Encryption is an excellent way to protect any patient information submitted through your site, such as through forms. HIPAA requires protecting electronic patient information through the use of secure encryption whenever it is reasonable and appropriate to do so. In addition, HIPAA does not require breach notification for properly encrypted patient information (for example, if it is hacked or misdirected) as long as the decryption key or password was not compromised.
Practices that are covered entities under HIPAA are required to have any vendor with access to patients' protected health information sign a Business Associate Agreement. That document helps ensure they are aware of the sensitivity of the information they can access and that they will comply with the necessary safeguards in order to help ensure that information remains protected. More information on the U.S. Department of Health and Human Services' (HHS) regulations on covered entities and business associates is available in the agency's write-up on Covered Entities and Business Associates. The American Dental Association (ADA) offers many helpful resources, including the ADA Complete HIPAA Compliance Kit, to help dentists understand and comply with the regulations. Creating and implementing policies and procedures that clearly prohibit the improper disclosure of patient information via all mediums – such as electronic, paper and oral – is a good first step towards preventing it from happening. Make sure your next step is to train and educate your staff about the policies and procedures, including the proper use of social media, so their efforts both promote and protect the practice in the online environment. Finally, comply with all applicable federal and state privacy and data security laws, such as HIPAA and state data security and breach notification laws.
Website Security
In addition to knowing and complying with laws regarding the protection of patients' personal information, it's important to make sure your website security is up-to-date and protected against hacking, including ransomware, a type of cyber-attack that allows malicious software to encrypt a user's data and hold it for ransom. Much ransomware finds its way in through email in the form of spam, phishing messages, email attachments and links to websites. Any computer device can be affected. It's a good idea to consult the Federal Trade Commission's (FTC) website to review more information on Phishing.
Health providers of all sizes should be aware of the risks associated with ransomware, which may include interference in the ability to provide health services, the infliction of significant financial losses and/or damage to sensitive data as well as the breach of Protected Health Information (PHI). The FBI urges anyone who suspect their information has been hijacked by a ransomware attack to contact the local office of either the Federal Bureau of Investigation or the Secret Service.
The Office for Civil Rights (OCR), a branch of the U.S. Department of Health and Human Services (HHS), has created a Fact Sheet: Ransomware and HIPAA to assist HIPAA covered healthcare practitioners. Included in the recommendations are the suggestions that offices include the risk of ransomware when they conduct risk analyses to "identify threats and vulnerabilities to electronic protected health information," implement procedures to safeguard against malicious software, train users to detect and report malicious software, limit access to electronic PHI, and create contingency plans.
Accessibility
Certain disabilities can make it challenging for individuals to access or use the internet. The Department of Justice has interpreted the Americans with Disabilities Act (AwDA) as mandating the removal of barriers that limit the ability of people with disabilities to use and interact with websites. For example, someone who is blind may have “screen reader” software that uses a screen synthesizer so they can listen to text on the screen of a website. However, photos that don't have alternative text describing what's in the images cannot be conveyed to the user. Including alternative text in images is one example of removing a barrier to a website's accessibility.
The U.S. Department of Justice's (DOJ) Civil Rights Division enforces the AwDA and has interpreted Title III of the Act to require businesses to make their websites accessible to individuals with disabilities. Hyperlinks to information about accessibility under Title II of the AwDA, which applies to state and local governments, on the DOJ's website are included below. At the time this information was developed, the DOJ had not yet issued a final rule on standards for website accessibility under Title III of the AwDA. However, DOJ resources under Title II may be helpful, and dental practices covered by the HHS final rule under Section 1557 of the Affordable Care Act are required to comply with the Title II website accessibility standards. You may want to discuss the issue with your website developer and consider requiring that person or company to ensure that your practice's website meets existing standards, such as the Title II standards and/or the Web Accessibility initiative (W3C) Web Content Accessibility (WCAG) 2.0 requirements Level AA. The Web Accessibility Initiative offers helpful resources, including How to Meet WCAG 2.0.
Don't Forget! This area of law is still developing, and a dental practice's legal obligation may vary by jurisdiction. Consult a qualified attorney for information about the application of federal, state and local disabilities laws for your practice's website.
Resources:
HHS' Covered Entities and Business Associates
The ADA's ADA Complete HIPAA Compliance Kit
The FTC's information on Phishing
Local Offices of the Federal Bureau of Investigation
Local Offices of the Secret Service
OCR's Fact Sheet: Ransomware and HIPAA
HHS'; Information on Covered Entities and Business Associates
The DOJ's Website Accessibility Under Title II of the Americans with Disabilities Act
The DOJ's Chapter 5 Addendum: Title II Checklist (Website Accessibility)
Web Accessibility Initiative's How to Meet WCAG 2.0.