HIPAA Compliance on the Web – A Guide for Therapists

For any mental health professional, HIPAA, or the Health Insurance Portability and Accountability Act of 1996, has undoubtedly impacted the way you handle patient information. Written to safeguard patient information, HIPAA has served as an essential tool to ensure privacy. In the mental health space, this information is even more sacred, with clients often only trusting their providers with this delicate look into their life.

Unfortunately, lawmakers created HIPAA over two decades ago, and for many, it is unclear what obligations they need to take in the digital age to meet compliance. We created this guide as a tool for therapists, licensed social workers, psychologists, psychiatrists – but ultimately it is up to the provider to ensure that they are meeting HIPAA compliance.

So, does my website need to be HIPAA compliant?

It’s a good question! As platforms like Psychology Today and GoodTherapy have made it easier for patients to reach mental health providers online, many mental health professionals have created their own web pages, to intake clients and provide information seamlessly. In a separate article, we will outline the importance of having a website for your practice, but today, let’s make sure that you are not at risk of violating HIPAA compliance.

Unfortunately, there isn’t a one-size fit all definition for meeting HIPAA compliance, but if you handle any PHI (protected health information) on your website – you must meet strict HIPAA standards. PHI includes any information that can be used to identify current or future patients. This includes names, emails, phone numbers, addresses, social security numbers, and much more.

Many therapists collect PHI through contact forms and emails before establishing care. While this often conducted carefully, it is still a violation of HIPAA compliance, and any data breach can set you up for liability.

Common HIPAA Points of Concern:

Business Associate Agreements:

Therapists must obtain a BAA, or Business Associate Agreement, for each provider that ever touches the data of their patients. For many, this would require a BAA from your email provider, contact form provider, and depending on data storage, your web host.

How do I meet HIPAA Compliance?

To meet HIPAA compliance, we need to look at the places where you handle patient information. For the majority of therapists and mental health professionals, there are two areas where we should look: the contact form and email service.

For contact forms, patient information needs to be encrypted throughout the journey. HIPAA requires encryption when data is “in motion” and “at rest”. This means that your contact form must securely encrypt patient information when they hit submit, stay encrypted as it transmits to your inbox, and remain encrypted as a record. This is often referred to as end-to-end encryption.

Additionally, best practices would ensure that the content and connection of your website is secure through an SSL certificate (you can check any website’s security through the lock icon or https:// in your browser)

This leads to the second point of concern – email. All of your emails containing PHI must be encrypted. This is difficult to accomplish through traditional email providers such as Gmail. Service providers like Hushmail and Paubox specialize in data encryption and provide solutions to ensure you are meeting HIPAA compliance.

An Easy, Affordable, HIPAA-Compliant Solution

Patient data security is essential, but modern day HIPAA standard are often difficult or expensive for therapists to meet. Fuerza Design specializes in creating HIPAA-compliant solutions at an affordable rate. You do not need a new website to ensure HIPAA compliance. We would love to discuss an affordable and accessible solution for compliance.