One of the first places an auditor will look when a HIPAA investigation begins is a covered entity’s website. Sole practitioners, medium size clinics, large hospital systems and health plans are all covered entities and their websites must comply with HIPAA. When a website does not have the basic requirements it raises red flags and invites more scrutiny.

HIPAA and Websites: Three Basics

Beware website builder and marketing companies’ advice about how to create a website. In our experience, nine out of ten covered entity websites we’ve reviewed do not comply, including ones built by well known health care marketing advisers. Many websites are artfully designed and provide lots of good information. But they’re missing key ingredients of HIPAA.

The responsibility for website HIPAA compliance belongs to the covered entity. A website builder who creates the website does not own the legal responsibility for compliance with the HIPAA Privacy Rule. Only the covered entity is responsible.

Notice of Privacy Practices on the Homepage

The HIPAA Privacy Rule requires that covered entities must prominently post their Notice of Privacy Practices (NPP) in an obvious place on the website. It should be easy to find, not hidden or obscured, and shouldn’t require multiple clicks to find in full. It shouldn’t be buried in the “patient forms” section.

It doesn’t need to written out in full on the homepage – there can be a button that links to the full NPP on a different page. OCR has explained in its HIPAA Desk Audit Guidance that “an example of prominent posting of the notice would include a direct link from homepage with a clear description that the link is to the HIPAA Notice of Privacy Practices.”

NPP Must be Available Electronically

Be sure the Notice of Privacy Practices is downloadable so patients and clients can save or print it. It must be up to date – current on the law, and current with your organization’s information.

Beware the Use of Testimonials

One of the best ways to build a practice is to let prospective patients know what current patients think of your services. Testimonials, reviews and endorsements have become a key ingredient of healthcare marketing, and website builders can easily create a testimonials page.

A patient’s endorsement is “protected health information” or PHI. The HIPAA Privacy Rule permits testimonials, but you must obtain a patient’s written Authorization, in advance, before using their testimonial.

Under HIPAA, patients cannot voluntarily provide an endorsement for your use or disclosure without authorizing it in writing. The Authorization itself must comply with HIPAA – a general release, written for other purposes likely does not comply with HIPAA.

Facebook is a Website

Although Facebook and Instagram are also popular ways to connect with clients and patients, they present special privacy problems that conflict with the HIPAA Privacy Rule. Many covered entities  use Facebook, where patients offer their own recommendations and reviews. But the “Terms and Conditions” of Facebook make clear that you own and are legally responsible for all of the content posted:

A Covered Entity that has a Facebook page agrees to the following terms:

“You own all of the content and information you post on FaceBook, and you can control how is is shared through your privacy and application settings.”

“By ‘Information’ we (Facebook) mean facts and other information about you, including actions taken by users and non-users who interact with Facebook. By ‘content’, we mean anything you or other users post, provide or share using Facebook services.”

This means that everything on your page is your responsibility, whether you post it or someone else does. If you want to have a Facebook page, be sure to adjust your privacy settings to avoid patients voluntarily posting endorsements or reviews without giving a written HIPAA compliant Authorization in advance.

Independent Review Sites, like Yelp, are Safer

If reviews or endorsements appear on an independent review site, as long as you DO NOT publicly respond or comment, they can remain, and are not your responsibility under HIPAA.

The HIPAA E-Tool^® is a One Stop Shop

Everything needed for full HIPAA compliance is at your fingertips in The HIPAA E-Tool^®.

Policies are up to date with current law. Forms, like Authorizations, the Notice of Privacy Practices, and a Business Associate Agreement template, ready to go, are all included, along with dozens more for every aspect of HIPAA compliance in 2020. We have answers and are ready to help.