Access Controls, User Authentication, Audit Logging
Access controls limit who can access your data. Your employees should have different levels of access based on their job roles. The platform must also have a means of user authentication. User authentication ensures that users who access the platform are who they claim to be. Using two-factor authentication is an effective way to do this. What is two-factor authentication? It requires two forms of unique login credentials to access information. This can be a username and password in combination with a security question or a one-time PIN.
Audit logging tracks who accesses data and when they access it. Audit logging is essential to the quick detection of both internal and external breaches.
Data Backup
Data backup is an essential part of any HIPAA compliant eCommerce business. Implementing a data backup plan prevents you from losing important information if you are breached. An effective data backup plan enables you to recover quickly if your data is destroyed or stolen.
Business Associate Agreement
Business associate agreements are a crucial determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant if it will not sign a business associate agreement (BAA).
A BAA is a legal agreement that requires each signing party to be HIPAA compliant and be responsible for maintaining compliance. As such, a BAA limits the liability for both signing parties in case of a breach or OCR audit, as only the negligent party would be held culpable.
HIPAA Compliant eCommerce Platforms
How can you find a HIPAA compliant eCommerce platform? Look for the security measures mentioned above, and have a signed BAA with the platform provider. However, even if an eCommerce site won’t sign a BAA, its platform may still be usable together with a HIPAA compliant web hosting service.
Popular eCommerce platforms such as Shopify and Bluehost are not inherently HIPAA compliant but can still be used with specific workarounds.
For HIPAA compliant eCommerce using a noncompliant platform, businesses can use a separate HIPAA compliant web hosting provider so that no PHI goes through the eCommerce platform. The store purchaser’s data is stored on that web server rather than in the eCommerce platform. The form the purchaser uses to input their data must also be connected to the secure private web server, so that PHI is never entered into the eCommerce platform.
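The split described above, shown as an added Python example that is not code from this article or from any real platform. The field names, the in-memory `PrivateServer`, and the audit record format are all constructed for illustration; the point is that PHI fields are routed only to the private server, every access is audit logged, and any field not explicitly classified is refused rather than forwarded.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed classification of checkout fields (assumed for this example).
# PHI stays on the private HIPAA-hosted server; only order fields reach the storefront.
PHI_FIELDS = {"patient_name", "date_of_birth", "prescription", "diagnosis"}
NON_PHI_FIELDS = {"order_id", "sku", "quantity"}


@dataclass
class PrivateServer:
    """Stand-in for the HIPAA compliant web server that holds PHI."""
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def store(self, order_id: str, phi: dict, user: str) -> None:
        self.records[order_id] = phi
        # Audit logging: who touched which record, and when.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": "store_phi",
            "order_id": order_id,
        })


def split_checkout(form: dict) -> tuple[dict, dict]:
    """Return (platform_payload, phi_payload) for one submitted checkout form.

    Deny by default: a field that is neither known PHI nor known non-PHI is
    rejected, so a newly added form field cannot silently leak into the platform.
    """
    platform, phi = {}, {}
    for key, value in form.items():
        if key in PHI_FIELDS:
            phi[key] = value
        elif key in NON_PHI_FIELDS:
            platform[key] = value
        else:
            raise ValueError(f"unclassified field {key!r}: refusing to forward")
    return platform, phi


def process_checkout(form: dict, server: PrivateServer, user: str) -> dict:
    """Store PHI on the private server; return only what the eCommerce platform may see."""
    platform_payload, phi_payload = split_checkout(form)
    server.store(form["order_id"], phi_payload, user)
    # Defensive check: the platform payload must never contain a PHI field.
    assert not (PHI_FIELDS & platform_payload.keys())
    return platform_payload
```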
Some examples of HIPAA compliant web hosting services include: