
Do Basic Contact Forms Need to Be HIPAA Compliant?

Key Takeaway

Do contact forms on medical websites collect PHI? Often, yes. This guide explains how PHI applies to websites, why context matters, how PII can become PHI, and what HIPAA safeguards are needed to make web forms compliant, including why disclaimers are not enough.


Disclaimer: This article is for informational purposes only and does not constitute legal advice. Always consult a qualified attorney or compliance professional when interpreting HIPAA regulations.

“The forms on my website don’t collect any sensitive info. Why do I need to worry about HIPAA?” When we talk about contact forms on medical websites, that is the most common question. It’s a fair point. HIPAA is about safeguarding protected health information (PHI), and it’s logical to assume that a name and email address don’t count as health information. Instead, they look more like personally identifiable information (PII).

This can lead to a lot of confusion when building medical websites. However, the important point is that PII is not mutually exclusive with PHI. In fact, there is a lot of overlap between the two. This creates situations where web builders may not realize data counts as sensitive information and don't implement the proper protections. Patient privacy is not only important for avoiding HIPAA violations, but also for maintaining a positive patient relationship. With that in mind, this blog will explain more about how PHI relates to websites, and which types of forms are affected.

Do Websites Collect PHI?

A common misconception in the healthcare industry is that an entire medical website is either HIPAA compliant or it is not. This is why many services are marketed specifically as HIPAA compliant web builders. However, that’s not actually how the rules work. A website is not bound by HIPAA simply because it is operated by a covered entity. Instead, it’s the individual systems that handle PHI that are regulated. If there are zero PHI flows on a provider's site, then HIPAA does not apply to that website's functionality.

While many websites have PHI flows that are less obvious, web forms are the easiest mechanism to understand. Current or prospective patients navigate to a website and input sensitive information that is now tied to their name and contact details. When providers offer online intake forms, it’s even more straightforward. Patients input extremely sensitive info like medical history and Social Security Numbers. When that information is used in a medical context and handled by a covered entity or business associate, it can be PHI.

Many web designers attempt to circumvent HIPAA obligations by avoiding these types of forms. They limit sites to simple contact forms that collect a name and very basic contact info, without offering fields for extra details. The problem is that the data collected by these types of forms is often still classified as PHI.

What Is PHI?

Breaking down the term PHI can help explain why basic contact forms are able to collect it. Many think that protected health information must include details about specific conditions and medical history, or payment and insurance info. This is certainly part of it. Even those items, though, are not always classified as PHI. This is because data is only protected health information if it is maintained by a covered entity or business associate (e.g. vaccine records maintained by a university may not be PHI because a university is not a covered entity under HIPAA).

However, that’s not the only confusing element. The actual definition of items that can become PHI is much more broad than most realize. Once data is created, transmitted, received, or maintained by a covered entity or business associate, it only has to meet two more requirements:

  1. It must personally identify an individual.
  2. It must relate to their past, present, or future provision of care.

Do Simple Contact Forms Collect PHI?

The definition of PHI is relatively simple, but do contact forms on a covered entity’s site fit? Let’s break down this example:

Example appointment request form showing fields for name, phone number, and email address, with a submit button.

Does it meet the first requirement? Users enter their full name, email, and phone number. Since those are each listed as an identifier under HIPAA, the answer is yes. The second requirement is a bit more nuanced, but it can still be answered with only the information included in the example image. The giveaway is in the title. It’s an Appointment Request Form. Regardless of when the appointment takes place (or even if it never does), the information collected relates to the present or future provision of care from a covered entity.

This illustrates something that is so often overlooked when interpreting HIPAA guidelines. Context matters. The reason is simple. A user wouldn’t fill out a service request form on their mechanic’s website if they wanted to order a pizza. In the same way, a user who is filling out an appointment request form is doing it with the intent to receive care, making the submitted data PHI. Appointment request forms are the easiest examples, but it’s important to know that there are more situations that can still be affected. Every situation is unique, but if a web form can collect data that has the potential to be classified as PHI, the safe option is to ensure it is properly protected.

How To Make Web Forms HIPAA Compliant

HIPAA is all about risk mitigation. It would be impossible to eliminate the possibility of a PHI breach, but providers are required to implement mechanisms to reduce the chance of it happening. This is why it’s very important to understand the flows of PHI on a website and consider all possible sources. It’s far safer to ensure that every available web form is compliant because it protects against users accidentally submitting PHI through channels that were not intended for it.

Can a HIPAA Disclaimer Make an Online Form Compliant?

Many web builders try to implement non-compliant form solutions with a disclaimer attached. It usually reads something like: “This form is not secure. Please do not submit any Protected Health Information (PHI).” It’s good that developers are thinking about compliance, but unfortunately this disclaimer is not as powerful as it seems. Even something as simple as a name can become PHI in the right context, like the appointment request form example. Also, a disclaimer cannot prevent someone from submitting PHI; it just warns them not to.

HIPAA requires that covered entities and business associates safeguard PHI in their possession. It generally does not matter how the data was received. When it is maintained by a provider, all the same rules apply, and that data cannot sit in a non-compliant storage solution. In the event of a breach, an HHS auditor will look at the disclaimer as one reasonable safeguard, but that will not be nearly enough if it’s the only safeguard.

The Manual Option

Most web form solutions can be manually configured for HIPAA compliance. However, there is no universal method. Each tool has different elements to consider. Ultimately, it’s a matter of properly implementing the required safeguards. Each one is important to consider, but the most relevant for this task are the technical safeguards. These include access controls, audit logs, encryption, data retention, and more. Some safeguards are mandatory, and others are addressable. However, addressable does not necessarily mean optional; it simply means that if a covered entity chooses to forgo it, they need to document the reasoning behind that choice. Ultimately, it’s important for anyone undertaking the task of manual compliance to fully understand the necessary safeguards and find the proper solutions for their specific situation.

Form Vessel Simplifies Web Form Compliance

While many solutions can be manually configured for compliance, it’s often complex and time consuming. It’s also easy to overlook required elements, which can potentially have big consequences. The simpler solution is to rely on a tool that is built specifically for the job.

Form Vessel was designed with HIPAA compliance at the forefront. There are many form building options out there, but few were built for healthcare first. Form Vessel does not hide compliance behind a bunch of convoluted plans in a confusing chart. There’s one plan, one price, and every feature is unlocked.

Not only was our system built specifically to align with HIPAA safeguards, but also to be a powerful form builder. Everything is easy to use thanks to a large collection of drag and drop elements that are packed with intuitive design controls. This allows you to break free from restrictive templates and build beautiful forms that look custom made.

Get Started Today

When you want to skip the burden of manual compliance setup for web forms, it’s important to find a web builder that fits your needs. Form Vessel was built for compliance first but won’t force you to sacrifice on design quality. While no single solution can fully ensure compliance, Form Vessel can help you take a huge step in the right direction.