6 Things to Consider For HIPAA Compliant Web Design

Gretchen Kalthoff

Posted on July 26, 2017


Healthcare website design is a unique field in that visual appeal and excellent UI/UX aren’t the only considerations. Websites must also be HIPAA compliant. To avoid penalties, it’s important to recognize that attention to the protection of personal health information (PHI) is as important in healthcare web development as it is in securely storing and transferring patient records.
Whether you are developing a brand-new HIPAA-compliant website or simply want peace of mind about how your current website stands with respect to HIPAA, here are the six most important factors to consider in healthcare web development and hosting:

1. Collecting and Sharing Information

Will the website share patient information online, such as records and appointments, or simply collect information about prospective patients inquiring about services? Whether you are collecting information through a healthcare application like a contact form, sharing patient records through a patient portal, or engaging in secure messaging with patients online, you must meet critical HIPAA standards.

2. SSL Protection

The role of SSL (today, TLS) is to encrypt patient information in transit between the browser and your server. Sometimes, during healthcare website development, SSL encryption is only activated on certain pages. This can cause problems further down the road if pages or content are moved around, disrupting the settings that decide which information is protected. Making your entire website SSL protected from the beginning is usually much more beneficial in the long run.
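One way to enforce the site-wide approach described above, as an added example that is not from the original post: an nginx configuration (the hostname clinic.example, certificate paths and backend address are placeholders) that redirects every plaintext request to HTTPS and sets HSTS, so no page can be left unprotected when content is later reorganised.

```nginx
# Added example (not from the original post). Hostname, certificate
# paths and the application backend are placeholders; adjust for your site.

# Plaintext listener: its only job is to redirect. Nothing is served here,
# so no page can be "forgotten" when URLs are moved around later.
server {
    listen 80;
    listen [::]:80;
    server_name clinic.example www.clinic.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name clinic.example www.clinic.example;

    ssl_certificate     /etc/ssl/clinic.example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/clinic.example/privkey.pem;     # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers remember to use HTTPS for this host (and subdomains)
    # for one year, so a stray http:// link in a form or email never
    # results in a plaintext request that carries patient data.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder application backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

To check it, request any path over plain HTTP (for example with `curl -I http://clinic.example/any/page`) and confirm a 301 to the https:// URL, then confirm the Strict-Transport-Security header is present on the HTTPS response.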

3. Emailing Without Encryption

No private patient information should ever be emailed over a standard email connection. It’s important to remember to follow defined protocols to keep your email communication with your patients secure and HIPAA compliant.

4. Storage of Information

Storing patient information is of critical importance in healthcare web development and healthcare website design. The database that stores information must be secure and encrypted. Often, this can best be achieved by utilizing a separate, external database. You also need to make sure that you take special precautions with backups, and that these are secured as well.

5. Website Security Testing

To be HIPAA compliant, your website and the server where it is hosted must pass rigorous intrusion detection tests on a regular basis. Start this process early, during healthcare website development, to be sure that your hospital web design passes the test, or to determine what vulnerable areas need to be improved.
It’s also critically important to make sure your server host is aware of HIPAA and of their obligations in hosting your website. If a security issue arises, there is usually a deadline of 48 hours to resolve it, according to the guidelines. Regular intrusion scans are required, so undertake due diligence as to who hosts your website and confirm that HIPAA compliant hosting practices are implemented.

6. Mind the Details

Take care to make sure that your website has all the written policies in place that HIPAA requires, such as the HIPAA Privacy Policy. Other important details that can affect healthcare web design for hospitals are that passwords must be regularly changed, and that only certain personnel can have login access to PHI.
Editor’s Note: This post was originally published in May 2016, and has been revised and updated with links to recent resources.


Gretchen Kalthoff is a writer and marketing specialist for MWE. She is an expert in healthcare marketing and health IT with a special interest in increasing patient engagement through social media and healthcare technologies.
