I was recently asked by a therapist to completely redo her existing site, which is currently on WordPress. My plan was to keep it on WP, just update the theme, install some plugins, etc.
She asked me the other day about the possibility of allowing her clients to schedule appointments, fill out paperwork, and settle their accounts on the site. She added that all of this needs to be HIPAA-compliant.
I know only a little about HIPAA, but I read a few posts over the weekend that cautioned against using a standard host such as GoDaddy and using WordPress on the site.
I have a general idea of what needs to be done for the hosting but I wanted to know if I should give up the notion of WP while I can and not even waste my time. Does anyone have experience trying to make a WP site HIPAA-compliant?
I was wondering if it would be very much different from creating a site that takes payments, credit cards and/or personal info? A quick web search got me this blog.
I would use a paid 3rd party CMS so that if something went wrong and it was exploited then they take the blame. Of course you have to make sure they don’t specifically state that they aren’t liable for their security flaws in their TOS/Contract/etc.
HIPAA violations are no joke and should be taken seriously. If the therapist wants to have sensitive information on their website and they don’t want to pay big money to have sensitive information on their website, they shouldn’t have sensitive information on their website. It’s that simple.
You should also seek out a HIPAA-compliant host. I don’t know any off the top of my head.
In all truthfulness, this is not something that should be taken on by a single freelancer, it should be done by an established shop who understands the laws, has their own lawyers, and has plenty of staff for round the clock maintenance. Again, lots of money. And again… HIPAA is no joke. If they can’t afford an established shop, then they can’t afford a website that does these things.
The HIPAA stuff is just one part of this project. There is also design work and a shopping cart and blog to put together. But I’ve done all of those things before. The HIPAA component is definitely my one unknown and the only thing that gave me pause when I did the initial gathering of requirements.
I’ve worked with this person in the past, so we haven’t signed anything official yet. I suppose my next step should be determining the feasibility and cost of outsourcing that one part of the site and then decide how to proceed.
Update: So I took the advice given here and asked the therapist to reconsider the HIPAA-compliant features she was hoping for. To my surprise she agreed…
But she is saying she wants to post blank forms on her site and ask patients to download them, fill them out, and (snail) mail them to her.
Assuming this is the way we eventually handle it, I wouldn’t be liable for any violations at all, would I? Since I am only helping her post blank forms and I’m not involved in the handling of any data directly.
Let’s say the forms I am paid to put on the site are faxed with PHI (patient health information) and this somehow gets discovered, the site owner would be liable and not me?
They faxed them, not you. You should be fine. If you include a button that says “Fill out this form and fax it” then proceeds to fax it from the website, then that’s on you.
Also, I think faxing is under different regulations than email. Not sure on that one, but I think I remember that being something weird.
Can data sent via FAX be “secure enough” for HIPAA?
You might think that the answer is a simple “no”, unless the FAX is sent over some type of secured phone line. Why? Because anyone with physical access to the phone lines and some technical expertise can eavesdrop on phone calls and FAXes and thus obtain any protected health information by fax. It is acknowledged that sending email messages containing PHI insecurely is prohibited, so it follows that FAXing might also be “not a good idea”.
But, it turns out that “no” is too simple an answer and not practical or accurate.
It explains it in a little more detail if you follow the link.
Having rebuilt a neurosurgery practice from the ground up last year, I learned a few things about HIPAA that your client may or may not know, and a few things you and your client may or may not want to consider (though I make no claims of being an expert):
In addition to the federal rules, each state has its own rules regarding the acquisition, storage, retrieval and disposal of medical records. In some states, the fines for mismanagement of medical records exceed the federal penalties, which can run from $100 to $50,000 PER violation, and even jail time.
While the use of email is not prohibited by the legislation, there are risks. Health professionals are encouraged to encourage their patients not to share patient health information (PHI) via e-mail, and most medical practices discourage their physicians from responding to medical issues via email and/or the practice takes the added precaution of encrypting emails when initiating or responding to patient inquiries that involve PHI.
