We are sometimes asked if a website is HIPAA compliant. Please note that we are not attorneys and can not provide legal advice. You should seek the services of an attorney specializing in HIPAA law and applicable state laws for guidance regarding your specific practice.
HIPAA compliance in very similar to OSHA compliance for a Dental Practice. It is the responsibility of the practice to be familiar with the laws and ensure that they are in compliance with the most current version of the laws and that they communicate with their web company regarding the information that should be posted and/or updated on the site when practice policies change. States may also have specific laws that must be adhered to as well. Your web company will not be aware, for example, when you have a staff change that affects who is acting as the HIPAA Civil Rights Coordinator for the practice. It is the responsibility of the practice to communicate this information so that the web company can update your Dental website as appropriate when these changes take place.
When working with your web company on developing your dental website please be sure to include the following information:
A copy of your HIPAA Policy Statement in an electronic format that is computer-readable, not a scanned copy of the document.
The following HIPAA Practice Contact Information
HIPAA Civil Rights Coordinator
HIPAA Civil Rights Coordinator Title
State Policies (if required)
A copy of any privacy statements specific to your state.
Any additional information required by HIPAA or your state.
If any other documentation is required it should be forwarded to your web developer.
Please keep in mind that these documents are required by law for your office independent of your website, so they are the responsibility of the practice. Once you provide the above items to your dental website developer they can add them to your website.
Collection of PHI (Protected Health Information)
If you wish to collect PHI data using your website, such as a new patient registration form, you should only do so using HIPAA compliant forms. There are a number of companies that specialize in creating HIPAA compliant forms. If this is something you are interested in adding to a site that we are developing for you, please contact us and we can provide contact information for companies that offer HIPAA compliant forms.
Email and HIPAA compliance
We always recommend that a practice uses HIPAA secure email with encryption. We can provide you with the names and contact information for some companies that offer encrypted email services. This is another area where it is important to have specific practice policies in place and to ensure that all employees are properly trained to follow the HIPAA laws as well as any specific states laws regarding health information. The ongoing daily activities of the staff and how they work within the policies of the practice will impact whether the practice is HIPAA compliant just as the proper following of the OSHA laws will dictate from moment to moment whether the office is OSHA compliant.
For further reference, the ADA and the government both provide additional information on HIPAA. You can read more on these topics using the following links.
In summary, a website itself is not HIPAA compliant, the practice must be. It is up to the dental practice to comply with HIPAA and state laws and communicate the appropriate information to their web developers for inclusion on the practice website.
This article does not constitute legal advice and is for informational purposes only. You should seek the services of an attorney specializing in HIPAA law and applicable state laws for guidance regarding your specific practice.