Is Your Website in Compliance With HIPAA?
by Olivia Wann, JD
Most practices maintain a website. According to the Office for Civil Rights (OCR), if you maintain a website, you are required to make your Notice of Privacy Practices (NPP) available on it. According to 45 CFR 164.520(c)(3), "(i) A covered entity that maintains a web site that provides information about the covered entity's customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site."
If you have a run-in with a HIPAA violation, don't be surprised if the OCR peruses your website. They will want evidence that the Notice of Privacy Practices (NPP) and the required contact information are posted.
The NPP must designate who the HIPAA Compliance Officer is. This person receives complaints and provides additional information. Is your NPP current? Are the HIPAA Compliance Officer's name and contact information current, such as the name and practice telephone number?
These are two very basic requirements and trust me, it comes up.
If you are collecting protected health information (PHI) through your website, this is another potentially serious issue. You must consult your webmaster about encrypting that data both in transit and at rest to prevent a breach.