One of the issues we run across quite often is medical practices accepting appointments online. While there is generally nothing wrong with that, it’s important to understand that appointment data is protected health information (PHI) under HIPAA and is subject to its Security and Privacy Rules.
There are several options to be both more secure and HIPAA compliant at the same time:
- Don’t take patient data online. Patients can download forms, but they must call to make an appointment.
- Use a third-party medical records platform that lets patients set appointments through its systems rather than through your website.
- Use a web hosting provider designed explicitly for hosting HIPAA-compliant websites for customers.
- Run, manage, and secure your own servers (not recommended for most practices).
While this may seem like a small thing, it is also something the HHS Office of Civil Rights will fine you for if you’re audited. More importantly, keeping medical data on a shared hosting system (like your website) or in your email is not typically the most secure solution for your patients. In short, if you can avoid it, do NOT accept PHI online.
(Note: Asking patients to not submit PHI on your web form is not a solution.)