Is Your E-Commerce Site HIPAA Compliant?


With data breaches on the rise and no end in sight, protecting consumer privacy is more important than ever. Ensuring your site meets the requirements of the Payment Card Industry Security Standards (PCI SSC) is the first step towards safeguarding payment information. But for e-commerce businesses in the medical and health industry, security requires an additional step: HIPAA compliance.

Whether you sell medical products like prescription drugs, or provide healthcare services online, your e-commerce site is subject to the same HIPAA regulations that apply at a brick-and-mortar location. Fortunately, creating a HIPAA-compliant site doesn’t have to be complicated if you start with a few important details. Here’s a checklist to help you get started.

Seven Steps to HIPAA-Compliant E-Commerce

1. Make Your E-Commerce Site PCI Compliant

If your site already meets PCI requirements, you’re off to a good start towards HIPAA compliance. Of course, PCI and HIPAA regulations aren’t the same thing. PCI compliance, for example, protects payment information. HIPAA rules, on the other hand, guard against unauthorized access to Protected Health Information (PHI).

But while the type of data may differ, the two regulations follow similar security protocols. That means it shouldn’t be too much of a stretch to bring your e-commerce site up to HIPAA standards if PCI compliance is already in place.

Start by taking inventory of all forms of PHI that your online store handles, noting every location where it is stored and every path it takes in transit. From there, it’s a matter of locking down those locations.


2. Choose a HIPAA-Compliant Hosting Provider

Look for a host that understands HIPAA and is willing to sign a Business Associate Agreement.

A surprising number of popular web hosts, like Shopify and Bluehost, don’t fall into this category, so if your current provider doesn’t meet HIPAA regulations, don’t panic. You have two options: switch hosts, or stay with your current provider while storing all Protected Health Information (PHI) on a HIPAA-compliant server. Each option has its own set of pros and cons, so it’s up to your team to decide what’s best for your business.


Microsoft Azure and Amazon Web Services (AWS) are perhaps the two most well-known providers of both HIPAA-compliant data storage and web hosting plans. Here’s a list of more HIPAA-compliant hosts.

And of course, the Medvantx platform provides an easy, drag-and-drop way to create completely HIPAA-compliant websites.

3. Encrypt User Data, Stored and in Transit

Stored Data: Information stored on a server is often referred to as data “at rest.” Whether it’s at rest locally or in the cloud, stored data should have the highest level of encryption applied.

Data in Transit: As users submit sensitive information online, that data “in motion” is susceptible to prying eyes. HIPAA regulations don’t require encryption at this step, but doing so is standard practice. The good news is it just takes a simple installation of an SSL certificate on the web server.


Whether data is at rest or in motion, encryption at every step is crucial.

4. Restrict, Authenticate, Monitor, and Log Access to Sensitive Data

HIPAA compliance requires guarding PHI at the highest level of security, with access granted only after an authentication process has been completed.

It’s also essential to keep the number of individuals with access to a bare minimum, such as the patient and staff who require the information to complete their jobs. Just be sure each authorized employee signs a privacy agreement beforehand.

If a third party needs to access PHI, have them sign a Business Associate Agreement before they can receive login credentials.

Finally, be sure to monitor and log all access and changes to PHI. This means keeping a record of who viewed or modified the information and when.
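The restrict-and-log step above, sketched as an added example that is not code from the original article or from any hosting platform it names. The record store, access list, user IDs, and the `AuditLog` and `access_phi` names are all hypothetical, and the caller is assumed to be already authenticated; the hash chaining goes one step beyond the text so that edited or deleted log entries can be detected.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data: a record store and per-record access lists (hypothetical).
PHI_RECORDS = {"rx-1001": {"patient": "pat-7", "drug": "example-drug 10mg"}}
ACCESS_LIST = {"rx-1001": {"pat-7": {"view"}, "pharm-2": {"view", "modify"}}}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry carries the hash of the previous entry."""
    def __init__(self):
        self.entries = []

    def append(self, user, action, record_id, allowed):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        # Record who, what and when, but never the PHI values themselves.
        body = {"when": datetime.now(timezone.utc).isoformat(), "who": user,
                "action": action, "record": record_id, "allowed": allowed,
                "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Recompute the chain; False means an entry was edited or removed."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def access_phi(log, user, action, record_id, changes=None):
    """Authorize, log the attempt (granted or denied), then return or update data."""
    allowed = action in ACCESS_LIST.get(record_id, {}).get(user, set())
    log.append(user, action, record_id, allowed)
    if not allowed:
        raise PermissionError(f"{user} may not {action} {record_id}")
    if action == "modify":
        PHI_RECORDS[record_id].update(changes or {})
    return dict(PHI_RECORDS[record_id])
```

Denied attempts are logged as well as granted ones, so the log shows who tried to reach a record, not only who succeeded.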


5. Back Up Your Data

Failed hard drives, power outages, and software failure are inevitable events facing every IT team. That’s why secure data backups are crucial. A good practice is to create multiple, redundant backups of PHI, and to store them with the same level of security applied to the source data.


6. Removal of Data

HIPAA rules around removing PHI involve more than just hitting “delete.” Just as you’d shred hard copies of sensitive records, a digital “shred” involves erasing and reformatting the drive where the data resided.


The U.S. Department of Health and Human Services has detailed information about digital deletion on their website.

7. Vet Your Plugins

Plugins are a great way to add functionality to an e-commerce site, but if not vetted carefully, they can expose your site to risk. So be sure to examine all installed plugins for security flaws.


HIPAA Compliance and User Experience

Adhering to HIPAA laws not only keeps your e-commerce site out of legal trouble, it also contributes to a good User Experience (UX) for the patient. After all, nobody enjoys learning his or her sensitive information has been exposed.

When launching your medical e-commerce site, pay as much attention to security as you do to creating a user-friendly interface. That said, it’s also important to strike a balance between the two. While a data breach creates a negative user experience, so too does a lengthy and complex authentication process.

To Sum Up

As you can see, HIPAA compliance involves more or less the same standard security practices used across all industries online. For HIPAA security, though, the key difference is in identifying and protecting all forms of data falling into the category of PHI.

Want a simpler way to get a HIPAA-compliant website up and running? Schedule your Medvantx consultation now.