HIPAA Compliance

What is HIPAA Compliance?

HIPAA Compliance refers to the practices and procedures that businesses must adopt in order to comply with the Health Insurance Portability and Accountability Act (HIPAA). This law outlines the rights of individuals to retain control over their health information and prohibits its unauthorized disclosure and dissemination.

Who needs to be HIPAA compliant?

Companies that operate within the medical sector, such as private practices, dentists, plastic surgeons, chiropractors, and other healthcare providers, have an obligation to ensure their websites are HIPAA compliant. In addition, many other businesses fall under HIPAA regulations. As a digital marketing agency, we work with our clients to safeguard all protected health information (PHI) in accordance with HIPAA regulations. Some examples of PHI include names, dates of birth, addresses, phone numbers, insurance ID numbers, Social Security numbers, and full-face photographs.

You may need to evaluate your business for compliance if any of the following apply:

  • Users can submit PHI through forms on your website
  • Your website records and stores PHI
  • Your website transmits PHI to another company or individual

Examples of HIPAA Compliance Practices

Below, we’re sharing some examples of business practices designed to ensure HIPAA compliance. Please note, this list cannot be considered comprehensive and should not be interpreted as legal advice.

  1. In general, all information collected through your website must be encrypted. This includes form submissions, appointment requests, chat correspondence, and contact forms. A variety of HIPAA-compliant CRM services are available that can handle this encryption for you.
  2. All data should be stored on an encrypted server. Your website should also use TLS (still commonly referred to as SSL), the protocol behind HTTPS, so that PHI is encrypted in transit between the visitor's browser and your server rather than sent in the clear.
  3. PHI cannot be used to create digital ads, email campaigns, or print marketing materials without the explicit permission of the individual being referenced. This means that names and photos cannot be used for testimonials or marketing without authorization.
  4. Staff members must be educated on the proper handling of PHI. They must not take any photos or share any documents that could expose PHI. Furthermore, they cannot share any information over personal or corporate social media that could contain PHI.
  5. Ultimately, your business is responsible for the secure handling of PHI when working with third-party vendors and services. Marketing firms, consultants, and other providers that handle PHI on your behalf must sign business associate agreements (BAAs) to ensure HIPAA compliance.