Welcome to the MacNN Forums.

surferboy · Aug 23, 2006, 03:18 PM

I am looking for some tutorials on creating a HIPPA compliant website. I created a site for my medical group, and there is an online appointment request form. Technically if you don't go through some serious girations, you can be in violation of HIPPA. If you keep the form bland and don't request any patient information, you are more likely to be "safe".

Part of what needs to be done is the creation of a form that is transmitted in an encrypted format.

Any thoughts and advice would be much appreciated.

Thanks.

selowitch · Aug 23, 2006, 04:54 PM

Originally Posted by surferboy

I am looking for some tutorials on creating a HIPPA compliant website. I created a site for my medical group, and there is an online appointment request form. Technically if you don't go through some serious girations, you can be in violation of HIPPA. If you keep the form bland and don't request any patient information, you are more likely to be "safe".

Part of what needs to be done is the creation of a form that is transmitted in an encrypted format.

Any thoughts and advice would be much appreciated.

Thanks.

Well, first of all, it's called HIPAA (Health Insurance Portability and Accountability Act of 1996). Then go here ... and start readin'!

surferboy · Aug 23, 2006, 06:26 PM

I know what HIPPA is all about, I just don't know how to implement it on the web. That's where I am looking for tips.

selowitch · Aug 23, 2006, 06:39 PM

Originally Posted by surferboy

I know what HIPPA is all about, I just don't know how to implement it on the web. That's where I am looking for tips.

I apologize for being pedantic, but you're not going to get very far if you can't spell HIPAA (twice)!

That aside, I share your interest in designing websites for HIPAA compliance and a few minutes Googling doesn't turn up much. Do try that link I provided, though. I'll do some research, too, and report back.

surferboy · Aug 23, 2006, 08:18 PM

I googled for a while before my post today, spoke with a CEO of a medical web development company and spoke with the people who developed our old website.

The subject is complex and I was wondering if anyone else had blazed this path before.

I read an article on the subject. There are a few companies that provide email and internet services with encryption, etc. It's been a while since I read the article, and I can't seem to find it now.

HIPPA, HIPAA- c'mon it's all the same!

selowitch · Aug 23, 2006, 08:26 PM

Originally Posted by surferboy

HIPPA, HIPAA- c'mon it's all the same!

Semantics sure count when you write the code for the website. One character wrong and your HIPAA compliance goes out the window. It matters.

surferboy · Aug 23, 2006, 09:27 PM

I know. You are right. I'm just kidding to reduce the embarrasment for the mispelling. I tend to type fast on these forums, and not think much.

Anyhow, if and when I get some information I can sink my teeth into, I'll be back here to let you know.

This is not my day job- so it may take me a while....

surferboy · Aug 24, 2006, 10:42 AM

Here is some informal advice from a colleague:

HIPAA regulates "protected health information" or PHI. This means,
basically, any patient data that can be traced back to the patient.
So a chart with their name on it is PHI. However, if you remove the
identifiable elements (name, dob, ssn, etc.) it has been
"deidentified" and is no longer PHI and subject to HIPAA. (There are
a few caveats, however, like if the patient is more than 95 years old
you can't reveal their age since there are so few 95+ people around
that you could figure out who it was just by their age!). Also,
HIPAA doesn't prevent the sharing of information with other medical
professionals who "need to know".

The HIPAA regulations don't actually specify any specific method of
security, but just say that it has to be reasonable, proportional to
your size (a small clinic requires less than a major hospital) and
meets industry norms for reasonable security practices. The biggest
thing you might do for your website is to make any page that
transmits patient information, either to or from your server, use an
encrypted connection. And, obviously, have a login system that
prevents anyone other than a patient from seeing their info. If you
meet those, you are probably most, if not all the way, to "HIPAA
compliant".

If you are doing things with the information electronically at your
end with other non-medical parties (e.g. insurance companies, drug
companies, etc.), you're required to meet some additional
requirements like keeping track of everywhere the patient information
gets sent and having "business partner agreements" in place that
obliges the others to the same HIPAA regs you follow.

Hope this helps! How's the family and life in the clinic/OR?

I found this to be reasonable, straightforward advice.

ralph4208w · Sep 13, 2006, 03:08 PM

FYI: visit Google U.S. Government Search to do a search of US Gov't documents. It restricts your search to only gov't information, so it's easy to find obscure information.

Just another FYI: It sounds like you're building the site for a private organization. If it were for a gov't organization, you'd want to look into OMB approval on any public documents.

Good luck!