Is HIPAA BAA Required For Healthcare Marketing Websites?
Patient Information Originating From Any Website Must Be Protected In Accordance With HIPAA Regulations
Whether you’ve only recently opened your clinic or medical practice or have owned it for years, it’s important to take the next steps to make your business safe and secure for your patients. It is easy to use web hosting servers and data centers that follow HIPAA standards; however, it is expensive and there are many steps involved. PatientGain.com provides such a service at no extra cost for its GOLD & PLATINUM customers. At PatientGain, our applications run on secure data centers and servers located in the USA. Now that medical records, patient files, etc., are all handled electronically, it is even more important to protect patient information. For these customers, PatientGain provides HIPAA secure storage of Protected Health Information (PHI).
Read more about how HIPAA and secure architecture are implemented here. While Silicon Valley, California is home to PatientGain.com’s headquarters, the company employs a diverse and talented team across the USA, Canada and Asia. Our main office is located in Los Altos, CA. Our servers and data centers are HIPAA compliant and are covered by Amazon’s HIPAA compliance program. You can read more here: https://aws.amazon.com/compliance/hipaa-compliance
HIPAA Compliant PatientGain Apps on Amazon Web Services (AWS)
PatientGain apps are hosted and run on Amazon Web Services (AWS), and our servers are located in the USA. The AWS cloud infrastructure has been architected to be one of the most secure cloud computing environments available.
As well as the security features built into the AWS service, we employ:
– 128-bit SSL encryption for all data transfer on the platform and forms
– Daily backups of all your data, in case anything goes wrong
– Security protocols in all our work premises
What is SSL and Why is SSL Important?
In the world of software engineering, cryptography or cryptology is the practice and study of techniques for secure communication in the presence of third parties called adversaries.
SSL stands for Secure Sockets Layer. This is a protocol used to communicate between two computers and establish a trust relationship. A public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. These keys allow information such as a patient’s PHI or PII to be encrypted and sent over public networks.
This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your patient data, credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate.
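As an added example (not code from PatientGain or from the original page), the following Python script audits a constructed clinic web page for forms whose action would submit patient fields over plain http://, the clear-text path described above; the hostnames and field names are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: three "request an appointment" style forms.
# The first posts over plain HTTP, the second over HTTPS, and the third
# uses a relative action, so it inherits whatever scheme the page itself used.
SAMPLE_HTML = """
<form action="http://forms.example-clinic.test/intake" method="post">
  <input name="patient_name"><input name="date_of_birth">
</form>
<form action="https://forms.example-clinic.test/contact" method="post">
  <input name="email">
</form>
<form action="/appointment" method="post">
  <textarea name="symptoms"></textarea>
</form>
"""

class FormCollector(HTMLParser):
    """Collects each form's action URL and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []       # list of [action, [field names]]
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action", ""), []]
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if a.get("name"):
                self._current[1].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_forms(html, page_url):
    """Return (resolved action, fields) for every form whose submission
    would travel in clear text, i.e. whose action does not resolve to https://."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for action, fields in parser.forms:
        target = urljoin(page_url, action)  # relative actions inherit the page scheme
        if urlsplit(target).scheme != "https":
            findings.append((target, fields))
    return findings

if __name__ == "__main__":
    for target, fields in insecure_forms(SAMPLE_HTML, "http://www.example-clinic.test/contact"):
        print(f"clear-text submission to {target}: fields {fields}")
```

Serving the page itself over HTTPS removes the relative-action finding but not the hard-coded http:// action, which is why both the page URL and each form target need to be checked.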
As a medical practice owner or an administrator, you have determined that you are handling Protected Health Information (PHI) and that you need to be HIPAA compliant. HIPAA compliance is not a “switch” that can be simply turned on. It requires processes and technology in place to address the key requirements for your medical business.
If you have been audited for a HIPAA violation, you may be asked to provide Business Associate Agreements (BAAs) from all your vendors, including your website provider, who may have transported, viewed, stored or handled PHI. As a medical business owner, it is your responsibility to address BAA requirements with all providers of services to your medical practice.
PatientGain provides BAAs for its customers. In order to understand what is covered, let’s review the four major areas of HIPAA regulations and some definitions.
What is a Covered Entity: In HIPAA legal language, a Covered Entity is the medical practice providing services to patients. This would mean your clinic or medical facility.
What is a Business Associate: A business associate is a service provider or a vendor that provides services, technology, websites, software, etc. to the Covered Entity.
What is a Business Associate Agreement (BAA): A BAA is a legal document provided to the Covered Entity that states in detail that the Business Associate has taken the necessary steps, in accordance with HIPAA regulations, to provide security and other measures to protect PHI.
It is important to note that Covered Entities and their Business Associates need to protect the privacy and security of Protected Health Information (PHI). But it gets more complicated when you start to put together a to-do list. Covered Entities are required to apply the appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information. This applies to all forms of PHI. As such, Covered Entities are not permitted to abandon Protected Health Information or dispose of such information in a way that leaves it accessible to the public or to unauthorized individuals. Covered Entities are required to train their workforce on the proper disposal of PHI. It is important to note that under federal standards, the “workforce” includes volunteers. Covered Entities should also determine what steps are reasonable to dispose of PHI while complying with the HIPAA Privacy and Security Rules.
There are four key HIPAA rules:
1. HIPAA Privacy Rule
2. HIPAA Security Rule
3. HIPAA Enforcement Rule
4. HIPAA Breach Notification Rule
As far as action items are concerned, you need to follow the HIPAA Privacy Rule and the HIPAA Security Rule, and you need to provide notification following a breach of unsecured protected health information (the Breach Notification Rule). This article is not a definitive list of what is required for HIPAA compliance; you should assign a Privacy Officer to review each rule in its entirety. This article is intended to point you in the right direction. PatientGain will provide a BAA for your clinic, if requested.
PatientGain apps for healthcare clinics store PHI on secure servers that meet these guidelines. Contact us for more information.