In this blog, I will be listing a simple step by step guide to have your business up and ready to accept uploads and web forms via the web. These upload areas are important because they give an alternative to faxing or escripts. Read on for some interesting information that may be hard to come by. This is part 3 in a series of blogs dedicated to communication between medical professionals from an IT perspective.
Upload portal preferred features
- We want people to be able to go to diabetic-shoppe.com/upload and have that url turn to https://www.diabetic-shoppe.com/upload/
- We want people to be able to upload files to our website. We would like to be able to upload a minimum of 5 files per upload.
- We would like the file size to be a maximum of 50mb per upload.
- We would like the upload feature to give an error if the 50mb upload is surpassed.
- We would like 3rd parties to simply go on our website and drop a referral or document to our company with no usernames/passwords.
- We do not require specific or varied recipients.
- We do require that the entire process is HIPAA compliant.
What are the HIPAA requirements for a web site’s web forms?
HIPAA is an unusual law in that it makes a lot of recommendations (addressable items) and a few assertions (required items), but in the end it is up to each organization to determine for themselves what they need to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected health information (ePHI):
- Transport Encryption: Is always encrypted as it is transmitted over the Internet
- Backup: Is never lost, i.e. should be backed up and can be recovered
- Authorization: Is only accessible by authorized personnel using unique, audited access controls
- Integrity: Is not tampered with or altered
- Storage Encryption: Should be encrypted when it is being stored or archived
- Disposal: Can be permanently disposed of when no longer needed
- Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement(or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).
How does a “basic” web site stack up to these requirements?
By a “basic” web site, we refer to one setup at any old web hosting provider (e.g. GoDaddy) and written using off the shelf software or by someone without training in web site security best practices:
- Transport Encryption – Fail. Data is not encrypted during transmission
- Backups – Maybe. Most web hosts will backup and restore your data for you. However, this assumes that the data collected is in a location backed up by the host. If you have information emailed to you, you must be sure that your email record is complete and the backups are good.
- Authorization – Maybe. Depends on your implementation.
- Integrity – Fail. No way to be sure that data is not tampered with or to tell if it has been.
- Storage Encryption – Fail. Data is never encrypted
- Disposal – Maybe. Depends on your implementation. However, some web hosts and IT departments keep data backups indefinitely — and that is not “disposal”.
- Ombibus – Fail. Most of web hosting providers do not even know what a HIPAA BAA would require them to do…. and most of the rest know that they cannot both sign such an agreement and live up to its requirements without completely changing how their business works and their prices.
Overall grade — Failing. If you have a basic web site that has never explicitly been updated for HIPAA and which has anything to do with protected patient data, you can be pretty sure that it is not compliant and needs attention. If you plan on expanding your site to include protected patient data, be sure that whoever does it for you is familiar with the requirements that you need to meet.
Securing data emailed from your web site forms
The ideal procedure for securing your emailed data is basically as follows:
- Your secure web site encrypts the submitted data (using PGP or S/MIME, TLS, or a secure web-based email pickup solution) such that only one or a few of your employees can open it.
- This data is emailed to those recipients and “forgotten” by the web site (or an encrypted copy is stored on the site if you prefer).
- The recipients receive the data and it is stored on their email server (still encrypted unless TLS was used for delivery).
- The recipients can access these messages securely (over SSL) and decrypt the data either in their email program or on a Web-based interface that supports decryption.
- The email provider takes care of backups.
- Deleted messages will expire from backups after a while (get a signed statement saying this from them, if you like).
- Keep copies of all of the encrypted messages on the server instead of downloading them all, so that you are responsible for backups and so that they are all stored in a central location.
Key upgrade for most web forms:
Integrate our web forms with special scripts that will encrypt our submitted form data (using PGP, S/MIME, TLS, or SecureLine Escrow) and email it to us. Alternately use an addon to WordPress that allows for secure encrypted transmission to Office365 email service or any other one that is specifically designed for HIPAA compliance. Note that Microsoft Office 365 is a business partner of The Diabetic Shoppe, and a highly recommended service.