Having a general inquiry email (form) on the website and responding to general inquiries that do not involve PHI has a low risk factor (ex. Do you have physicians who specialize in XYZ condition? Yes, we have several physicians who specialize in XYZ. Please review the bios for Dr Y, Dr P, Dr Z linked on our website)… We took the email off the neurosurgery practice’s website because too many potential patients wanted to share far too much PHI. This information was not solicited so there was no violation on the practice’s part, but we decided it wasn’t a good way to initiate a healthy relationship with patients.
Placing blank forms on a website for download is not a violation as it does not involve an exchange of any information. Should the forms be faxed into the office, the doctor/medical practice could be in violation of HIPAA depending on where their fax machine is located and who has access to it (rules governing fax servers are more complex but I’m assuming the practice is too small for its own fax server). Receiving an email with the forms attached is, generally, higher in risk to the doctor/practice than faxes. The safest delivery method is for the patient to bring the forms on the first visit. As the website developer, however, you are NOT responsible for the completed forms (though you would come under some scrutiny in a data breach if you maintain the doctor’s email service or server and she accepted forms via email). My suggestion would be to include a HIPAA privacy policy statement as part of the download; the statement should include the doctor’s email policy, as well as a “consent for use and disclosure” clause if the doctor bills insurance companies directly. Most states and medical associations offer templates with which the doctor can work. (This is not to protect you; this is to protect the doctor and make you look good for looking after her).
The storage of completed forms and the PHI is the doctor’s responsibility. Whether she keeps them in a locked cabinet; scans and encrypts the forms; enters the information into an encrypted database (or uses them to level her desk or start a bonfire), it will not affect you.
Regarding scheduling appointments: There are some online third-party scheduling services that offer appropriate security, do not involve PHI or too much patient demographics, and can be integrated into websites. The doctor may be interested in something like that for existing patients; she should schedule new patients herself or have her staff do so. As a third-party solution, you would not have responsibility for any data breaches (let the doctor sign up for the service directly) and it would extend the functionality of the website in the direction the doctor wanted to move…
There are an astounding number of Electronic Medical Records (EMR), Electronic Health Records (EHR), Practice Management (PM) and Patient Portal applications available (more than 600 when I last looked). Most have spent hundreds of thousands and, in some cases, millions of dollars to build and manage HIPAA compliant systems. And still, data breaches in health care accounted for 36% of known identity data breaches in 2013. This is because there has been a sharp rise in the number of attempted hacks on the health care industry since 2010.
A general third-party CMS will not be HIPAA compliant and you may not be able to avoid a lawsuit if you offer one up as a solution; the government may not come after you but the doctor may well sue you if the government comes after her. Most EMR/EHR/Patient Portal and PM applications are truly HIPAA compliant; the “good” ones are CCHIT, Drummond and ONC HIT certified.
What does all the blather above mean: Anyone should think long and hard before creating any application – web-based or local – to collect and store patient data. The risks at this point seem to outweigh the rewards. …
As a developer, business consultant, IT project manager and occasional patient, I would not want to have my health care information collected through a WP site. …
Here’s a brief checklist on how to be a HIPAA-compliant practice that you may want to share with your client (again, just so she can see you’re looking out for her). It’s not exhaustive but it’s a solid start; common sense can fill in the blanks: https://www.truevault.com/blog/how-do-i-become-hipaa-compliant.html#.U9xgiIBdVCs
Now put all this aside and go design a site that says professional, capable, caring therapist ready to listen and help, and let the doctor worry about the patient and their data.
Update to my update: So it turns out I was looking at potential HIPAA issues with another one of my clients as well. I was talking with a chiropractor about moving him off of his iMatrix site to self-hosted. He told me he was paying them a ton of cash for hosting and at the time (a few months back) neither of us could understand why.
Lo and behold he does indeed currently collect PHI on his site and iMatrix is a HIPAA-compliant host. I told him I was fairly certain this is what the expense was for. I advised he stay with them.
And the therapist is moving away from collecting any PHI through the site altogether, so I am proceeding with my plan to move her to a self-hosted WP.
I have learned a great deal about HIPAA and some potentially nasty headaches. Thanks very much to all who gave me advice. I think of this forum as world-class and the go-to place for speaking to experts and getting the best advice. This has been validated yet again.