How To Build a HIPAA Compliant Website From Scratch and Secure Data

When you run a business in the healthcare industry, protecting patient privacy is the top priority. If you plan to operate a website that collects ePHI online, you must build a HIPAA compliant website.

For example, if you build an app for the healthcare industry, such as a doctor's appointment scheduler, that collects people's sensitive health data, then your website has to be HIPAA compliant.

This is a serious matter: if your website fails to follow any of the HIPAA rules that apply to you, you face heavy civil penalties. Here is a complete HIPAA compliance checklist to follow.

Today you will get a step by step guide to building a proper HIPAA compliant website on which you can collect ePHI legally.

What Is ePHI?

Electronic Protected Health Information (ePHI) is any individually identifiable health information that is created, received, stored or transmitted in electronic form, including data collected through a website.

The following identifiers, when they appear together with health information, make that information ePHI:

  • A person's name
  • Any dates directly related to the person (including birth date, admission and discharge dates)
  • Any contact information (phone, address, email, etc.)
  • Social Security number
  • Medical record number(s)
  • Images of medical treatments
  • Full-face photographs of the person
  • Biometric identifiers such as fingerprints or voice prints

All of this is sensitive data. HIPAA exists to ensure that the privacy of the people who share this data is protected with the utmost priority.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law signed in 1996.

It is a set of rules that covered entities (health care providers, health plans and clearinghouses) and their business associates must follow when they handle PHI, including ePHI.

HIPAA protects the privacy and security of people's medical information. Its strict rules exist to prevent any misuse of ePHI.

HIPAA lays down rules that businesses must abide by if they wish to collect or handle ePHI. Failure to follow them can result in civil monetary penalties from the HHS Office for Civil Rights and, for knowing violations, criminal charges.

Some Important Rules Of HIPAA

Before you start building the website, you should learn about the three kinds of safeguards the HIPAA Security Rule requires.

Physical safeguards: the data center where ePHI is stored must be physically secured, and the workstations and devices that access it must be controlled. Follow the HIPAA compliance checklist to make sure your business covers these.

Technical safeguards: the data itself must be protected while it is collected, transmitted and stored. This covers access control, audit logging, integrity protection, user authentication and transmission encryption.

So if you collect ePHI through online contact forms, patient intake forms, live chat, etc., you must make sure each of those channels protects the data end to end, no matter what.

Administrative safeguards: HIPAA also requires a documented risk analysis, workforce training, sanctions for violations, a contingency plan and signed business associate agreements with every vendor that touches ePHI.

You may read this checklist to make sure your business is HIPAA compliant, and then you may proceed to build a HIPAA compliant website.

Here are the steps you need to follow to build a proper HIPAA compliant website.

What Makes a Website HIPAA Compliant?

Many security measures are required to build a website that meets HIPAA requirements. Businesses often overlook some of them and end up with a fine, having put people's sensitive medical data at risk.

Follow the steps below to make sure your website meets HIPAA requirements.

1. Hire A HIPAA Consultant

Hiring a consultant should be one of the first things you do when you start the business.

If you have not already, then at least before you go live and start marketing your product, hire a HIPAA consultant to make sure you are doing everything right. Or rather, to make sure you are not doing anything wrong.

This goes hand in hand with your website and the data you collect. The HIPAA expert will be able to point out anything you are doing wrong and help you stay on the right track.

2. Use A Hosting Service That Is HIPAA Compliant

Since your website will handle ePHI, you must use a hosting provider that is HIPAA compliant and that will sign a business associate agreement (BAA) with you before you use its service. Without a signed BAA the provider cannot lawfully store your ePHI, however secure its data centers are.

Here are a few HIPAA compliant hosting providers you can look into.

3. Marketing Activities Must Be Secured

Any data you collect through marketing activities for your products has to be secured as well.

So whether you work with a marketing agency or use marketing tools, make sure they abide by HIPAA rules: inspect their practices, confirm they are HIPAA compliant, and get a signed BAA in place. Keep in mind that the Privacy Rule generally requires a patient's written authorization before PHI can be used for marketing, so a compliant tool does not by itself make a marketing use permitted. You can check out the HIPAA compliant video conferencing platforms, which you can use for communication during marketing efforts.

4. HIPAA Trained Accountants

Accountants are among the first employees who handle customer data, so in-house accountants must be trained on HIPAA compliance and monitored for breaches of the rules.

If you hire an outside accountant or an accounting firm, treat them like any other vendor and sign a business associate agreement that includes HIPAA compliant policies.

5. Initiate Proper Administrative Restrictions

You might have several partners in the business, but all of you must sign an agreement to follow certain administrative rules. For example:

  • how users must authenticate before they can handle data (for example multi-factor authentication for anyone who touches ePHI)
  • who is allowed to access data, and which fields (the minimum necessary for their role)
  • which administrative decisions about ePHI are not acceptable
  • how much access each partner has to the data centers

Beyond that, you must have a full incident response plan for what to do when a breach happens, and who will execute it. Even with strong security, breaches can happen, and the HIPAA Breach Notification Rule requires you to notify the affected individuals and HHS, so the plan has to exist before you need it.

Another important decision is who within the company will be allowed to access PHI. Every transfer of data in and out of the data center should be restricted to those people and recorded in an audit log.
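The access rules above (authentication before any access, role-based entitlement, minimum-necessary fields, and a record of every access) can be enforced in application code. The block below is an added example written for this article, not code from the original page or from any product it mentions; the roles, the record layout, the sample patient record and the function names are assumptions made for illustration.

```python
# Added example, not code from the original article: role-based access to ePHI with
# "minimum necessary" field filtering and an append-only audit trail. The roles, the
# record layout, the helper names and the sample record are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Role(Enum):
    CLINICIAN = "clinician"
    BILLING = "billing"
    MARKETING = "marketing"  # assumed role with no entitlement to ePHI


# Minimum-necessary policy: the record fields each role may see. A role that is
# absent from this table gets no access at all.
FIELD_POLICY = {
    Role.CLINICIAN: {"name", "dob", "mrn", "diagnosis", "notes", "insurance_id"},
    Role.BILLING: {"name", "mrn", "insurance_id"},
}


@dataclass(frozen=True)
class Actor:
    user_id: str
    role: Role
    mfa_verified: bool  # authentication strength is checked before any read


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user_id: str
    record_id: str
    purpose: str
    outcome: str  # "allowed" or "denied:<reason>"
    fields: tuple  # which fields were actually disclosed


class PhiStore:
    def __init__(self, records: dict):
        self._records = records
        self.audit_log: list[AuditEvent] = []  # append-only; the app never edits it

    def _log(self, actor, record_id, purpose, outcome, fields=()):
        self.audit_log.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                         actor.user_id, record_id, purpose,
                                         outcome, tuple(sorted(fields))))

    def read(self, actor: Actor, record_id: str, purpose: str) -> dict:
        """Return only the fields the actor's role may see, or raise. Every
        attempt, allowed or denied, is written to the audit log."""
        if not actor.mfa_verified:
            self._log(actor, record_id, purpose, "denied:no_mfa")
            raise PermissionError("multi-factor authentication required")
        allowed = FIELD_POLICY.get(actor.role)
        if allowed is None:
            self._log(actor, record_id, purpose, "denied:role")
            raise PermissionError(f"role {actor.role.value} may not access ePHI")
        record = self._records.get(record_id)
        if record is None:
            self._log(actor, record_id, purpose, "denied:no_such_record")
            raise KeyError(record_id)
        # Clinicians only see patients they treat (a care-team relationship).
        if actor.role is Role.CLINICIAN and actor.user_id not in record["care_team"]:
            self._log(actor, record_id, purpose, "denied:not_on_care_team")
            raise PermissionError("no treatment relationship with this patient")
        view = {k: v for k, v in record.items() if k in allowed}
        self._log(actor, record_id, purpose, "allowed", view.keys())
        return view


# Constructed sample record for the demo; not a real patient.
SAMPLE_RECORDS = {
    "rec-1001": {"name": "Jane Doe", "dob": "1980-04-12", "mrn": "MRN-77",
                 "diagnosis": "J45.20", "notes": "follow-up in 4 weeks",
                 "insurance_id": "INS-5", "care_team": {"dr.smith"}},
}


def demo() -> dict:
    """Three access attempts: treating clinician, billing clerk, marketing user."""
    store = PhiStore(SAMPLE_RECORDS)
    full = store.read(Actor("dr.smith", Role.CLINICIAN, True), "rec-1001", "treatment")
    partial = store.read(Actor("acct.lee", Role.BILLING, True), "rec-1001", "payment")
    try:
        store.read(Actor("mkt.kim", Role.MARKETING, True), "rec-1001", "campaign")
        marketing_denied = False
    except PermissionError:
        marketing_denied = True
    return {"clinician_fields": sorted(full), "billing_fields": sorted(partial),
            "marketing_denied": marketing_denied,
            "audit_outcomes": [e.outcome for e in store.audit_log]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter here. Denied attempts are logged with the same detail as allowed ones, because a pattern of denials is how you spot an insider probing records they have no relationship with. And the billing clerk never receives the diagnosis or clinical notes at all; filtering happens in the store, not in the screen that displays the data, so a new page cannot accidentally expose more than the role is entitled to.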

6. Implement an SSL/TLS Certificate for Your Website

Is SSL HIPAA compliant?

Make sure your website serves everything over HTTPS, so that any data transferred through the website is encrypted in transit. Your hosting provider protects the data at rest in its data center, but the connection between the visitor's browser and your server is your responsibility. A certificate alone is not the whole answer: HIPAA does not certify products, and the old SSL protocol versions themselves are broken. Configure the server for TLS 1.2 or newer, redirect every HTTP request to HTTPS, and enable HSTS so browsers never fall back to plain HTTP.

7. All Web Forms On Your Site Should Be Encrypted

Any web forms on your site must be protected along the whole path the data travels: encrypted in transit while the submission goes to your server, encrypted again if the server forwards it to a backend or data center, and encrypted at rest where it is stored. Two common mistakes break this chain: emailing form submissions to staff in plain text, and sending them to a third-party form builder that has not signed a BAA.
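Steps 6 and 7 both come down to the same transport settings: the server that receives the form must only speak modern TLS, and the server-to-backend hop must actually verify who it is talking to. The block below is an added example written for this article, not code from the original page or from any hosting provider it mentions. It uses only Python's standard ssl module; the cipher list, the wording of the findings and the function names are choices made for this example, and the certificate file arguments are placeholders the operator would supply.

```python
# Added example, not code from the original article: TLS configuration for the server
# that receives web-form submissions and for the outbound connection that forwards them
# to a backend, plus a review function that flags settings a HIPAA transmission-security
# check would reject. Only Python's standard ssl module is used; the cipher list, the
# findings text and the function names are choices made for this example.
import ssl
from typing import Optional

# Forward-secret, AEAD-only suites in OpenSSL cipher-list syntax. TLS 1.3 suites are
# controlled separately by OpenSSL and are always forward secret and AEAD.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"


def hardened_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Inbound side: TLS 1.2 or newer, PFS/AEAD ciphers only, no TLS compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION   # CRIME-class attacks need TLS compression
    if certfile:                           # the site's certificate chain and private key
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Outbound side (web server -> backend API): verify the chain and hostname
    against the system trust store, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The common shortcut that breaks the chain: verification switched off so a
    self-signed backend 'just works'. Anyone on the path can now read the ePHI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weak_server_context() -> ssl.SSLContext:
    """Server limited to an RSA-key-exchange suite: AEAD, but no forward secrecy,
    so a future private-key compromise decrypts every recorded session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("AES128-GCM-SHA256")
    return ctx


def _cipher_finding(c: dict) -> Optional[str]:
    """Why one negotiable cipher (a dict from SSLContext.get_ciphers()) is unacceptable."""
    if c.get("protocol") == "TLSv1.3":
        return None
    if not c.get("aead"):
        return f"non-AEAD cipher enabled: {c['name']}"
    kea = c.get("kea") or ""
    if kea != "kx-any" and not kea.startswith(("kx-ecdhe", "kx-dhe")):
        return f"no forward secrecy: {c['name']}"
    return None


def review_context(ctx: ssl.SSLContext) -> list:
    """Findings a transmission-security review would raise; an empty list is clean."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT:
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("client does not require a valid server certificate")
        if not ctx.check_hostname:
            findings.append("client does not verify the server hostname")
    for c in ctx.get_ciphers():
        reason = _cipher_finding(c)
        if reason and reason not in findings:
            findings.append(reason)
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened server", hardened_server_context()),
                      ("hardened client", hardened_client_context()),
                      ("weak client", weak_client_context()),
                      ("weak server", weak_server_context())):
        print(f"{name}: {review_context(ctx) or 'no findings'}")
```

The review function is the part worth keeping: run it against every SSLContext your application builds, in a unit test, so that a developer who disables certificate verification to get a staging backend working cannot ship that change without a failing test. Redirecting HTTP to HTTPS and sending the HSTS header are done in the web server or framework configuration and are not shown here.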

8. How Do I Make Email HIPAA Compliant?

Use Encrypted Email Servers

Email is the most common communication channel today, so you must use an email service that provides a high level of encryption.

You must make sure the emails you send are encrypted and that your email server can receive encrypted mail. Note that the TLS most mail servers use between each other is opportunistic: if the receiving server does not support it, the message falls back to plain text, so do not rely on it alone for ePHI.

It’s even better if you can choose an encrypted email service that is HIPAA compliant.

Here are a few email service providers that provide secured encrypted email service.

9. Have A Secured Way To Delete, Backup & Restore PHI Data

Even with a highly secured data center, you also need a secure way to back up PHI.

Most HIPAA compliant hosting providers offer this by default, but you can also use multiple data centers to back up PHI, as long as those data centers have been audited for HIPAA compliance and are covered by a BAA. Backups must be encrypted, and you should test the restore regularly; a backup you have never restored is not a contingency plan. Deletion has to be secure as well: when PHI is deleted or storage media are retired, the data should be wiped or the media destroyed, not just marked as free space.

10. Provide Secured Customer Service

Your customer service team should be trained on HIPAA and actively monitored to avoid a breach of ePHI.

Even the live chat service you use should apply encryption to every message, and if it is a third-party tool, the chat provider should be HIPAA compliant and sign a BAA.

11. Get Audited For HIPAA Compliance

Many third-party firms audit companies for HIPAA compliance. Once your website is set up, contact one and have it audit your compliance. Note that HHS does not recognise any official HIPAA certification; a third-party audit is an independent attestation that you have met the requirements, not a government certificate, and it does not shift liability away from you.

12. Respect the Rights of the People Whose Data You Hold

Keep in mind that a person who shares ePHI with you has the right to see, obtain a copy of, and request amendment of the ePHI you hold about them.

So you need to make sure people's privacy is respected and their decisions about their data are honoured.

When someone makes such a request, you have to verify that it is really that person before you act, and respond within 30 days (the Privacy Rule allows one 30-day extension if you tell the person why).

If you do not respond within the deadline, the person can file a complaint with the HHS Office for Civil Rights, which enforces HIPAA. None of us want that.

13. Hire An In-house HIPAA Expert

You can also hire HIPAA experts to work for your company full time. That way, whenever a website request or activity comes up, you can verify the best course of action in real time.

Is WordPress HIPAA Compliant?

Out of the box, WordPress is not HIPAA compliant. You need to put the security and technical safeguards in place before storing ePHI on a WordPress server. WordPress also does not come with a BAA: neither the WordPress.org project site nor its parent company's site mentions signing a BAA with anyone.

If you still want to work with WordPress and make it HIPAA compliant, here is a guide on how to make your WordPress site HIPAA compliant.

What Email Services Are HIPAA Compliant?

Provider       Features                                               HIPAA  Price
Egress         Inspect email, domain analysis, admin reporting        Yes    £90 / user / year
Hushmail       Drag and drop forms builder, ESIGN and UETA compliant  Yes    $29.9 / user / month
Barracuda      Email continuity, link scanning, outbound filtering    Yes    On request
Paubox         Single login, protection against spam and phishing     Yes    $10 / user / month, billed annually
NeoCertified   Email monitoring, email reminders, Microsoft Outlook   Yes    $99 / user / year

Author’s Note

The steps above are a must if you want to create a proper HIPAA compliant website and store ePHI. But as simple as they read, a lot of work is required to make sure they are followed properly.

Usually, the HIPAA consultant will help you identify any flaws and advise you on what you are missing.

The key to success is to make sure your website is prioritizing the privacy and protection of e-PHI data.

If you have any questions, feel free to ask in the comments. Good luck in creating a proper HIPAA compliant website.
