Having a compliant healthcare website

Learn how screenshots can help you stay compliant and avoid paying the $75,000+ HIPAA fine.

Healthcare organizations are supposed to comply with different regulations both internally as well as when interacting with patients. Let’s go through some of the main regulations affecting the healthcare industry.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act. Established in 1996, it sets the standards governing the use and disclosure of patients’ information, such as their name, address, medical records, and other identifying details.

Any organization that is associated with the healthcare field, referred to as a “covered entity”, must comply with HIPAA regulations, as must any business that has access to a patient’s information on a covered entity’s behalf (a “business associate”).

HIPAA rules

HIPAA comprises a set of rules which include:

  • Privacy rule: Governs how any information that can be traced back to a patient is handled, and defines the privacy and confidentiality policies a HIPAA-compliant website must follow.
  • Security rule: Requires covered entities to protect and secure Protected Health Information, otherwise known as PHI.
  • Breach notification rule: Healthcare website compliance requires covered entities to notify the Office for Civil Rights (OCR) when any personal information has been breached.
  • Enforcement rule: Gives the US Department of Health and Human Services the power to enforce the Privacy and Security Rules.

How to comply with HIPAA

In order to be compliant with HIPAA, you should take these elements into account:

  • Periodic risk assessments: To detect weaknesses in time.
  • Policies and procedures: These cover how patients’ personal information is protected, for example confidentiality agreements for employees. If your website collects patient information or related data, make sure every form used is HIPAA compliant, that the collected information is encrypted and protected, and that a valid SSL certificate is in place so the site is served over HTTPS. Depending on the website and whether your patients perform actions there, you can also enable two-factor authentication.
  • Breach protocol: Most breaches are unintentional, so you must have a response plan in place beforehand. Notify OCR and the affected parties promptly after any security breach; delaying notification only worsens the situation.
  • Employee training: Periodic training on how to handle information is key, and demonstrates a good-faith effort towards compliance.
  • Business associate agreements: Make sure the other companies or providers you work with are HIPAA compliant. On the website side, check whether your hosting provider is HIPAA compliant and will sign a business associate agreement.

Documenting HIPAA efforts

Always document all evidence of your HIPAA compliance efforts and the related documents, especially in case of an OCR audit. This includes training records, protocols, policies, and everything else needed to protect patients’ information. Using Stillio, you can automate this task and make it much easier. Take screenshots of all the necessary policies and of your employees’ training completion, and archive versions of your website. These screenshots can be stored automatically in your cloud of choice, helping you to ensure everything is properly in place.

Sometimes an employee might disclose patient information without your knowledge. Therefore, you should take periodic screenshots of your social media mentions to check that no videos, images, or pieces of patient information are circulating online. The same applies to the press: you can take screenshots of mentions in online newspapers to check whether any patient’s information has been published.

HIPAA fines

HIPAA violations are expensive. The non-compliance penalties are tiered by the level of negligence and range from just $100 to a whopping $50,000 per violation or record, with a maximum penalty of $1.5 million per year for violations of an identical provision.

In severe cases, these violations can also be accompanied by criminal charges or jail time.

HITECH

HITECH stands for the Health Information Technology for Economic and Clinical Health Act. Established in 2009, it is also a standard concerned with protecting patient information, and it requires the digitization and electronic sharing of information between patients and doctors. HITECH compliance encourages organizations to “promote the adoption and meaningful use” of Electronic Health Records (EHR). The act has also strengthened the penalties for HIPAA violations and altered how they are enforced: there are four tiers of violations with increasing penalties, up to a maximum fine of $1.5 million.

How to comply with HITECH

In order to maintain proper compliance, HITECH has established three stages of meaningful use:

  1. Data capturing and sharing: Electronically capturing health information like vitals, blood pressure, weight, and other parameters, keeping electronic records and clinical history, and providing patients with an electronic copy of, and access to, their records.
  2. Advanced clinical processes: Improving patient care through e-prescribing, secure electronic messaging, and the electronic transmission of patient care summaries across multiple care settings.
  3. Improved outcomes: Improving quality, safety, and efficiency by giving patients proper access to self-management tools, which leads to better healthcare outcomes.

When it comes to website compliance standards, you can comply with HITECH in much the same way as with HIPAA, by:

  • Using HIPAA-compliant forms
  • Encrypting information
  • Having an SSL certificate
  • Using proper two-factor authentication
  • Working with a HITECH-compliant host

Just like with HIPAA, it’s important to document all efforts regarding HITECH.

Accessibility standards - ADA

These accessibility standards are not specific to healthcare, but as an organization that serves the entire population, your website should be accessible to everyone. Also, given the nature of your business, not having an accessible website can result in fines and penalties. Since both HIPAA and HITECH are American regulations, we shall focus on the Americans with Disabilities Act. If your organization is based anywhere else in the world, check out our masterlist of accessibility standards around the world.

The federal Americans with Disabilities Act (ADA) is often associated with physical locations and the accommodations certain businesses must make for people with disabilities, but it also extends to the digital world. In 2010, the US Department of Justice published the ADA Standards for Accessible Design, requiring that electronic information be accessible to people with disabilities such as vision impairment or hearing loss.

The entities that are obligated to comply with ADA are the ones that fall under these titles:

  • Title I - Employment practices of private employers with 15 or more employees, state or local organizations, employment agencies, and labor unions.
  • Title II - Programs and activities of state and local government entities.
  • Title III - Private entities that provide public accommodation, like hotels, banks, or public transport.

However, even if your organization doesn’t match these descriptions, being ADA compliant is advised given the industry you’re operating in.

How to comply with ADA

Unfortunately, the ADA itself provides no clear technical guidelines for websites, so many organizations turn to the Web Content Accessibility Guidelines (WCAG), which are applicable worldwide. Meeting WCAG at its A and AA levels should keep you away from ADA trouble. Make sure you follow the four principles of accessibility (perceivable, operable, understandable, and robust) and keep an eye on:

  • Alt-texts on images,
  • Font contrast and size,
  • Colors,
  • Accessible files,
  • Audio descriptions and subtitles.

Failure to comply with these guidelines could expose your business to lawsuits, financial liabilities, and damage to your brand reputation. To keep yourself safe, use Stillio to save screenshots and keep an archive of your website as proof of compliance. ADA violations, whether physical or digital, can cost up to $75,000 for a single violation, and the fine can rise to $150,000 for subsequent violations.

Conclusion

Having a compliant healthcare website is definitely possible. Remember to follow the regulations and keep all necessary evidence handy. If you need it, seek legal advice. Also, feel free to book a demo with Stillio to learn more about capturing and saving screenshots.
