TechStudio asked:

Are there any HIPAA considerations involved with taking form submissions on a web site for a medical services company?

I am in the process of building a web site for a medical services company. They perform drug screenings and provide vaccination services as a couple of main examples. The plan for their web site is to create an area where their clients, businesses who employ fairly large numbers of workers who they want to screen, can submit a form input which authorizes the medical services company to perform a drug screening, charge the client and mail a paper copy of the results to the client. This is a basic overview of the form submission:

Client => Automatically selected field when user logs in, i.e. ACME, Inc.
Employee Name => Person who will be screened, John Q Public
Screening Options => Types of screenings and tests to be performed
Work Order Number => Some arbitrary number for paperwork, i.e. 283.01
Appointment Time/Date => Time and date of appointment

... so essentially the only medically significant information is the patient's name. However, the form may expand to include answers to questions such as "what medical conditions do you currently have" or "are you allergic to anything?" and so on. There will never be any social security numbers or payment information.

I plan to use the following methods to secure the login area on top of usual good development.

* SSL Certificate for front and back-end of site
* Complex password requirements
* When a submission hits the site an alert email is sent, but only to say a submission has been made. A clerk must log in using a complex password to find the information on the site's back-end under SSL.

This brings me to my question.

Does anyone know if these operations are covered under HIPAA and if there are any specific requirements the web site must adhere to therein?
Web Development, Security, Web Services

Last comment: David L. Hansen, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
David L. Hansen

SOLUTION
Dave Baldwin

TechStudio

ASKER
The only information stored in the site will be the actual request for the screening. That includes the patient's name and address, but not the results of their screening.

My real question is what security measures am I required to put into place?

I'm using complex passwords and forcing the site to operate under SSL. I'm also NOT emailing any of this information as email wouldn't be a secure transport method.

Is there more I need to do?