Building a HIPAA compliant website

Hi all,

From time to time I pick up some freelance work. And as I’m stuck in an entirely different country with nothing better to do, I picked up an offer to build a website. But there’s a catch. The client is in the healthcare industry in the US, and they are in a rush to get the website running to collect patient info. They provide mobile treatment and I’m honestly baffled at how they managed that without having a website.

So, my issue starts here, I don’t know too much about being HIPAA compliant, and the sources I’ve found are extremely vague. Do I have to do something extra as the website builder? Does RapidWeaver have any features supporting HIPAA? I’ll also set up their hosting and new email accounts as well. Would appreciate any type of help here as I feel a little lost. Thanks!

@Dave uses RapidWeaver to build sites for the hospital/healthcare company that he works with. I am sure that he would be the best person to talk to.

My gut says that HIPPA is more about data stored about customers and patients. If you are simply building a marketing site for a HIPPA compliant business, you should not have to worry about this for the website itself. However, as I said… I do not know anything about HIPPA so take that with a bucket of salt.

Joe, that’s a HIPPA violation.

2 Likes

This client expects the site you create to collect patient information?

I certainly don’t want to tell you what to do- but I know if I were in your shoes, I’d turn that offer DOWN, immediately. HIPAA (one P) violations are unbelievably costly - we’re talking in the tens of thousands of dollars.

Joe is right - I’ve long built sites for a division of a huge integrated medical health system. But, my sites are designed not for collecting patient data…but to provide information about our services to patients and physicians. My sites collect zero PPI.

My suggestion is that if this client really wants PPI, they need to work with a company that specializes in it. Done right, there’s very little risk to the designer or the medical company. Done wrong and the risk is enormous.

2 Likes

Hi Dave,

Thanks for swooping in. The project has a very flexible deadline as it’s not their priority due to the outbreak right now. I still have the option to turn it down and probably will after this, haha. So, I was planning to add a contact form to the website so that people can register a visit. As far as I understand that will fall under patient health information.

They also asked me to set up a new email for their new website and domain. A quick search online told me that the mail servers have to be compliant as well, as they will probably send patient information such as test results etc. I found a list (the second source) of providers and according to their marketing material it should be no worries. Do you think I should still walk away?
Thanks!

Sources:
HIPAA Compliance for Email
[A list of HIPAA Compliant Email Providers]

I am not in a position to say whether a potential form would include PHI or not, but for me, I would err on the side of caution. I have long used MachForm across all of my sites (I probably have 75 or more instances of it running), and in a select few, I still have it running on my medical imaging sites. But, mainly as a contact form, where there is virtually no chance someone will enter PHI. For the forms that require PHI, everything has been moved in-house using an ASP.NET solution. MachForm is probably the most RapidWeaver-friendly form builder available (short of any of the Stacks solutions) - and (the last time I checked), it is rated Approved for Restricted Data. This is NOT the same as Approved for Critical Data (including PHI).

If you aren’t familiar with penalties for HIPAA violations - just google “penalties for HIPAA violations”. As you’ll see, we are not only talking financial penalties. To me, it’s just not worth the risk.

1 Like

Hey Dave,

Yeah, so I talked with the client yesterday and it seems like they don’t know if they will be collecting PHI over the website, and they had no idea that emails had to be compliant either. I believe there are HIPAA compliant form builders out there, but for now I’ve turned down the project. Too risky for a quarantine project 🙂

Thank you so much for your input, I’d probably realize the mess I got into way too late, haha. Will check out MachForm definitely.

Cheers!

1 Like

btw, faxes and printers need to be HIPAA compliant as well.