If your web store deals even partially with protected health information (PHI), then PCI DSS compliance isn't the only thing you need to concern yourself with. You'll also have to contend with HIPAA. Here's how you can do just that.
Whether you're a healthcare agency offering online services or a digital retailer that sells healthcare products like prescriptions, HIPAA is not something your website can afford to ignore. Protected Health Information (PHI), no matter where it resides, must be treated with the utmost care. This is in addition to all the other data your website needs to protect: access credentials, transaction records, payment data, and so on.
The good news is that if your website already meets the PCI DSS requirements set by the PCI Security Standards Council, it won't be too much of a leap to comply with HIPAA as well. It's really a matter of understanding the flow of data through your site and knowing where your most sensitive records are stored. We can help with that, and with overcoming some of the challenges you might encounter with implementation.
Choosing the right eCommerce platform
First things first: if your website is going to be compliant, you need to start with the foundation, the platform you're using to build it. Your main focus should be to first find a platform that does what you need it to do, then research what's necessary to secure it. In broad terms, a good platform should:
- Allow you to easily incorporate a range of digital forms and create landing pages to improve the customer experience.
- Let you create searchable product listings that include high-quality photos, descriptions, and tags.
- Enable the creation of a store template that's easy to read and navigate.
- Include security protections and safeguards that stand up to both HIPAA and PCI DSS, including encryption of data at rest, audit logging and monitoring, and TLS for data in transit.
- Be hosted with a company that understands HIPAA compliance and is willing to sign a Business Associate Agreement (BAA) with your organization.
The good news is that most eCommerce platforms, if implemented properly, can be made compliant. It's just that some are easier than others. If you're looking for a starting point, WooCommerce and Magento are both solid options: easy to use, and with a wealth of plugins to help keep your data under wraps (each of which must itself be vetted and kept up to date).
Seeing to data storage and sanitization
Without a doubt, the biggest challenge of HIPAA compliance is understanding what data you need to protect, and ensuring that data is always under your control. This applies to pretty much every type of healthcare business - not just eCommerce organizations. Let's start by going over what PHI actually means.
According to HIPAA.com, protected health information is built on two definitions, the second being a subset of the first:
- Health Information "means any information, whether oral or recorded in any form or medium that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and relates to the past, present, or future physical or mental health or condition of any individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual."
- Individually Identifiable Health Information "is a subset of health information, including demographic information collected from an individual."
In essence, PHI is health information combined with anything that could be used to identify the patient, and so infringe on the patient's privacy where their health is concerned. Identifiers include names, dates, locations, contact information, medical record numbers, other identification numbers (i.e. health plan and insurance numbers, license plate numbers, Social Security numbers), and, in the case of your website, transaction details that link a person to a health-related purchase. To keep this data safe, you're going to need to take measures to properly store, protect, and sanitize it.
- When transferring or disposing of media that held PHI, sanitize it properly. It's not enough to hit 'delete', and reformatting a drive is not enough either: both leave the data recoverable. Overwrite, cryptographically erase, or physically destroy the media following NIST SP 800-88, and for cloud storage you don't physically control, rely on your provider's documented sanitization process and on destroying the encryption keys.
- Access to PHI must be closely guarded, monitored, and logged. Whether someone is an employee or a customer, they should only reach sensitive data after authenticating, and every read of and change to that data must be written to an audit log, denied attempts included.
- Beyond that, access to PHI should be severely limited. Only the individual to whom the data applies, and the staff who need that data to do their job, should be able to access it; everyone else is denied by default.
- Protect the data with current, standards-based encryption, both at rest (for example AES) and in transit (TLS 1.2 or later), and keep the keys managed separately from the data they protect.
- If a third party is going to have access to the data at any point, they must sign a Business Associate Agreement before they see it.
- Keep all PHI in a single, inventoried location; don't have one customer's records on one server and another customer's on a different server. Organization is key here: if you have not mapped where your PHI lives, you cannot hope to adequately protect it.
- Ensure you maintain multiple, redundant backups of all PHI, and that those backups have the same security controls as the primary storage medium.
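The access, least-privilege, and logging controls in the list above can be enforced in code rather than left to policy. The following is an added example, not code from the original post or from any platform it names: a deny-by-default gate in front of PHI records, with an HMAC-chained audit log that records every read and write (allowed or denied) and detects later tampering. The roles (`pharmacist`, `support`, `patient`, `marketing`), the `AUDIT_KEY`, and the records are all assumptions constructed for illustration; the audit log stores only a digest of changed values, because a log that copied prescriptions into itself would be PHI too.

```python
"""Added example, not code from the original post or from any platform it
names: a deny-by-default access gate for PHI records backed by a
tamper-evident (HMAC-chained) audit log. Every name, role and record
below is constructed for illustration."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Assumed: in production the audit key lives in a KMS/HSM, never beside
# the log it protects. Hard-coded here only so the example runs offline.
AUDIT_KEY = b"example-audit-key-do-not-use-in-production"

# Roles that need PHI to do their job. Anything not listed is denied.
PHI_ROLES = {"pharmacist", "support"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # e.g. "patient", "pharmacist", "marketing"


class AuditLog:
    """Append-only log; each entry's MAC covers the previous entry's MAC,
    so deleting, reordering or editing an entry breaks verification."""

    def __init__(self):
        self.entries = []
        self._last_mac = ""

    @staticmethod
    def _mac(body):
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

    def record(self, actor, action, record_id, allowed, detail=""):
        body = {
            "ts": time.time(),
            "actor": actor.user_id,
            "role": actor.role,
            "action": action,
            "record": record_id,
            "allowed": allowed,
            "detail": detail,  # a digest only, never the PHI itself
            "prev": self._last_mac,
        }
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        self._last_mac = entry["mac"]

    def verify(self):
        """True only if every entry is intact and the chain is unbroken."""
        prev = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


class PhiStore:
    """In-memory stand-in for the PHI table; every read and write goes
    through the gate and is logged, denied attempts included."""

    def __init__(self, audit):
        self.audit = audit
        self._records = {}  # record_id -> {"patient_id": ..., "rx": ...}

    def _may_read(self, actor, rec):
        if actor.role in PHI_ROLES:
            return True
        # Patients may see only their own records; all other roles are denied.
        return actor.role == "patient" and rec["patient_id"] == actor.user_id

    def read(self, actor, record_id):
        rec = self._records.get(record_id)
        allowed = rec is not None and self._may_read(actor, rec)
        self.audit.record(actor, "read", record_id, allowed)
        if not allowed:
            raise PermissionError(f"{actor.user_id} may not read {record_id}")
        return dict(rec)

    def write(self, actor, record_id, patient_id, rx):
        # Only staff roles create or change records. Log a digest of the new
        # value so the change is traceable without copying PHI into the log.
        allowed = actor.role in PHI_ROLES
        digest = hashlib.sha256(rx.encode()).hexdigest()[:16]
        self.audit.record(actor, "write", record_id, allowed, detail=digest)
        if not allowed:
            raise PermissionError(f"{actor.user_id} may not write {record_id}")
        self._records[record_id] = {"patient_id": patient_id, "rx": rx}
```

The point of chaining the MACs is that an insider who edits or deletes an entry after the fact (for instance to hide a denied access attempt) breaks `verify()`, which you would run from a separate system that holds the key. The same shape applies to a real database: put the gate in the one code path that touches the PHI table, and ship the log to storage the application cannot modify.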
Vetting your plugins and APIs
One thing a lot of website owners forget is that it's not just your platform and your data that need to be secure; it's the third-party code you bolt onto the site, as well. Any plugins, extensions, or API integrations you install need to be thoroughly vetted and examined for potential security flaws before they go live, kept patched afterwards, and removed when no longer used. If an add-on has a bug that can be exploited to compromise PHI, it doesn't matter what other security measures you take: your website will be neither compliant nor secure.
Ensuring a positive user experience
It isn't that people don't care about security. It's that they usually place a higher priority on convenience. A patient will be angry if their healthcare data is compromised in some way, but they may not be particularly understanding of the measures you take to prevent that from happening if those measures impede your website's ease of use.
To that end, your storefront needs to maintain a delicate balance between security and convenience. Security controls and protections must be implemented in such a way that they're largely invisible to your customers. Make your authentication process as seamless as possible, and avoid forcing your users to jump through hoops, without weakening the controls themselves.
Compliance doesn't need to be frightening
HIPAA compliance isn't all that different from PCI compliance, really. The two standards just deal with different types of data. So long as you comply with one, you can apply many of the same best practices to the other.
Now that you know the stumbling blocks you might encounter in that regard, you should be just fine.
This is a guest post by Tim Mullahy. Tim is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.