Atlantic.Net Blog

How to Run an Online Business While Ensuring HIPAA Compliance

Kent Roberts
by Atlantic.Net (77 posts) under HIPAA Compliant Hosting

Many online businesses in the healthcare sector struggle when they consider how to fully integrate compliance with the Health Insurance Portability and Accountability Act (HIPAA). Understanding the parameters of the Privacy and Security Rules, the key elements of the healthcare law that govern patient records, helps in moving forward conscientiously. Online reviews in particular can be difficult to handle and deserve special consideration, as discussed below.

Understanding the Privacy Rule

The Privacy Rule safeguards any individually identifiable healthcare data that is stored or transferred by a HIPAA covered entity (healthcare plans, providers, and data clearinghouses) or business associate (a third party acting on behalf of a covered entity). This information can be spoken or written, online or hard-copy. The Health and Human Services (HHS) Department, the agency that develops regulations and enforces HIPAA, designates this type of data as protected health information (PHI) or, when it is held electronically, electronic protected health information (ePHI); PHI is the general term that covers both.

An important aspect of the Privacy Rule is how it relates to use and disclosure of PHI – creating limitations for those two treatments of data. According to the HIPAA Privacy Rule, it is unlawful to use or disclose PHI outside what is allowed by the Privacy Rule or by the relevant patient(s) in writing.

There are only two scenarios in which disclosure of PHI is mandatory:

  • When a patient or their agent asks to access the information or to receive an accounting of any disclosures that have occurred; and
  • When the Health and Human Services Department asks for the information during an enforcement action, review, or investigation.

Use and disclosure of PHI is also allowed in several other situations, without needing any authorization from the patient:

  • When the individual requests it (beyond the access and accounting requirements described above);
  • When conducting normal healthcare operations, processing payment, or providing treatment;
  • When giving a patient the opportunity to agree or object to use or disclosure;
  • When a use or disclosure is incidental to a use or disclosure that is otherwise allowed;
  • When the PHI is being leveraged for benefit functions or the public interest; and
  • When healthcare operations, public health, or research projects make use of a Limited Data Set.

With regards to optional use and disclosure, the HHS advises to “rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.”

Understanding the Security Rule

The Security Rule makes it necessary for healthcare firms to implement physical, technical, and administrative protections for their ePHI – addressing all “reasonably anticipated” issues. It is the responsibility of a HIPAA covered entity to:

  1. Be certain that any ePHI you generate, send, receive, or store is available, confidential, and free of corruption.
  2. Assess serious potential threats to your health records’ integrity and security so that you can defend against them.
  3. Set up safeguards so that any improper use and disclosure that has clear potential to occur does not.
  4. Make sure that your entire staff understands HIPAA compliance and knows how to safeguard information.

To maintain confidentiality according to the parameters of the Security Rule, it is necessary that there is no unauthorized availability or disclosure. This need puts the use and disclosure guidelines of the Privacy Rule into action in a digital setting. Integrity (no unauthorized destruction or changes) and availability (access to authorized parties on-demand) of records should also be upheld.

The HHS designed the Security Rule with built-in scalability and flexibility so that huge enterprises and tiny practices could put it to proper use. This part of the HIPAA standards makes it possible to look at the situation of a particular ecosystem so you can devise protections and policies that make sense.

So that the Security Rule can be modulated to fit different healthcare organizations, the HHS does not supply specific technologies or steps that must be used or taken. Instead, it mandates that a HIPAA-regulated firm should think about the following aspects when choosing security technologies:

  • Sophistication and size
  • IT infrastructure and software
  • Expense to set up safeguards
  • Chance of occurrence and potential results related to reasonably anticipated threats.

HIPAA compliance and online reviews

Online reviews and testimonials represent terrain that can be very difficult for doctors, dentists, and others involved in healthcare to traverse, since compliance becomes complicated under these circumstances.

Take one example: testimonials that were presented in August 2012 by a St. Louis cosmetic surgery practice. The Yale School of Medicine noted that the plastic surgeon uploaded before-and-after photos of breast augmentation procedures for 30 women to the practice's website. The faces of the patients were not visible in the images — that part was not an issue. However, the patients still filed a negligence lawsuit because there was identifying information within the images. Disturbingly, it was possible to arrive at the site by publicly searching the names of the patients. The lawsuit, for invasion of privacy, was filed by 10 of the patients.

Whether you are building testimonial content related to your results, or are responding to user-generated online reviews, there are straightforward steps you can take to avoid infringing on individual privacy law.

Why bother? The first question many healthcare covered entities have when they consider reviews is whether they even want to reply to them at all. However, reviews are critically important to your success, with 92% of consumers, according to one survey, and 77% of patients in another reading them prior to doing business with a company or finding a healthcare provider.

It is very important to the success of any organization to engage with listings, local directories, and review sites so that they keep bringing people through the door. Reviews are also generally positive: as an example, fully two-thirds of ratings on Yelp are four or five stars, with five-star ratings accounting for nearly half (47%) of all user scores.

To stay compliant, use these methods, as suggested by data analytics SaaS firm Womply:

  • Do NOT use any language that suggests that the patient has been to your location, regardless of whether the patient mentions their visit.
  • Do NOT mention any specific information, no matter whether the patient brings up the details in their review.
  • Do NOT respond to negative reviews in any way that addresses the specifics of the patient's complaint.
  • Do write responses. For instance, with a negative review related to a long wait, thank the patient for their review, and state your policy of offering efficient care that does not undermine quality of treatment.
  • Do orient your responses in a general manner, pointing to your policies. For instance, with a positive review, thank the patient and note that the practice aims to fulfill the highest standards in the provision of medical care.
  • Do suggest that you can continue talking by phone. For instance, with a negative review related to poor results, think about containment and a path toward resolution: apologize, and note your policy of protecting patient information by talking about key issues offline (closing with your phone number).

Launching your HIPAA compliant system

Are you in need of a HIPAA compliant infrastructure for your organization’s systems? HIPAA Compliant Hosting by Atlantic.Net™ is SOC 1 & SOC 2 certified and HIPAA & HITECH audited, designed to secure and protect critical data and records. See our HIPAA server hosting solutions.
