Atlantic.Net Blog

How to Run an Online Business While Ensuring HIPAA Compliance

Many online businesses in the healthcare sector struggle when they consider how to fully integrate compliance with the Health Insurance Portability and Accountability Act (HIPAA). Understanding the parameters of the Privacy and Security Rules, the key elements of the healthcare law that govern patient records, helps an organization move forward conscientiously. Online reviews in particular can be difficult to handle and deserve special consideration, as discussed below.

Understanding the Privacy Rule

The Privacy Rule safeguards any individually identifiable healthcare data that is stored or transferred by a HIPAA covered entity (healthcare plans, providers, and data clearinghouses) or business associate (third party acting on behalf of a covered entity). This information can be spoken or written, online or hard-copy. The way that this type of data is designated by the Health and Human Services (HHS) Department, the agency that develops regulations and enforces HIPAA, is protected health information (PHI) or electronic protected health information (ePHI), with PHI the general term for both.

An important aspect of the Privacy Rule is how it relates to use and disclosure of PHI – creating limitations for those two treatments of data. According to the HIPAA Privacy Rule, it is unlawful to use or disclose PHI outside what is allowed by the Privacy Rule or by the relevant patient(s) in writing.

There are only two scenarios in which disclosure of PHI is mandatory:

  • When a patient or their agent asks to access the information or to get an accounting of any disclosures that have occurred; and
  • When the Health and Human Services Department asks for the information during an enforcement action, review, or investigation.

Use and disclosure of PHI is also allowed in several other situations, without needing any authorization from the patient:

  • When the individual requests it (beyond the access and accounting requirements described above);
  • When conducting normal healthcare operations, processing payment, or providing treatment;
  • When giving a patient the opportunity to agree or object to use or disclosure;
  • When use or disclosure arises from use or disclosure that is otherwise allowed;
  • When the PHI is being leveraged for benefit functions or the public interest; and
  • When healthcare operations, public health, or research projects make use of a Limited Data Set.

With regards to optional use and disclosure, the HHS advises to “rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.”

Understanding the Security Rule

The Security Rule makes it necessary for healthcare firms to implement physical, technical, and administrative protections for their ePHI – addressing all “reasonably anticipated” issues. It is the responsibility of a HIPAA covered entity to:

  1. Be certain that any ePHI you generate, send, receive, or store is available, confidential, and free of corruption.
  2. Assess serious potential threats to your health records’ integrity and security so that you can defend against them.
  3. Set up safeguards so that any improper use and disclosure that has clear potential to occur does not.
  4. Make sure that your entire staff understands HIPAA compliance and knows how to safeguard information.

To maintain confidentiality according to the parameters of the Security Rule, it is necessary that there is no unauthorized availability or disclosure. This need puts the use and disclosure guidelines of the Privacy Rule into action in a digital setting. Integrity (no unauthorized destruction or changes) and availability (access to authorized parties on-demand) of records should also be upheld.

The HHS designed the Security Rule with built-in scalability and flexibility so that huge enterprises and tiny practices could put it to proper use. This part of the HIPAA standards makes it possible to look at the situation of a particular ecosystem so you can devise protections and policies that make sense.

So that the Security Rule can be modulated to fit different healthcare organizations, the HHS does not supply specific technologies or steps that must be used or taken. Instead, it mandates that a HIPAA-regulated firm should think about the following aspects when choosing security technologies:

  • Sophistication and size
  • IT infrastructure and software
  • Expense to set up safeguards
  • Chance of occurrence and potential results related to reasonably anticipated threats.

HIPAA compliance and online reviews

Online reviews and testimonials represent terrain that can be very difficult for doctors, dentists, and others involved in healthcare to traverse, since compliance becomes complicated under these circumstances.

Take one example: testimonials presented in August 2012 by a St. Louis cosmetic surgery practice. The Yale School of Medicine noted that the plastic surgeon uploaded before-and-after photos of breast augmentation procedures for 30 women to the practice's website. The faces of the patients were not visible in the images — that part was not an issue. However, the patients still filed a negligence lawsuit because there was identifying information within the images. Disturbingly, it was possible to arrive at the site by publicly searching the names of the patients. The lawsuit, for invasion of privacy, was filed by 10 of the patients.

Whether you are building testimonial content related to your results, or are responding to user-generated online reviews, there are straightforward steps you can take to avoid infringing on individual privacy law.

Why bother? The first question many healthcare covered entities have when they consider reviews is whether they even want to reply to them at all. However, reviews are critically important to your success, with 92% of consumers, according to one survey, and 77% of patients in another reading them prior to doing business with a company or finding a healthcare provider.

It is very important to the success of any organization to engage with listings, local directories, and review sites so that they keep bringing people through the door. Also, reviews are generally “thumbs-up” ratings; as an example, fully two-thirds of ratings on Yelp are four or five stars, with five-star ratings accounting for nearly half (47%) of all user scores.

To stay compliant, use these methods, as suggested by data analytics SaaS firm Womply:

  • Do NOT use any language that suggests that the patient has been to your location, regardless if the patient mentions their visit.
  • Do NOT mention any specific information, no matter whether the patient brings up the details in their review.
  • Do NOT interact with negative reviews in any specific manner.
  • Do write responses. For instance, with a negative review related to a long wait, thank the patient for their review, and state your policy of offering efficient care that does not undermine quality of treatment.
  • Do orient your responses in a general manner, pointing to your policies. For instance, with a positive review, thank the patient and note that the practice aims to fulfill the highest standards in the provision of medical care.
  • Do suggest that you can continue talking by phone. For instance, with a negative review related to poor results, think about containment and a path toward resolution: apologize, and note your policy of protecting patient information by talking about key issues offline (closing with your phone number).

Launching your HIPAA compliant system

Are you in need of a HIPAA compliant infrastructure for your organization’s systems? HIPAA Compliant Hosting by Atlantic.Net™ is SOC 1 & SOC 2 certified and HIPAA & HITECH audited, designed to secure and protect critical data and records. See our HIPAA server hosting solutions.
