3 Must-Haves for a HIPAA-Compliant Website

Hello everybody, and welcome to the Medical Marketing Podcast from Messenger – the show where we give you actionable tips and insights to help improve your practice marketing, grow revenue, and take patient experience to the next level.

I’m your host, Crawford Ifland, and today we’re going to be talking about the three must-haves for a HIPAA-compliant website. Let’s dive in.


So here’s the thing: HIPAA is kind of a mess. Don’t get me wrong – the privacy protections in HIPAA are a very good thing. Nobody wants their sensitive information disclosed, after all.

But in my view, HIPAA puts a crazy burden on healthcare providers. There are so many regulations and rules that doctors often find themselves scrambling to comply.

Now, I’m not a healthcare attorney, and none of this is legal advice. You should always consult with an attorney who specializes in this type of thing who can give you advice that’s specific to your practice.

So let’s go back to 1996, when the law was written. The Internet was still in its infancy, and very few patients were using the web to interact with their physicians.

That has obviously changed today. 9 out of 10 patients turn to Google as their first step in selecting a doctor, and the vast majority of patients want a way to communicate with the doctors, schedule an appointment, or receive care online.

In so many ways, this is great. We’re democratizing healthcare, expanding access, and improving that patient experience.

But moving healthcare online is also a huge problem, particularly for data and privacy. Just look at the data leaks, hacks, and other scandals over the past few years alone: Cambridge Analytica. The Equifax hack. Solarwinds.

Data is everywhere, and so are opportunities to steal it. So if you want to remain secure and protect your patients (and your practice), today we’re going to look at the top 3 “must-haves” for a HIPAA-compliant practice website.

Number one, hosting.

1. HIPAA-Compliant Hosting

Now, regardless of what industry you’re in, you have to have website hosting.

If you actually want a website, all of that stuff has to have a place to live.

But if you’re in healthcare, there are some extra requirements that are layered on top. For instance, your hosting cannot be shared. So that pretty much throws all GoDaddy hosting out the window where you know you’re only paying $4/month. Those are all shared servers, so they’re not going to work, you have to have your own server.

It also has to be based in the US in order for it to be HIPAA compliant. And the data center itself actually has to be HIPAA compliant. So you need to do your research to find a provider that does have HIPAA compliance, is regularly audited, and has all the appropriate controls in place. Those are really the only ones that you should be going with, if you want to maintain 100% HIPAA compliance.

Now, that hosting environment has to have firewalls and intrusion prevention. This is true for the hosting environment, but it’s also true for your website itself. The data center where it’s stored needs to have strong security protections, and I’m talking both digital security protections and physical ones, like who has access to the building.

Now, there are a lot of hosting providers out there that do actually offer this type of thing – they’re regularly audited, they have all the right compliance officers, they have all of these protections. That’s the one that you need to go with for your website hosting. You can’t just spin up GoDaddy and say “hey, I want to pay five bucks a month” and just assume it’s good…because it will not technically be HIPAA compliant.

So the first thing you need to look at is your hosting. Number two: passwords and access.

2. Strong Passwords

So, let’s talk about passwords.

Passwords suck.

The vast majority of people use the same password for everything – that’s a terrible security practice, especially in your practice itself where you have staff that are interacting with patients, handling patient data, but also on your website.

You need to be using a password manager that can generate, and remember, very complex passwords that you’d never be able to remember on your own. This is absolutely a must. You have to have this in place for the computers that are in your office, all of the devices you use, anything that stores that protected health information (especially your website).

But passwords aren’t really enough. You also have to have multi-factor authentication in place.

Now, if you have an email account, you try to log in and it says “hey, we don’t recognize the device that you’re using, we just sent a code to your email, or we just sent you a text message with a code, please input it here”. That’s multi-factor authentication.

Yes, those can get annoying, and nobody really loves using them. But multi-factor authentication combines something that you know, like a password, with something that you have, like a physical device, whether that’s your phone or your computer; you can even use a USB security key that can issue those one-time codes.

This is especially important for HIPAA compliance, because it provides an extra layer of protection against anyone who’s trying to get in and snoop where they don’t belong.

Now, this applies both to your website and applies to the first point we had earlier which was your hosting. You want to make sure that your hosting provider has this too, because even if your website is secure, somebody could potentially get access to your hosting account, and then basically have a backdoor into all of that sensitive information, and you don’t want that.

So, use a password manager, choose strong passwords, and use two-factor authentication wherever you can, across all services.

The third and final thing we need to talk about is encryption.

3. Encryption

So, encryption is a must if you want to have a HIPAA compliant website.

So, HIPAA regulations stipulate that all protected health information from patients has to be encrypted. And most importantly, it has to be encrypted while in transit – while an email is being sent to your front office, for instance. But it also has to be encrypted at rest: if it’s sitting in a database somewhere, whether that’s on your website or with your cloud hosting provider, if that information is there, it needs to be encrypted such that only the people who should have access to it can access it and actually read it.

Now, the best way to figure out if your website is collecting any protected health information is, honestly, to look at whether you use any contact forms: anything that asks about symptoms, medical services, medication, or any health-related information.

The same goes if you have patient forms that people fill out and submit online, if you use live chat on your website, or if you have a patient portal. Honestly, patient reviews and testimonials fall under this category as well.

If you have any tool on your website that collects patient information, then because you are a healthcare provider, that is technically protected information.

A best practice is to use third party services for all of those needs that are HIPAA compliant, rather than trying to do it yourself. I can’t tell you the number of clients that we’ve come across that host their own contact forms or store data in the backend: “Hey somebody filled out a contact form. Well, we can just log into our website and see all of that data.”

If it’s not encrypted, it’s not HIPAA compliant.

So the best practice here is to pay for third party services that do all of that compliance for you. It has to be encrypted in transit, it has to be encrypted at rest. And honestly, if you’re not going to use all of those third party services, the next best practice is to not store any patient data at all on your website.

Don’t be putting it in the back end, don’t be keeping it in the database. Just send it and get rid of it; don’t store anything at all, because that’s really going to be a problem for you if you do have some kind of security intrusion.

And the final piece of this whole encryption thing is an SSL certificate. You absolutely have to have one of these, honestly, if you want to rank well on Google, because Google will demote sites that are insecure. But it also matters for patient trust and privacy. Much like when you’re browsing for products on Amazon, you want to see, “hey, when I’m inputting my credit card information, I want to know that this is secure.” Patients expect the same thing of your practice website.

They want to know that when they’re sending their information, when they’re putting themselves out there, all of that information is being encrypted and that it is secure. So, an SSL certificate is a must.

So those are the three things that you must have if you want to have a HIPAA compliant website.

Number one, you’ve got to look at your hosting and ensure that it’s up to date, that it’s HIPAA compliant, and that you’re using the right provider there.

Number two, you’ve got to get your passwords into shape and use two-factor authentication wherever possible.

And number three, you have to encrypt everything. Any type of patient information, any type of patient data, no matter how inconsequential it may seem, it’s important to have it encrypted everywhere.

So that’s what you need to do for a HIPAA compliant website.

Next Week

Well, that’s all for this week’s episode of the Medical Marketing Podcast – thanks for tuning in.

You can subscribe to The Medical Marketing Podcast for free on Apple Podcasts, Spotify, or wherever you get your podcasts. And if you like the show, let us know by writing a review on Apple Podcasts – we’ll have a link in the show notes.

If you want more practice marketing resources, check out our website at www.messenger.md. We’re always sharing helpful tips and know-how to help you improve your practice marketing, grow revenue, and take your patient experience to the next level.

That’s all for today’s episode – I’m Crawford Ifland. See you next time.