How to Achieve HHS Requirements and Avoid HIPAA-related Lawsuits on Your Website 

October 22, 2024

Healthcare organizations today face an imminent threat to securing protected health information (PHI) on their websites. For this reason, HHS has released requirements to help organizations and patients stay protected. Non-compliance can result in HIPAA violations leading to costly lawsuits.

Most healthcare companies use tracking technologies for marketing and analytics. Sometimes these trackers, cookies, and pixels collect and share more health information than is necessary, leading to privacy breaches. 

It is now common for lawyers to use online tools that scan your organization’s website, expose the trackers, and present a compelling case that you are misusing PHI. HIPAA-related lawsuits can cost millions and damage the reputation of your organization for years. 

Whether your organization is currently in a lawsuit or would like to avoid one in the future, it is critical you know how to prepare. 

In this blog post, we cover 5 things you must do now in order to remain HIPAA compliant and protect against any future lawsuits. 

1. Make a List of All Website Pages Where HIPAA Rules Apply

According to HHS requirements, the first thing you must do is create a thorough list of every authenticated or unauthenticated page that may be collecting PHI.

Authenticated Pages require users to log in. An example would be a patient or health plan portal or a telehealth platform. Authenticated pages almost always collect health data. 

Unauthenticated Pages do not require a user to log in and generally do not collect PHI. However, they might track the scheduling of appointments or other health information submitted via contact forms. 

PHI may include an individual’s IP address, medical record number, home or email addresses, dates of appointments, or other identifying information.  

When facing a lawsuit, you must do your due diligence and be prepared with a complete list of any page that has the potential to violate HIPAA rules.

2. Create an Inventory of All Tracking Technologies on Your Website 

The second thing you must do is create a complete inventory of all web tracking technologies on your website.  

You must be able to account for every tracker, pixel, and cookie that exists for any purpose. Furthermore, you should know where they are located and what information is being collected, and be able to prove that only necessary information is being collected, especially as it relates to PHI.

3. Ensure All Tracking Vendors Are Approved 

After creating an inventory of tracking technology, you must provide documentation confirming that each vendor is an approved “business associate” that abides by HIPAA rules. 

According to HHS, “A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” 

This means that you must have a documented Business Associate Agreement (BAA) with every technology vendor that collects PHI. All vendors must agree to your company’s privacy policies and comply with HIPAA rules. For any vendor that does not have a BAA in place, you must prove that you have not shared PHI with them.

4. Create an Audit Trail 

Lastly, you must create an audit trail with historical evidence of periodic security reviews and updates to your risk assessment report. 

When facing a lawsuit, your website is likely to have been tracked for months, not just days or weeks. 

An audit trail is the best way to self-attest and provide evidence that all historical web tracking technologies have been in compliance with your privacy policy and HIPAA rules.  

When you willingly provide an audit trail dating back for as many months as required, your organization will be audit ready and have a more defensible position, which also makes it a less desirable target for litigators and not worth their time and energy.
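Steps 1, 2 and 4 above can be backed by a simple tool that records, per page, which third-party scripts, pixels, iframes and cookies are present and where visitor forms post their data, then appends that record to a JSON-lines audit log. The following is an added example written for this post, not Feroot's product or code; the hostnames, page HTML and cookie headers are constructed samples, and fetching the live page and response headers is left to the caller.

```python
import json
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, three third-party resources, one form.
SAMPLE_HTML = """<html><body>
<script src="https://www.example-clinic.test/js/app.js"></script>
<script src="https://analytics.example-tracker.test/collect.js"></script>
<img src="https://pixel.example-ads.test/p.gif?event=appointment" width="1" height="1">
<iframe src="https://chat.example-vendor.test/widget"></iframe>
<form action="/appointments/request" method="post"></form>
</body></html>"""
SAMPLE_COOKIES = ["tracker_id=abc123; Path=/", "session=xyz; Secure; HttpOnly"]  # constructed
class TrackerInventory(HTMLParser):
    """Collects third-party scripts, pixels, iframes and form targets from one page."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.trackers = []  # third-party resources the page loads
        self.forms = []     # where visitor input (possibly PHI) is posted
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action", ""))
            return
        src = a.get("src")
        if tag not in ("script", "img", "iframe") or not src:
            return
        host, fp = urlparse(src).hostname, self.first_party_host
        if not host or host == fp or host.endswith("." + fp):
            return  # first-party resource, not a tracker
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        self.trackers.append({"kind": "pixel" if tag == "img" and tiny else tag,
                              "host": host, "src": src})

def inventory_page(page_url, html, set_cookie_headers, authenticated):
    """One timestamped inventory record per page (steps 1 and 2 of the post)."""
    parser = TrackerInventory(urlparse(page_url).hostname)
    parser.feed(html)
    return {"recorded_at": datetime.now(timezone.utc).isoformat(), "page": page_url,
            "authenticated": authenticated, "form_targets": parser.forms,
            "third_party_trackers": parser.trackers,
            "cookies_set": [h.split("=", 1)[0].strip() for h in set_cookie_headers],
            "needs_baa_review": bool(parser.trackers) and (authenticated or bool(parser.forms))}

def append_audit_record(path, record):
    """Step 4: append one JSON line per review so history accumulates instead of being overwritten."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
```

Running `inventory_page` on every listed page on a schedule and appending each record gives the dated history of trackers per page that step 4 asks for, and `needs_baa_review` flags pages where a third-party vendor receives data from an authenticated page or one with a form.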

The Tool You Need to Become Audit Ready

At Feroot, we know how challenging it is to find a security tool that is both easy to use and powerful enough to keep your website HIPAA-compliant and compliant with privacy laws and anti-wiretapping statutes.

With the Feroot all-in-one website security dashboard, you can do everything we have suggested in a fraction of the time it takes other tools. In just minutes, you can make a list of pages, inventory tracking technologies, organize BAAs and vendor documentation, and create an audit trail. 

When you’re ready to experience the power of Feroot, schedule a free website assessment to discover the potential HIPAA violations on your website, and protect your healthcare organization from costly lawsuits.
