I am in the process of building a web site for a medical services company. They perform drug screenings and provide vaccination services, as a couple of main examples. The plan for their web site is to create an area where their clients (businesses that employ fairly large numbers of workers whom they want to screen) can submit a form that authorizes the medical services company to perform a drug screening, charge the client and mail a paper copy of the results to the client. This is a basic overview of the form submission:
Client => Automatically selected field when the user logs in, i.e. ACME, Inc.
Employee Name => Person who will be screened, John Q Public
Screening Options => Types of screenings and tests to be performed
Work Order Number => Some arbitrary number for paperwork, i.e. 283.01
Appointment Time/Date => Time and date of appointment
... so essentially the only medically significant information is the patient's name. However, the form may expand to include answers to questions such as "what medical conditions do you currently have" or "are you allergic to anything?" and so on. There will never be any social security numbers or payment information.
I plan to use the following methods to secure the login area, on top of the usual good development practices:
* SSL certificate for the front end and back end of the site
* Complex password requirements
* When a submission hits the site, an alert email is sent, but only to say that a submission has been made. A clerk must log in using a complex password to find the information on the site's back end under SSL.
This brings me to my question.
Does anyone know if these operations are covered under HIPAA and if there are any specific requirements the web site must adhere to therein?
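The two technical controls in the post, a notification that carries no data about the person being screened and a clerk login with a complex password, can be modelled in a few lines. The code below is an added example and is not part of the original post or of the poster's site; the field names, the password policy thresholds, the scrypt parameters and the sample submission are all assumptions chosen for illustration. It shows the safe alert email next to a careless one that includes the employee name, a check that catches the leak, and password handling for the clerk account (policy check plus salted scrypt hashing), which the post mentions only as "complex password".

```python
"""Added example (not from the original post): data-minimised alert email
and clerk password handling for the screening-request flow described above.
All field names, thresholds and sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac
import re
import secrets


@dataclass
class Submission:
    """One screening request. Field names are assumed, not the site's own."""
    client: str                     # set server-side from the logged-in account
    employee_name: str              # the only medically significant field today
    screening_options: list[str]
    work_order: str
    appointment: str
    extra: dict[str, str] = field(default_factory=dict)  # future health questions
    submission_id: str = field(default_factory=lambda: secrets.token_hex(8))


def sample_submission() -> Submission:
    """Constructed sample input, not real data."""
    return Submission(
        client="ACME, Inc.",
        employee_name="John Q Public",
        screening_options=["10-panel urine drug screen", "Hepatitis B vaccination"],
        work_order="283.01",
        appointment="2024-03-04T09:30",
        extra={"allergies": "penicillin"},
    )


def build_alert_email(sub: Submission, now: datetime | None = None) -> dict[str, str]:
    """The safe notification: only an opaque id and timestamp, nothing about the
    employee, so a misrouted or compromised mailbox learns nothing."""
    now = now or datetime.now(timezone.utc)
    return {
        "subject": f"New screening request {sub.submission_id}",
        "body": (
            f"A screening request (id {sub.submission_id}) was submitted at "
            f"{now.isoformat(timespec='seconds')}.\n"
            "Log in to the back office over HTTPS to view it.\n"
        ),
    }


def build_naive_alert_email(sub: Submission) -> dict[str, str]:
    """The careless version, kept only to show what the leak check catches."""
    return {
        "subject": f"New screening request for {sub.employee_name}",
        "body": f"{sub.client} requested: {', '.join(sub.screening_options)}\n",
    }


def leaks_sensitive_data(message: dict[str, str], sub: Submission) -> bool:
    """True if any employee-related value from the submission appears in the message.
    Run this in tests against every outbound template."""
    text = (message["subject"] + "\n" + message["body"]).lower()
    values = [sub.employee_name, *sub.screening_options, *sub.extra.values()]
    return any(v.lower() in text for v in values if v)


MIN_PASSWORD_LENGTH = 12  # assumed policy value


def password_meets_policy(pw: str) -> bool:
    """Assumed complexity policy: length, upper, lower, digit and symbol classes."""
    return (
        len(pw) >= MIN_PASSWORD_LENGTH
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def hash_password(pw: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted scrypt hash for the clerk credential; store (salt, digest), never pw."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    sub = sample_submission()
    print(build_alert_email(sub)["body"])
    print("safe template leaks:", leaks_sensitive_data(build_alert_email(sub), sub))
    print("naive template leaks:", leaks_sensitive_data(build_naive_alert_email(sub), sub))
```

The `leaks_sensitive_data` check is the part worth keeping around: if the form later grows answers to "what medical conditions do you currently have", adding them to `extra` automatically extends the check, so a future template change that copies them into the email fails a test instead of reaching an inbox.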