However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document. So, what do these requirements mean and how can HIPAA be followed in the context of a website?

What are the HIPAA requirements for a web site?

HIPAA is an unusual law in that it makes a lot of recommendations (addressable items) and a few assertions (required items) and in the end, it is up to each organization to determine what they need to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected health information:

1. Is always encrypted as it is transmitted over the Internet -        We use a 2048 bit encryption certificate. The highest available.

2. Is not lost, i.e. should be backed up and can be recovered -      We backup to 2 locations one onsite and to a sister facility.

3. Is only accessible by authorized personnel -                                        We have controlled access to primary systems.

4. Is not tampered with or altered -                                                                We never access patients data. All data is only accessed by office personnel.

5. Should be encrypted if it is being stored or archived.  -                 We store data compressed and password protected  

6. Can be permanently disposed of when no longer needed. -     We use DoD level wiping to destroy any data no longer needed.

The above is the simplified basics requirements of HIPAA. We also use the HIPAA security check list. This is what has made us a certified HIPAA compliant hosting facility.  We have HIPAA security certified staff.

Related links:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

http://www.techrepublic.com/article/industry-insiders-say-dont-bother-with-hipaa-certs/5034352