Form Vessel | Learning Center

Building Websites For Medical Clients

Written by Form Vessel | Dec 29, 2025 11:02:59 PM
Key Takeaway

Building websites for medical clients can be a lucrative niche, but it comes with HIPAA responsibilities. Web designers may qualify as business associates when PHI is involved, so it’s critical to understand what PHI is, where it appears on healthcare sites, and how to protect those data flows with reasonable safeguards and proper vendor agreements.


Disclaimer: This article is for informational purposes only and does not constitute legal advice. Always consult a qualified attorney or compliance professional when interpreting HIPAA regulations.

Websites are incredibly important for any business. Twenty-five years ago, they were a nice convenience. Now, a business will struggle to succeed without a strong online presence. This is no different for medical practices. Most people find their providers online, and a quality website will help a provider gain visibility and book more appointments.

However, building medical websites also brings important privacy implications that can be quite strict. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect sensitive patient information, and it can extend to data collected by websites. HIPAA violations may breach patient trust and possibly result in large fines, so it’s important to understand what goes into making a medical website.

This blog will cover the medical web design market, obligations for web designers, what data is protected by HIPAA, and how websites interact with this data.

Is Medical Web Design a Worthwhile Market?

Web design has become a very viable market for those with relevant skills. As previously stated, websites are more important than ever, and it takes a skilled user to maximize their benefits. This skillset is even more valuable in healthcare. Most providers simply don’t have enough time to provide great care AND maintain a website.

The proof is in the pudding. If you do a simple search for medical practices in your area and scroll to the site’s footer, there is a very high chance a web design team will be linked. This proves the market is lucrative, but it is also saturated. The best thing that designers looking to break into the space can do to combat this is educate themselves on how to properly build a medical website (especially because many design teams fall short).

Understanding Your Obligations as a Business Associate

HIPAA mainly classifies organizations in two ways. First, there are covered entities. These are organizations like providers, healthcare clearinghouses, and health plans. Then, there are business associates. These are vendors who interact with sensitive information on behalf of covered entities.

Medical web designers who are working with covered entities and may be processing PHI on their behalf are considered business associates and must sign a business associate agreement (BAA). These agreements are important for everyone involved. First and foremost, they protect the patients whose data is involved by stipulating exactly how their information can be handled. However, these rules also protect the covered entities AND the business associates by clarifying responsibilities if issues arise.

Still, many web designers don’t realize this is a requirement and never sign these agreements. Not signing does not mean they are not business associates, and continuing to operate without a BAA is risky. The Omnibus Rule, enacted in 2013, extended direct liability to business associates and made clear that an organization acting in the capacity of a business associate counts as one whether or not an agreement is signed.

What Is Protected Health Information (PHI)?

While all personal information should be treated with care, HIPAA explicitly defines the type of information it covers as Protected Health Information (PHI). Understanding this definition is critical for web designers who are classified as business associates because it allows them to implement proper protections for PHI flows on a covered entity’s site.

The Basic Checklist

Official HIPAA documentation can often be expansive and hard to fully grasp. There’s a lot of nuance, but if the following conditions are met, data is very likely to be PHI:

  1. The data must be created, received, maintained, or transmitted by covered entities or their business associates.

AND

  2. The data must identify an individual.

AND

  3. The data must relate to their past, present, or future provision of care, payment for care, or health status.

If those three conditions are met, data is probably PHI and must be protected according to the safeguards outlined by HIPAA.

Disclaimer: If you are still unsure whether information qualifies as PHI, it is important to consult a compliance professional to evaluate your specific situation.

Context Matters

Since the definition of PHI is relatively broad, it’s also important to understand that context matters. This confuses many people because it means PHI turns up in unexpected places: data that seems benign on its own can become PHI in the context of care. This is especially relevant for medical websites, because a site built for a provider has a clear connection to the provision of care.

It's easy to understand how a form that collects medical history is protected health information. However, even a basic appointment request form that only collects a name and phone number is generally considered PHI. This is because it contains personal identifiers, relates to the future provision of care, and is likely maintained by both a covered entity and the business associate who manages their site.

This is only one example. Tracking technologies (analytics scripts, pixels, and similar tools) can create even more subtle PHI disclosures.

Will The Websites You Build Handle PHI?

This is the most important question because it governs everything else. If no PHI is involved, you are not a business associate, and HIPAA does not apply. However, given the point about context above, a website built for a provider is very likely to handle PHI.

This should not be cause for fear. With proper precautions, you can help mitigate the risk of PHI breaches to ensure both you and your client stay safe. It’s also important to understand that the websites themselves are not necessarily governed by HIPAA, only systems where PHI flows.

This means that you can implement compliance features to protect those flows and simplify the entire process. If you’re unsure of the flows, the best option is to implement reasonable and appropriate safeguards based on risk and scale.

When it comes to implementing safe form workflows, there are many HIPAA-aligned form builders on the market. However, it’s important to evaluate which one best fits your needs and ensure that the plan you purchase actually includes compliance features (many lock them behind enterprise tiers). It’s also critical to know that simply selecting the correct plan doesn’t guarantee compliance. There are other configuration and setup obligations that may be a part of the process.

Outside of forms, there are other important steps that web developers can take to create a compliant environment. It is recommended to encrypt data both in transit and at rest. There should be no public access points for servers. Audit controls should be implemented that can track PHI access. Finally, a business associate agreement should be signed with any vendors (like hosting platforms) that are handling PHI on your behalf.

Every Situation Is Unique

HIPAA documentation is intentionally broad because every situation is different. It's important to work with your team and, if necessary, trained compliance experts to understand your exact situation. However, if you carefully evaluate the possible flows of sensitive information and implement reasonable safeguards according to HIPAA, you're on the right track. Showing this kind of care is a powerful way to earn trust and build your reputation in the medical web design space. You don't need to be an expert, but being able to show that you are looking out for your clients will help you stand out.