HIPAA Compliance - Online Form Submission

We have a situation where the business owner wants potential patients to submit their information from a web site. This information includes their social security number and personal information. When the form is filled out on the web site and "Submit" is hit, the information is delivered to an email address.

The company that is building the site advised that it have a certificate, however it left the rest of the compliance concerns up to the business owner. If the site has a certificate then I am going to assume that the visitor's session while filling out the form is secure; however, when "Submit" is hit that information is being sent to an email address.

Is there a more secure way of having these forms submitted? The web site resides on a GoDaddy shared hosting account and the email address being used is on a Hosted Exchange account with Microsoft.

Any advice will be appreciated. Thanks
Poly11 asked:
Jason C. Levine commented:
If the site has a certificate then I am going to assume that the visitor's session while filling out the form is secure; however, when "Submit" is hit that information is being sent to an email address. Is there a more secure way of having these forms submitted?

Don't send any PII over unencrypted email, as that is an instant HIPAA violation. What I would do is secure the entire web site, not just the form, and write the contents of the form to a database or file outside the web root. The email notifies the office that a new contact has been created, and the office uses a secure method to access the DB or file and do something with it.

Alternately, and possibly better, would be to pipe the form contents securely to a CRM product of some sort.

btan (Exec Consultant) commented:
Go secure by default - All should be HTTPS (channel confidentiality) by default, e.g. each form submission should be signed and its fields encrypted (data encryption) via the SSL certificate of the server, especially those containing the transaction and personal medical details going towards the hosted Exchange, and it will be best to use S/MIME (data protection). Or even package it and send it over...
https://askleo.com/just_how_secure_is_email_anyway/

I suspect code changes will likely be needed to do this data encryption as a whole, but minimally the sensitive information should not be in the clear but hashed or encoded with complexity... some have even stated format-preserving encryption (), which may be more complicated.
https://www.voltage.com/technology/data-encryption/hp-format-preserving-encryption/

Go for non-repudiation - Besides the above signing by the server for the transaction, I am even thinking of the form generating a transaction id for each submission, used as a form of protecting the data itself, so that each field is specific to that unique transaction for later retrieval by the user and for audit trails... but this may need development effort.

Go for secure code development - Part of a secure development lifecycle (SDLC) using secure coding (https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide). Include as part of the SDLC site verification via web security testing using Sucuri SiteCheck and ScanMyServer, to serve as a regime for preventing SQL injection, XSS or other web vulnerabilities etc. and for checking for the existence of any malware.
https://sitecheck.sucuri.net//
https://www.scanmyserver.com/

Go for prevention and deterrence - Consider having DDoS protection (with a WAF) like Cloudflare or Incapsula and defacement monitoring to deter and block abuse attempts hindering site availability. Also enforce a CAPTCHA to deter automated robots and web crawlers from spamming the form submission and thus flooding Exchange...
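As an added example, not code from the original thread or from either commenter, here is a minimal intake handler in Python that follows Jason C. Levine's advice (keep the submission out of the email, write it to a store outside the web root, notify the office with a reference only) and btan's suggestion of a per-submission transaction id usable for retrieval and audit trails. Everything about the deployment is assumed: the handler runs as the web user, `STORE_DIR` is a directory outside the document root that only that user can read, and a server-side secret is used to tag each stored record so tampering with a file is detected on retrieval. The sample submission is constructed fake data. Encryption at rest (for example with the `cryptography` package) would be layered on top of this and is not shown; the integrity tag is an HMAC, which is tamper evidence, not a signature with non-repudiation.

```python
"""Intake form handler: store outside the web root, e-mail a transaction id only.

Added example; assumes a POSIX host, a private STORE_DIR outside the web root,
and a 32-byte server-side secret used as the HMAC key for each record.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time
from pathlib import Path

# Fields whose values must never appear in the notification e-mail or audit log.
SENSITIVE_FIELDS = {"name", "ssn", "dob", "phone", "email"}
HEX = set("0123456789abcdef")


def new_transaction_id() -> str:
    # 128 random bits: unguessable, so the id can double as the retrieval handle.
    return secrets.token_hex(16)


def valid_txid(txid: str) -> bool:
    # Reject anything that is not exactly our id format before touching the filesystem
    # (blocks path traversal when the id arrives from the office's retrieval request).
    return len(txid) == 32 and set(txid) <= HEX


def redact_ssn(ssn: str) -> str:
    # Keep only the last four digits for the audit trail.
    return "***-**-" + ssn[-4:]


def store_submission(store_dir: str, fields: dict, key: bytes) -> str:
    store = Path(store_dir)
    store.mkdir(mode=0o700, parents=True, exist_ok=True)
    txid = new_transaction_id()
    record = {"txid": txid, "received": int(time.time()), "fields": fields}
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # O_EXCL: never overwrite an existing record; 0600: other shared-host users cannot read it.
    fd = os.open(store / f"{txid}.json", os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(body + b"\n" + tag + b"\n")
    # Audit line carries the id and a redacted SSN, never the full record.
    with open(store / "audit.log", "a", encoding="utf-8") as log:
        log.write(f"{record['received']} received txid={txid} ssn={redact_ssn(fields['ssn'])}\n")
    return txid


def load_submission(store_dir: str, txid: str, key: bytes) -> dict:
    if not valid_txid(txid):
        raise ValueError("malformed transaction id")
    body, tag = (Path(store_dir) / f"{txid}.json").read_bytes().rstrip(b"\n").split(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("stored record failed integrity check")
    return json.loads(body)


def notification_email(txid: str, office_addr: str) -> dict:
    # The office gets a pointer to the record, not the record.
    return {
        "to": office_addr,
        "subject": "New patient intake form received",
        "body": f"A new intake form was submitted. Transaction id: {txid}\n"
                "Log in to the intake system to review it.",
    }


def email_leaks_pii(msg: dict, fields: dict) -> bool:
    text = msg["subject"] + msg["body"]
    return any(str(v) in text for k, v in fields.items() if k in SENSITIVE_FIELDS and v)


def demo() -> dict:
    # Constructed sample submission (fake data, not real patient information).
    fields = {"name": "Jane Example", "ssn": "123-45-6789", "dob": "1970-01-01",
              "phone": "555-0100", "email": "jane@example.invalid", "reason": "new patient"}
    with tempfile.TemporaryDirectory() as store:
        key = secrets.token_bytes(32)            # assumed: loaded from a file outside the web root
        txid = store_submission(store, fields, key)
        msg = notification_email(txid, "intake@clinic.example")
        roundtrip = load_submission(store, txid, key)["fields"] == fields
        # Tamper with the stored file (same length, so only the content changes) and retry.
        path = Path(store) / f"{txid}.json"
        path.write_bytes(path.read_bytes().replace(b"123-45-6789", b"000-00-0000"))
        try:
            load_submission(store, txid, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        audit = (Path(store) / "audit.log").read_text()
        return {"txid": txid, "leaks": email_leaks_pii(msg, fields), "roundtrip": roundtrip,
                "tamper_detected": tamper_detected, "audit_has_full_ssn": "123-45-6789" in audit}


if __name__ == "__main__":
    print(demo())
```

The e-mail that reaches the Hosted Exchange mailbox contains only the transaction id, so an intercepted or forwarded notification exposes nothing; the office retrieves the record over HTTPS with that id, and `load_submission` refuses both malformed ids and any stored file whose HMAC no longer matches.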