Checklist for HIPAA Compliant Website


Having a website is crucial for every business, including healthcare providers. In fact, almost 93% of business decisions start with an online search. However, some websites, such as those of healthcare providers, must be more cautious and must be HIPAA compliant.

Any medical eCommerce company or practice that sells medical equipment may face HIPAA compliance issues. Any business that handles protected or confidential health information (PHI) must take additional care.

Such practices or companies must comply with the HIPAA checklist, especially eCommerce companies. If these companies fail to select the right eCommerce partner, they risk non-compliance fines, security breaches, and penalties. They also lose credibility with their customers when clients' personal medical information is exposed, or when clients cannot receive advanced functionality based on their electronic health and medical records.

The point is simple: if you are integrating new and better healthcare software, you must make it both secure and compliant with all the HIPAA rules.

When Does Your Website Need To Be HIPAA Compliant, And How Do You Make It So?

First, you must understand that being HIPAA compliant, for any covered entity, involves taking reasonable steps to ensure that physical, administrative and technical safeguards are in place to keep PHI safe.

For instance, suppose you hold PHI in cloud storage but have no proper policies in place for sharing this information with others. Anyone could then deliberately or accidentally leak or share that information, even though they have no right to do so. As a result, your website is found in violation of HIPAA.

Imagine the number of violations that could result from a stolen smartphone or laptop. If there are no procedures or policies in place to secure and encrypt the device, no technology can save the data.

If you are wondering when your website has to be HIPAA compliant, you must first identify the ways in which visitors are likely to interact with the website. Once identified, you need to ensure that these interactions result in a user-friendly yet secure experience. This can be done by considering:

  • Do you store PHI on the server you host?
  • Do you transmit any PHI online?

If the answer to either question is yes and you are handling PHI through the website, you must make sure it is HIPAA compliant, even if the transaction is as simple as setting an appointment. An appointment is identifiable information used in relation to patient care, so setting one is itself an example of transmitting PHI.

The Requirement of HIPAA Compliance

HIPAA stands for Health Insurance Portability and Accountability Act. In general, it asks four fundamental things of any organization that handles patients' medical records in any way:

  1. You must have proper safeguards in place to fully protect patients' health information.
  2. You must restrict the use or sharing of health information to the extent needed for the purpose.
  3. If your medical records are handled by any contracted service, you must have agreements in place to ensure they are also compliant with HIPAA regulations.
  4. You must have policies and procedures that ensure limited access, and you must train staff on the protection of hard-copy records as well as ePHI (electronic Protected Health Information).

So if you are involved in health tech development, make sure the technology in place meets HIPAA standards. One of the best ways to accomplish this is to have a HIPAA compliance checklist, which the development team can also use to build the app or software accordingly.

Checklist for HIPAA Compliance

Once you have identified that you handle PHI (Protected Health Information) and must therefore be HIPAA compliant, it is time to go through the HIPAA compliance checklist to ensure the privacy and security of PHI.

A checklist must cover four rules:

  • HIPAA Privacy Rule
  • HIPAA Enforcement Rule
  • HIPAA Security Rule
  • HIPAA Breach Notification Rule

In terms of action items, you must follow the HIPAA Privacy and Security Rules. Let's discuss each of these rules in detail.

HIPAA Security Rule

The HIPAA Security Rule is about the appropriate physical, administrative and technical safeguards needed to ensure the integrity, confidentiality and security of PHI.

We can divide the Security Rule into three fundamental parts:

  • Physical Safeguards
  • Technical Safeguards
  • Administrative Safeguards

These parts contain implementation specifications, some of which are addressable and some required. Addressable specifications are to be implemented where it is reasonable and appropriate to do so; required specifications must be implemented in every case.

  • Physical Safeguards

This set of guidelines focuses on physical access to PHI and contains four standards:

  • Workstation use
  • Facility access control
  • Device and media controls
  • Workstation security

Breaking these four standards down further, there are ten essentials to implement:

Facility Access Control

Contingency Operations: Establish procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

Facility Security Plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft.

Access Control and Validation Procedures: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.

Maintenance Records: Implement policies and procedures to document repairs and modifications to the physical components of a facility that relate to security, such as hardware, walls, doors and locks.

Workstation Security: Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

Workstation Use: Implement policies and procedures that specify the proper functions to be performed, the manner in which they are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

Device and Media Controls

Disposal: Implement policies and procedures to address the final disposition of ePHI and of the hardware or electronic media on which it is stored.

Accountability: Maintain a record of the movements of hardware and electronic media and of any person responsible for them.

Media Re-Use: Implement procedures for the removal of ePHI from electronic media before the media are made available for re-use.

Data Backup and Storage: Create a retrievable, exact copy of ePHI, when needed, before the movement of equipment.

  • Administrative Safeguards

These are the policies that govern the workforce's code of conduct, along with the security measures implemented to protect ePHI. This is the most important component when implementing a HIPAA compliance program.

We have nine standards under this section:

  • Assigned Security Responsibility
  • Security Management Process
  • Training and Security Awareness
  • Information Access Management
  • Workforce Security
  • Business Associate Contracts and Other Arrangements
  • Evaluation
  • Contingency Plan
  • Security Incident Procedures

Compliance with this set of safeguards requires a complete evaluation of the implemented security controls, a thorough and accurate risk analysis, and a series of documented solutions.

These nine standards are further broken down into 18 areas that must be addressed:

Security Management Process

Risk Analysis: Perform and document a risk analysis to ascertain where PHI is stored and used, and to identify the ways in which HIPAA could be violated.

Sanction Policy: Apply sanction policies to workforce members who fail to comply.

Risk Management: Implement adequate measures to reduce these risks to an acceptable level.

Information System Activity Reviews: Regularly review logs, system activity, audit trails, etc.

Officers: Designate HIPAA Security and Privacy Officers.

Workforce Security

Employee Oversight: Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing employees' PHI access.

Information Access Management

ePHI Access: Implement procedures for granting access to ePHI that document the access granted, whether to ePHI itself or to the systems and services through which it is accessed.

Multiple Organizations: Make sure PHI is not accessible to parent organizations or subcontractors that are not authorized to access it.

Security Awareness and Training

Protection against Malware: Implement procedures to guard against, detect and report malicious software.

Login Monitoring: Establish monitoring of system logins and reporting of discrepancies.

Security Reminders: Periodically send employees reminders and updates about privacy and security policies.

Response and Reporting: Identify, document and respond to security incidents.

Password Management: Make sure there are procedures for creating, changing and safeguarding passwords.
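The "Information System Activity Reviews", "ePHI Access" and "Login Monitoring" items above all come down to the same routine: read the audit trail regularly and report discrepancies. The script below is an added example written for this article, not code from the original page or from CodeIT. It reviews a constructed audit log (the line format, the user-to-role table, the five-failure threshold and the 07:00-19:00 business-hours window are all assumptions) and flags repeated login failures, a successful login right after a failure burst, record access by a role that is not authorized to view records, and logins or record views outside business hours.

```python
"""Review a constructed ePHI audit log for login and access discrepancies.

Added example; not part of the original article. Everything below the
imports (log format, roles, thresholds) is an assumption for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format, one event per line:
# <ISO timestamp> <user> <event> <source IP> <detail>
SAMPLE_LOG = """\
2024-03-04T08:55:01 jdoe LOGIN_FAIL 10.0.0.12 bad_password
2024-03-04T08:55:09 jdoe LOGIN_FAIL 10.0.0.12 bad_password
2024-03-04T08:55:15 jdoe LOGIN_FAIL 10.0.0.12 bad_password
2024-03-04T08:55:22 jdoe LOGIN_FAIL 10.0.0.12 bad_password
2024-03-04T08:55:30 jdoe LOGIN_FAIL 10.0.0.12 bad_password
2024-03-04T08:55:41 jdoe LOGIN_OK 10.0.0.12 -
2024-03-04T09:02:10 jdoe RECORD_VIEW 10.0.0.12 patient=P-1001
2024-03-04T23:40:07 bsmith LOGIN_OK 203.0.113.5 -
2024-03-04T23:41:00 bsmith RECORD_VIEW 203.0.113.5 patient=P-2002
2024-03-04T10:15:00 kray RECORD_VIEW 10.0.0.40 patient=P-3003
2024-03-04T10:16:00 kray LOGIN_OK 10.0.0.40 -
"""

# Assumed role table: the documented "ePHI Access" grants for this system.
ROLE_OF = {"jdoe": "clinician", "bsmith": "billing", "kray": "it_support"}
ROLES_MAY_VIEW_RECORDS = {"clinician", "billing"}


def parse_line(line):
    """Split one audit line into a dict; the detail field may contain spaces."""
    ts, user, event, ip, detail = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "ip": ip, "detail": detail}


def review_audit_log(text, fail_threshold=5, window=timedelta(minutes=2),
                     business_hours=(7, 19)):
    """Return a list of findings, each a dict with rule, user, at and detail."""
    events = sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    recent_fails = defaultdict(list)   # user -> failure timestamps inside window
    alerted = set()                    # users already reported for this burst

    def in_hours(ts):
        return business_hours[0] <= ts.hour < business_hours[1]

    def report(rule, e, detail):
        findings.append({"rule": rule, "user": e["user"], "at": e["ts"],
                         "detail": detail})

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "LOGIN_FAIL":
            # Keep only failures inside the sliding window, then count them.
            fails = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            recent_fails[user] = fails
            if len(fails) >= fail_threshold and user not in alerted:
                alerted.add(user)
                report("repeated_login_failures", e,
                       f"{len(fails)} failures within {window} from {e['ip']}")
        elif e["event"] == "LOGIN_OK":
            fails = [t for t in recent_fails[user] if ts - t <= window]
            if len(fails) >= fail_threshold:
                report("success_after_failure_burst", e,
                       f"success after {len(fails)} failures from {e['ip']}")
            recent_fails[user] = []
            alerted.discard(user)
            if not in_hours(ts):
                report("login_outside_business_hours", e, f"from {e['ip']}")
        elif e["event"] == "RECORD_VIEW":
            if ROLE_OF.get(user, "unknown") not in ROLES_MAY_VIEW_RECORDS:
                report("record_access_outside_role", e,
                       f"role={ROLE_OF.get(user, 'unknown')} {e['detail']}")
            if not in_hours(ts):
                report("record_access_outside_business_hours", e, e["detail"])
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f"{f['at']:%Y-%m-%d %H:%M:%S}  {f['rule']:<40} {f['user']:<8} {f['detail']}")
```

Events are sorted by timestamp before review so that lines written out of order by different systems do not hide a burst, and a user is reported once per failure burst rather than once per failure. The findings themselves are what a reviewer writes up under "Response and Reporting"; what the report looks like and who receives it is set by the organization's own procedures.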

Contingency Plan

Contingency Plans: Make sure there are accessible backups of ePHI as well as procedures to restore lost data.

Emergency Mode: Establish procedures to enable the continuation of critical business processes for the protection of ePHI security while operating in emergency mode.

Contingency Plan Updates and Analysis: Have policies for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.

Business Associate Agreements: If any business partner accesses ePHI, have specific contracts in place to make sure they are compliant. Select partners that have similar agreements with the partners to which they in turn extend access.

Evaluations: Conduct periodic evaluations to see whether changes in the law or in the business require changes to the HIPAA compliance procedures.

HIPAA Privacy Rule

This section relates to the use and disclosure of electronic patient health information and applies to the different healthcare organizations. It also applies to those who offer health insurance plans, along with those enterprises' business associates.

Under this section, patients have the right to obtain copies of their health records. The implications for EMR and EHR systems are obvious, especially the need to ensure that every patient identifier is also secured.

Business associates are liable for any use or disclosure of PHI that is not permitted under the HIPAA Privacy Rule or their BAA. This rule requires the following actions from business associates:

  • Provide adequate breach notification to the Covered Entity
  • Don’t allow any impermissible disclosure or use of PHI
  • Offer an accounting of disclosures
  • Be compliant with the HIPAA Security Rule requirements
  • Disclose PHI to the HHS Secretary when required
  • Provide either the Covered Entity or the individual with access to PHI.

HIPAA Enforcement Rules

Rules under this section govern the policies and procedures for investigations and the assignment of penalties when there is a breach of electronic patient health information. Here the biggest issue is to avoid the breach in the first place, and this has implications for EMR/EHR software development. Remember that ignoring these requirements may carry greater fines and penalties.

HIPAA Breach Notification Rules

Under this rule, healthcare providers must inform patients in the case of a breach of unsecured PHI. The Breach Notification Rule also requires entities to promptly notify HHS of any breach of unsecured PHI. The healthcare provider must also notify the public and the media if the breach affects 500 or more patients.

Smaller breaches can be reported to the Health and Human Services Office for Civil Rights, but larger breaches must also be reported to the media. In both scenarios, the affected patients must be notified and told what steps they can take to reduce the potential harm.

The report should be complete and mention all the relevant details of the breach, including the current extent of loss or damage and the measures taken to mitigate any further damage.

The Bottom Line

The checklist above is not exhaustive; call it a brief summary of the most fundamental and major points. If you need a more comprehensive understanding of HIPAA, you should consult the legal documents themselves.

However, you need to interpret these rules and requirements as they apply to your particular organization. Since prevention is essential in any EMR/EHR system, it starts in the basic development phase, continues through implementation and testing, and ends with regular, consistent monitoring. Thus the checklist applies right from the development phase.

So if you want to be HIPAA compliant and avoid legal penalties, you need to work with professional, well-versed developers who understand the requirements and have the expertise to implement them.
