TechStudio

asked on

Are there any HIPAA considerations involved with taking form submissions on a web site for a medical services company?

I am in the process of building a web site for a medical services company. They perform drug screenings and provide vaccination services as a couple of main examples. The plan for their web site is to create an area where their clients, businesses that employ fairly large numbers of workers whom they want to screen, can submit a form input that authorizes the medical services company to perform a drug screening, charge the client and mail a paper copy of the results to the client. This is a basic overview of the form submission:

Client => Automatically selected field when user logs in, i.e. ACME, Inc.
Employee Name => Person who will be screened, John Q Public
Screening Options => Types of screenings and tests to be performed
Work Order Number => Some arbitrary number for paperwork, i.e. 283.01
Appointment Time/Date => Time and date of appointment

... so essentially the only medically significant information is the patient's name. However, the form may expand to include answers to questions such as "what medical conditions do you currently have" or "are you allergic to anything?" and so on. There will never be any social security numbers or payment information.

I plan to use the following methods to secure the login area, on top of the usual good development practices.

* SSL Certificate for front and back-end of site
* Complex password requirements
* When a submission hits the site an alert email is sent, but only to say a submission has been made. A clerk must log in using a complex password to find the information on the site's back-end under SSL.

This brings me to my question.

Does anyone know if these operations are covered under HIPAA and if there are any specific requirements the web site must adhere to therein?
ASKER CERTIFIED SOLUTION
David L. Hansen
TechStudio

ASKER

The only information stored in the site will be the actual request for the screening. That includes the patient's name and address, but not the results of their screening.

My real question is what security measures am I required to put into place?

I'm using complex passwords and forcing the site to operate under SSL. I'm also NOT emailing any of this information as email wouldn't be a secure transport method.

Is there more I need to do?
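The one concrete design point the asker states twice, in the original question ("an alert email is sent, but only to say a submission has been made") and again in the follow-up ("NOT emailing any of this information"), is that the outbound notification must carry nothing from the form. The block below is an added example, not the asker's code and not a HIPAA reference implementation: it builds the alert with only a random submission reference and a login link, shows the naive "copy the form into the mail" version beside it, and includes a send-time guard that refuses any message in which a form field value appears. The field names mirror the form in the question; the `ScreeningRequest` type, the portal URL and the sample submission are assumptions made for illustration.

```python
"""Alert-only notification for a screening-request form.

Added example (not the asker's code, nor any HIPAA reference implementation).
Field names mirror the form in the question; the ScreeningRequest type, the
portal URL and the sample data are assumptions. The hardened alert carries only
an opaque submission reference, so someone reading the clerk's mailbox (or the
SMTP hop in between) learns that a request exists, not who it is about.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from email.message import EmailMessage


@dataclass(frozen=True)
class ScreeningRequest:
    client: str                      # auto-filled from the login, e.g. "ACME, Inc."
    employee_name: str               # the person to be screened
    screening_options: tuple[str, ...]
    work_order: str                  # e.g. "283.01"
    appointment: str                 # e.g. "2024-06-03 09:30"


def new_submission_id() -> str:
    """128-bit random reference: not guessable, not derived from any form field."""
    return secrets.token_urlsafe(16)


def build_alert(submission_id: str, portal_url: str, created_at: datetime) -> EmailMessage:
    """Hardened alert: says that a submission exists and where to log in, nothing else."""
    msg = EmailMessage()
    msg["Subject"] = "New screening request submitted"
    msg.set_content(
        f"A new screening request was submitted at {created_at.isoformat()}.\n"
        f"Log in to the back-end to review it: {portal_url}/requests/{submission_id}\n"
    )
    return msg


def build_naive_alert(req: ScreeningRequest) -> EmailMessage:
    """The 'before' version: copies the form into the mail, which is exactly what
    the asker wants to avoid because SMTP is not a secure transport."""
    msg = EmailMessage()
    msg["Subject"] = f"Screening request for {req.employee_name} ({req.client})"
    msg.set_content(
        f"Work order {req.work_order}, appointment {req.appointment}\n"
        f"Tests: {', '.join(req.screening_options)}\n"
    )
    return msg


def leaked_fields(msg: EmailMessage, req: ScreeningRequest) -> list[str]:
    """Names of form fields whose values appear anywhere in the subject or body.
    Use it as a unit test and as a guard before handing any notification to SMTP."""
    text = f"{msg['Subject']}\n{msg.get_content()}".casefold()
    values = {
        "client": [req.client],
        "employee_name": [req.employee_name],
        "screening_options": list(req.screening_options),
        "work_order": [req.work_order],
        "appointment": [req.appointment],
    }
    return [name for name, vals in values.items()
            if any(v.casefold() in text for v in vals)]


def demo() -> tuple[list[str], list[str]]:
    """Run both builders over a constructed sample submission (not real data)."""
    req = ScreeningRequest("ACME, Inc.", "John Q Public",
                           ("5-panel drug screen", "TB skin test"),
                           "283.01", "2024-06-03 09:30")
    created = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    safe = build_alert(new_submission_id(), "https://portal.example.com", created)
    return leaked_fields(safe, req), leaked_fields(build_naive_alert(req), req)


if __name__ == "__main__":
    safe_leaks, naive_leaks = demo()
    print("hardened alert leaks:", safe_leaks)   # []
    print("naive alert leaks:", naive_leaks)     # every field
```

The link in the hardened alert still requires the clerk to log in; the random reference only tells the clerk which record to open once authenticated, and a guessed or leaked reference on its own discloses nothing. Wiring `leaked_fields` into the send path (refuse to send when it returns a non-empty list) keeps a later form extension, such as the "medical conditions" or "allergies" questions mentioned in the question, from silently ending up in email.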