The HIPAA Security Rule takes these standards a step forward by outlining parameters for the use of electronic PHI (ePHI), which includes all PHI that is stored or accessed electronically. HIPAA-beholden organizations such as covered entities and business associates must uphold strict policies and procedures to ensure that ePHI is being protected.
How to Make Web-Forms HIPAA Compliant
Some of the more popular web-forms on the market include JotForm, Ninja Forms, WuFoo, Gravity Forms, and Contact Form 7. Several of these forms are WordPress plug-ins and extensions that allow users to place web-forms directly onto their site.
So the question becomes: is there any way to use web-forms without breaching HIPAA regulation?
The answer is two-fold. Most times, you won’t find HIPAA compliant online forms, but you can use these services in a manner that conforms to HIPAA regulation.
If you find an online form that is not HIPAA compliant, follow these steps to secure the data that you’re taking in:
- First and foremost: ask your web-form service if they’ll sign a business associate agreement to legally protect your patients’ data.
- If the service allows, make sure that you’re creating encrypted forms. Encryption allows you to keep data more secure. Encrypted web-forms will guard any data entered into them so that they can only be accessed by entering a key. Like any security safeguards, there are different levels of protection depending on the type of encryption in use. Remember that end-to-end encryption is the most secure and should be your preferred choice.
- If your web-form service offers email notifications, make sure that the emails aren’t making use of sensitive data entered by patients or clients. For example, if your web-form automatically notifies the system administrator of all new entries by email, ensure that these notifications don’t include any PHI. Your administrator can then log-on to the service and manually check the data.
- If your web-form service offers composite reports of data, ensure that these reports are guarded by a strong password.
- Regularly download encrypted data, store it on a secure internal server, and then delete the data from the web-form’s servers.
- Always logout of your web-form service when you’ve completed your session.
Keep in mind that, without a business associate agreement in place, your web-form still might not be HIPAA-compliant. Depending on the nature of the information being entered and by whom, you may need to consult a HIPAA subject-matter expert for further guidance on the particular needs of your organization.
By implementing these important privacy and security measures when addressing HIPAA for web-forms, you’re making a step toward protecting patients’ PHI.
To protect your hard-fought reputation and your patients’ rights to privacy, look into a total HIPAA compliance solution for your practice or organization. The best way to eliminate the hassle of day-to-day HIPAA challenges is to become confident in your compliance now.