Web Development: Avoiding HIPAA Issues

Posted by 5x5 on December 28, 2009 under Computers

[Image: Green Days' Website]

The Health Insurance Portability and Accountability Act (HIPAA) regulates health information and is meant to ensure your private health information does not end up in the hands of people you don't wish to have it.

As a web developer, you need to be aware of the line between letting patients share information through support groups or testimonials and having private information displayed on the Internet. Let's use a fictitious Greener Day Vasectomy Clinic as an example. After a procedure has been performed, doctors at Greener Day ask their patients to check in on a yearly basis to ensure there have been no slip-ups with the procedure. At the bottom of the form, patients are given the option to share their message with other patients. This is a great opportunity for patients to give each other support like "You go tiger!", but it is also a disaster waiting to happen: private information meant only for the doctor, such as "I slept with 14 women in the past year and not one got pregnant! t14@happygolfer.com", can end up in the public domain.

[Image: Dangerous territory]

Tips for playing it safe:

1) Do not include testimonial or other sharing-type items on any page where a patient will be submitting information to the doctor. These pages need to be secure and transmitted to the doctor in an encrypted manner. Either keep the pages separate or, if patients select "yes" to indicate they wish to share information, take them to a second page that restates that anything shared on that page will be public. This prevents information a patient never wanted to share from becoming public because they hurried through a form or forgot to click "No".

2) If clients are sharing testimonials, do not display their e-mail address or other contact information on the page. While they may have agreed to say good things about your company, they probably did not agree to have their e-mail address out there for every spam bot in the universe to pick up.

3) When collecting patient information, do not automatically generate a "hidden" web page for each submission. There might not be any direct links from the website to it, but search engines and any cracker digging around the site can still find the information.

4) Avoid shortcuts if they threaten privacy. Having everything in one form might be convenient for the web developer, but if it opens any chance for private information to accidentally become public, scratch it and rethink it.

5) Do not rely on robots.txt to keep information private.

6) If you really want something to be kept private, do not store the information on any computer that is connected to the Internet.
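The two-step flow from tips 1 and 2, written out as an added example that is not part of the original post: the check-in message goes only to the doctor's private store, sharing happens on a separate confirmation step, and contact details are stripped before anything is published. The store names, function names and patient text are hypothetical and constructed for the example.

```python
import re
from typing import Dict, List

# Constructed in-memory stands-ins for the clinic's doctor-only storage and the
# public testimonial page (hypothetical; a real site would encrypt the first).
PRIVATE_CHECKINS: Dict[int, dict] = {}
PUBLIC_TESTIMONIALS: List[str] = []

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def submit_checkin(patient_id: int, message: str, wants_to_share: str = "") -> dict:
    """Step 1: the yearly check-in form. The message is stored for the doctor only.
    Nothing is published here; a 'yes' merely routes the patient to step 2, and
    the default (no answer) is treated as 'no'. Records are keyed by id, not by
    generating a page per submission (tip 3)."""
    record_id = len(PRIVATE_CHECKINS) + 1
    PRIVATE_CHECKINS[record_id] = {"patient_id": patient_id, "message": message}
    next_step = "confirm_share" if wants_to_share.strip().lower() == "yes" else "done"
    return {"record_id": record_id, "next": next_step}


def redact_contact_details(text: str) -> str:
    """Tip 2: remove e-mail addresses and phone numbers before public display."""
    text = EMAIL_RE.sub("[e-mail removed]", text)
    return PHONE_RE.sub("[phone removed]", text)


def confirm_share(record_id: int, public_text: str, confirmed: bool) -> bool:
    """Step 2: a separate page that restates 'this will be public'. The patient
    writes the public text afresh; the private check-in message is never reused."""
    if not confirmed or record_id not in PRIVATE_CHECKINS:
        return False
    PUBLIC_TESTIMONIALS.append(redact_contact_details(public_text))
    return True
```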

  • Chris Roane said,

    I have not personally developed a website for a client that wanted to post any kind of text provided by the client.

    You did bring up some good points on avoiding a few scenarios that could bring up problems. Especially dealing with the medical industry, it is always good to be on the safe side.

    One other thing I would add is to get a secure certificate in any places where patient information is gathered.
