Welcome to Healthcare Marketing Rx, where our goal is to help your healthcare marketing get healthy and stay that way. This video focuses on making sure that you’re using HIPAA compliant website forms.
This is for General Information! We are not Attorneys
We are a HIPAA compliant healthcare marketing agency, but we are not lawyers. We’re providing this information based on our experience as a HIPAA compliant agency. It’s general information about getting HIPAA compliant website forms for our clients, based only on our experience. Please do not construe this as legal advice.
Please do consult with your healthcare attorney for specific questions. And throughout this video, you’re going to hear me refer to healthcare attorneys a few times. They’re really good to have. They’re different from a general business attorney. Healthcare laws are much more specific. If you do not have a healthcare attorney, we highly recommend that you find a good one.
What’s a Website Form?
We’re pretty sure that you have forms on your website that you want people to fill out. The most common example is a contact us form.
You ask for the name, an email, maybe a phone number, and then you’ve got a box in which people can type in pretty much whatever they want. The other type of forms that we see commonly are patient forms or new patient forms. And what we almost always see is that they’re PDFs that you would like the patient to download, print out, fill out, and then bring with them to their next appointment. It’s very safe from a HIPAA point of view. Unfortunately, very few patients actually take the time to do all of that.
Example – Where PHI can get into a Form on a Website
Let’s go back to that Contact Us form and start over on the right, where it says “How Can We Help”. Depending on what somebody types into this box, it can be very detailed PHI.
For example, if you are a podiatrist, somebody might describe diabetic foot ulcers that are getting worse, or ingrown toenails, and so on. That’s definitely PHI. If they also put in any of their contact information, that now counts as PHI as well, because it’s paired with clinical information. You have a responsibility to protect that information, just like you do all the other PHI that you collect.
So what are your choices to get HIPAA compliant?
One way to have a HIPAA compliant website form is to change the form. The easiest way is to get rid of the form completely. Instead, just list your contact information (phone number, email) so that prospective patients can contact you. As a marketing agency we prefer not to do that. We want to make things as easy as possible for people to contact you. And if they can just fill out a simple form online, it’s much easier for them. That’s even more true if they do it after hours. One of the truisms of marketing is to make it as easy as possible for potential patients to contact you.
We also prefer to have the box where patients can put in more information. Healthcare practices like to have that information because they want to know what’s going on. It helps when somebody in the practice calls them back: they’ve got a little bit of information about the reason that prospective patient contacted you in the first place.
Your other option is to get HIPAA compliant website forms in one way or another, and then pair it with HIPAA compliant website hosting. HIPAA compliant website hosting is a separate Healthcare Marketing Rx topic.
Seriously? A Contact Us Form Needs to be HIPAA Compliant?
We get this question. “But that person isn’t a patient when they fill out the contact form!”
Our opinion is that your contact form should be HIPAA compliant. Here’s the scenario: your prospective patient fills out a contact form on your website. So far so good. What if they become an actual patient? That’s what you want, isn’t it? You want these people to become actual patients. That’s why you opened up your practice.
What tends to happen is that all that information that’s on the contact us form stays in the website. Nobody ever gets rid of it. Your risk is a data breach or an audit. In fact, nobody has to steal any data. If your contact forms hold PHI that others can see (for example, your website developer or your website hosting provider who can just log in and look around), then you’ve got all the risk you need. We see contact forms in websites that go back months or years.
Your other option is to make sure somebody is going into your website, scrubbing that data and deleting old contact forms. We just never see that happen.
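The scrubbing described above is something a website developer can automate rather than leave to memory. Here is an added example (not from the original video or from MarketVisory Group) that enforces a simple retention policy over constructed contact-form submissions: the free-text “How Can We Help” message is blanked once the practice has handled the lead, and whole submissions are deleted after the retention window. The field names and the 30-day window are assumptions; a real policy should come from your healthcare attorney.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # assumed policy window; the page gives no number


@dataclass
class Submission:
    """One contact-form entry as a website might store it (assumed fields)."""
    name: str
    email: str
    submitted_at: datetime
    message: str            # the free-text "How Can We Help" box, where PHI lands
    handled: bool = False   # True once the practice has called the prospect back


def apply_retention(subs, now, retention_days=RETENTION_DAYS):
    """Return (kept_submissions, purged_count, redacted_count).

    - Submissions older than the window are dropped entirely.
    - For handled submissions still inside the window, the free-text message is
      blanked so clinical detail does not linger next to contact info.
    """
    cutoff = now - timedelta(days=retention_days)
    kept, purged, redacted = [], 0, 0
    for s in subs:
        if s.submitted_at < cutoff:
            purged += 1          # delete the whole record, not just the message
            continue
        if s.handled and s.message:
            s.message = ""       # scrub the PHI-bearing field in place
            redacted += 1
        kept.append(s)
    return kept, purged, redacted


# Constructed sample data (not real submissions) with a fixed "now" for reproducibility.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Submission("A. Example", "a@example.invalid", NOW - timedelta(days=2),
               "Ingrown toenail on left foot, getting worse"),
    Submission("B. Example", "b@example.invalid", NOW - timedelta(days=10),
               "Diabetic foot ulcer, need appointment", handled=True),
    Submission("C. Example", "c@example.invalid", NOW - timedelta(days=400),
               "Heel pain for months"),
]

if __name__ == "__main__":
    kept, purged, redacted = apply_retention(SAMPLE, NOW)
    print(f"kept={len(kept)} purged={purged} redacted={redacted}")
```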
How do you Tell if You’re Using HIPAA Compliant Website Forms?
Generally speaking, two things have to be true:
- They sign a BAA with you
- They talk the talk
Signing a BAA
BAA stands for business associate agreement. BAAs are required by HIPAA. They’re very dense, legal documents. They can be a dozen pages, but generally speaking, here’s what they cover with respect to PHI:
- What’s required of you as the Covered Entity
- What’s required of the Business Associate (your marketing agency or an online forms provider, for example). If you’re using a marketing agency and they are using a third party forms company, you need to have a separate BAA with both of them.
- How each of you stores it
- How each of you protects it from theft and loss
- How each of you transmits it
- What happens if there’s a breach, God forbid: which party does what, how long they have, who pays for what, and who’s responsible
- Much more
With a BAA in place, the Office for Civil Rights (OCR) is much happier because they see a BAA. OCR is the federal agency that will investigate a breach or conduct an audit. There are usually state agencies as well.
They Talk the Talk
The other broad category of things that you want to see is that they talk the talk. They use appropriate wording on their website or their materials like:
- encrypted systems
- log in to get your data
- secure storage
- HIPAA compliant website forms or HIPAA compliant online forms
You don’t have to see all of these terms. But you want to see terms that at least sound like these. Inside each term are more specific descriptions of how they do each one, not to great levels of detail, but they give you some assurances that they’ve thought this through and that they’re doing these things.
How do you find out if the online forms you’re using are already HIPAA compliant?
If you’re going to do it on your own, start easy. Go to their website, go to the homepage, scroll down to the bottom, and look for their privacy policy or their terms, or both. Click on them, open them up, and scan. You’re looking for the words “HIPAA compliant” or “HIPAA”. If they say they are, great. If they don’t, then either call them yourself, or, even easier, go to whoever developed your website and ask them. Usually whoever built your website also plugged in the forms and designed the forms for you. They’ll at least know who they’re using, and then you can ask them to research it, or they can give you the name and you can do it yourself. But one way or the other, we really do think you ought to find out if the online forms provider that you’re using is HIPAA compliant.
What if your Online Forms Provider doesn’t offer HIPAA Compliant Website Forms?
In our opinion you should switch to one that is HIPAA compliant. To find good alternatives,
- Google “HIPAA compliant online forms companies”
- Ask around – your IT support, your peers, your network.
Once you find one or two and you start evaluating them, part of your evaluation should be with your healthcare attorney. Have them review the business associate agreement if they give you one.
Wrapping Up
We hope this has helped you and opened your eyes a bit to an issue that could be a problem but is pretty easy to solve.
At MarketVisory Group we offer website design services as part of our healthcare marketing systems and as a standalone service. If you have questions about our services or about us, please contact us using MarketVisory Group’s contact page.