance guidelines, fill out our free digital audit. We’ll review your current marketing strategy, online presence, and determine how you can better protect your patients’ valuable data from accidental or malicious incidents.
Contact us today for more information. We look forward to hearing from you soon!
