Several recently exposed healthcare organizations' reported use of the Facebook MetaPixel has raised eyebrows, given that using the MetaPixel can be a HIPAA violation when it collects patient information. Since Facebook unabashedly shares data with advertisers, MetaPixel is not HIPAA compliant.
While professionals can’t use Facebook MetaPixel on their websites, well-constructed, public-facing websites can be used to accommodate patients and clients with a full range of needs. How can one be sure that a website is HIPAA-compliant?
Do Websites Need to be HIPAA-Compliant?
Before going through the process of making a website HIPAA compliant, one should first ask these questions:
- Is protected health information (PHI) being transferred through the website?
- Is PHI being backed up on a server connected to the website?
- Is PHI being collected directly on the website?
If the answer to any of these questions is yes, the website must be HIPAA compliant.
Creating a HIPAA Compliant Website
The first step in creating a HIPAA-compliant website is finding a HIPAA-compliant web hosting service.
What to look for:
- Does the web hosting service provide safeguards to secure data?
- Will the provider sign a business associate agreement (BAA)?
Many popular web hosting services such as WordPress and GoDaddy are not HIPAA compliant, as they will not sign business associate agreements (BAAs). However, providers such as Amazon Web Services (AWS) and Microsoft Azure are HIPAA compliant with signed BAAs and proper use.
The next step is ensuring that the service used to back up any website data is HIPAA compliant. Like a web hosting service, any data backup provider must have adequate safeguards and sign a BAA. Microsoft OneDrive and Google Drive are popular cloud storage providers that can be HIPAA compliant with proper configuration and a signed BAA.
HIPAA Compliant Website Tools
Using advertising tools to collect patient data without authorization is a HIPAA violation. While advertising tools such as Facebook MetaPixel cannot be used to collect patient data, other website tools can help to run healthcare practices efficiently and more conveniently. Such tools include online appointment schedulers, chat services, help desks, and encrypted web forms. To avoid a HIPAA violation, each add-on must be HIPAA compliant and make available a signed BAA.
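One practical way to act on the point above is to audit each page of a practice's website for advertising trackers and unvetted third-party scripts, giving extra weight to pages that collect data through a form. The following is an added example, not code from the article or from the Compliancy Group. It recognises the Meta Pixel by the public script host and initialisation call its standard snippet uses; the signature list, the site hostname `clinic.example`, the sample pages and the placeholder pixel ID are all constructed for the demonstration.

```python
"""Audit page HTML for advertising trackers and unvetted third-party scripts.

Added example (not from the article). Sample pages below are constructed;
the pixel ID in them is a placeholder, not a real identifier.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Signatures of known advertising trackers: the public script host and the
# inline initialisation call used by the Meta Pixel snippet. The list is an
# assumption for this example; extend it with other vendors you audit for.
TRACKER_SIGNATURES = {
    "Meta Pixel": [
        r"connect\.facebook\.net/[^'\"\s]*fbevents\.js",
        r"\bfbq\s*\(\s*['\"]init['\"]",
    ],
}


class _PageScanner(HTMLParser):
    """Collect external script sources, inline script bodies, and form presence."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline_scripts = []
        self.has_form = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "form":
            self.has_form = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


def _is_first_party(src, site_host):
    host = urlparse(src).hostname
    return host is None or host == site_host or host.endswith("." + site_host)


def audit_page(html, site_host):
    """Return known trackers found, other third-party scripts, whether the page
    collects data via a form, and a coarse risk rating for the HIPAA review."""
    scanner = _PageScanner()
    scanner.feed(html)
    blob = "\n".join(scanner.script_srcs + scanner.inline_scripts)

    trackers = sorted(
        name for name, patterns in TRACKER_SIGNATURES.items()
        if any(re.search(p, blob) for p in patterns)
    )
    known = [p for ps in TRACKER_SIGNATURES.values() for p in ps]
    unknown_third_party = sorted(
        src for src in scanner.script_srcs
        if not _is_first_party(src, site_host)
        and not any(re.search(p, src) for p in known)
    )
    if trackers and scanner.has_form:
        risk = "high"      # ad tracker on a page that takes patient input
    elif trackers:
        risk = "medium"    # tracker present; visited URL/title can still leak
    elif unknown_third_party:
        risk = "review"    # unvetted vendor add-on: confirm it has a signed BAA
    else:
        risk = "none"
    return {"trackers": trackers, "unknown_third_party": unknown_third_party,
            "collects_data": scanner.has_form, "risk": risk}


# Constructed sample pages. The pixel loader line is abbreviated; the ID is a placeholder.
INTAKE_PAGE = """<html><head>
<script src="/assets/app.js"></script>
<script>
(function(){var s=document.createElement('script');s.async=true;
s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);})();
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script></head><body>
<form action="/intake" method="post"><input name="symptoms"></form>
</body></html>"""

SCHEDULER_PAGE = """<html><head>
<script src="https://widget.scheduler-vendor.example/embed.js"></script>
</head><body><form action="/book" method="post"><input name="phone"></form></body></html>"""

CLEAN_PAGE = """<html><head>
<script src="https://cdn.clinic.example/app.js"></script>
</head><body><p>Office hours</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("intake", INTAKE_PAGE), ("scheduler", SCHEDULER_PAGE), ("clean", CLEAN_PAGE)):
        print(name, audit_page(page, "clinic.example"))
```

Run it against each page of the public site (or feed it saved HTML); a `high` finding is the MetaPixel-on-an-intake-form case the article describes, and a `review` finding is a vendor add-on (scheduler, chat, help desk, form) whose BAA status should be confirmed before it stays on the site.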
This Article is Contributed by the HIPAA Compliancy Group