HIPAA and eCommerce: What You Need to Know

HIPAA Compliant eCommerce

HIPAA compliant eCommerce requires several measures to be in place to preserve the privacy and security of protected health information (PHI). PHI, such as a patient’s name, address, email address, and payment information, are likely things you require a purchaser to input into your store platform before they can make a purchase. If this information is connected to treatment, payment, or healthcare operations, it is considered PHI.

There are certain things to look for to make sure your eCommerce platform is HIPAA compliant.

1. End-to-end encryption (E2EE)
2. SSL certificate
3. Access controls, user authentication, audit logging
4. Data backup
5. Business associate agreement (BAA)

End-to-end Encryption

Any software you use to run your business should have end-to-end encryption (E2EE). E2EE protects data in transit and at rest. This prevents unauthorized parties from accessing data as it is transferred from one system to another.

SSL Certificate

Have you ever noticed that many websites display “HTTPS” in their URLs? These websites have an SSL certificate. SSL certificates provide an additional layer of security to your website, enabling an encrypted connection and preventing attackers from making a fake version of your site.

Access Controls, User Authentication, Audit Logging

Access controls limit who can access your data. Your employees should have different levels of access based on their job roles. The platform must also have a means of user authentication. User authentication ensures that users that access the platform are who they appear to be. Using two-factor authentication is an effective way to do this. What is two-factor authentication? It uses two forms of unique login credentials to access information. This can be a username and password in combination with a security question or a one-time PIN.

Audit logging tracks who accesses data and when they access it. Audit logging is essential to the quick detection of both internal and external breaches.

Data Backup

Data backup is an essential part of any HIPAA compliant eCommerce business. Implementing a data backup plan prevents you from losing important information if you are breached. An effective data backup plan enables you to recover quickly if your data is destroyed or stolen.

Business Associate Agreement

Business associate agreements are a crucial determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant if it will not sign a business associate agreement (BAA). 

Why? 

A BAA is a legal agreement that requires each signing party to be HIPAA compliant and be responsible for maintaining compliance. As such, a BAA limits the liability for both signing parties in case of a breach or OCR audit, as only the negligent party would be held culpable. 

HIPAA Compliant eCommerce Platforms

How can you find a HIPAA compliant eCommerce platform? Look for the security measures mentioned above, and have a signed BAA with the platform provider. However, even if an eCommerce site won’t sign a BAA, its platform may still be able to be used with a HIPAA compliant web hosting service.

Popular eCommerce platforms such as Shopify and Bluehost are not inherently HIPAA compliant but can still be used with specific workarounds. 

For HIPAA compliant eCommerce using a noncompliant platform, businesses can use a web hosting provider so that no PHI goes through the eCommerce platform. The store purchaser’s data would be stored on the web server rather than in the eCommerce platform. The form the purchaser uses to input their data must also be connected to the secure private web server so that PHI is never entered into the eCommerce platform.

Some examples of HIPAA compliant web hosting services include:

• Amazon Web Services
• Microsoft Azure
• Google Cloud