
HIPAA Compliant Websites Require SSL/TLS Certificate


A website that collects, stores, or transmits ePHI without an SSL/TLS certificate (and thus runs on unencrypted HTTP) would almost certainly be found to be in violation of HIPAA’s security standards. The HIPAA Security Rule requires covered entities and business associates to protect the confidentiality, integrity, and availability of ePHI. While HIPAA does not explicitly mention “SSL certificates,” it mandates the implementation of mechanisms to encrypt ePHI when it is being transmitted over open networks (an “addressable” implementation specification).

Why an SSL/TLS certificate is essential for compliance

  • Data in Transit Encryption: An SSL/TLS certificate enables the use of HTTPS, which encrypts the connection between a user’s browser and the web server. This is the standard method for ensuring that data (such as information submitted through a contact form, patient portal login credentials, or medical history) remains private and cannot be intercepted by unauthorized parties during transmission.
  • Industry Standard: National Institute of Standards and Technology (NIST) guidelines, which HIPAA points to as the benchmark for compliance, recommend Transport Layer Security (TLS), the modern successor to SSL, at version 1.2 or higher for web-based communications.
  • Risk Assessment: Because encryption is an addressable safeguard, an organization can choose an alternative if encryption is deemed unreasonable or inappropriate after a thorough risk assessment. However, with the current threat landscape, failing to use encryption without a secure alternative that offers equivalent protection (which is difficult to achieve) is highly likely to be considered a violation by regulators in the event of a breach.

In practice, a website that collects, stores, or transmits ePHI without an SSL/TLS certificate (and thus runs on unencrypted HTTP) would almost certainly be found to be in violation of HIPAA’s security standards. All PatientGain websites provided for customers include an SSL/TLS certificate.
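The bullets above set two concrete, checkable expectations for a site handling ePHI: the connection is HTTPS with a valid certificate, and the negotiated protocol is TLS 1.2 or higher (the NIST guidance the page refers to is published as NIST SP 800-52 Rev. 2). The following Python script is an added example, not code from the page or from PatientGain. It uses only the standard library, builds a client context that enforces that baseline, shows the permissive context it replaces, and audits a live endpoint by connecting with the hardened context and reporting the protocol, cipher and certificate expiry. The hostname passed to `audit_endpoint()` and the `example.com` default are assumptions for illustration, not values from the page.

```python
# Added example (not from the PatientGain page): audit helpers for the
# TLS-in-transit requirement. Standard library only. The hostname given to
# audit_endpoint() is whatever site you are assessing (an assumption, not a
# value from the page).
import socket
import ssl
from datetime import datetime, timezone

# Baseline the page attributes to NIST guidance: TLS 1.2 or higher.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses pre-1.2 TLS and verifies the server cert."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = MIN_TLS
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The kind of permissive context still found in older integrations:
    certificate validation switched off, so any interposed host is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_baseline(ctx: ssl.SSLContext) -> bool:
    """True only if the context enforces TLS >= 1.2 AND full verification."""
    return (
        ctx.minimum_version >= MIN_TLS
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


def version_meets_baseline(negotiated: str) -> bool:
    """Classify a protocol string as reported by SSLSocket.version()."""
    return negotiated in ("TLSv1.2", "TLSv1.3")


def audit_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what the server offered.
    A handshake failure here (ssl.SSLError) means the server could not
    satisfy TLS 1.2+ with a valid, hostname-matching certificate."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            not_after = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
            )
            return {
                "host": host,
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "meets_baseline": version_meets_baseline(tls.version()),
                "cert_expires": not_after.isoformat(),
                "days_until_expiry": (not_after - datetime.now(timezone.utc)).days,
            }


if __name__ == "__main__":
    import sys
    # Hypothetical target; pass your own hostname on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(audit_endpoint(target))
```

Run it as `python audit_tls.py portal.example` (hypothetical filename and host). A clean result with `"meets_baseline": True` and a comfortable `days_until_expiry` is the evidence a risk assessment would record for the in-transit safeguard; an `ssl.SSLError` on connect is itself a finding, because the hardened context only fails when the server cannot present a verifiable certificate over TLS 1.2 or better.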
