RON: Yeah. As a little background, in the 15 years we've been in business, we've done over 1,300 websites, and our largest vertical is medical. So a lot of the information I'll be providing is what I've seen in doing a significant number of these medical websites for many of our clients, and we're happy to talk to you guys at any time about that. But to answer your question specifically, Chris, for example, let's say a client has a...well, here's a real scenario. One of our clients, they do therapeutic services. So for child development services in the first three years of a child's life, they do developmental therapy like occupational therapy, physical therapy, speech therapy, things like that. And so we built a website for them a number of years ago, and it was just a simple non-secure website. It was many years ago, when SSL certificates weren't really even a thing.
And so they had that, and it was really a website to help drive business and bring new therapists to work there. So it didn't have to be HIPAA compliant. And so we built the website, and it ran really well. Then he had to start doing some SEO, and it started driving a lot of traffic to the website, so much so that patients started coming and going, well, hey, can I sign up directly with you rather than being prescribed from a doctor, and they said, yes. So the next call to us was, okay, we need to be able to onboard our clients.
Well, when they onboard a client, that's obviously going to gather some of this protected information, information about diagnoses and things that might be wrong with their children that they need help with, and so we had to start collecting data. Well, the client didn't have enough money to go back and migrate the website to a whole new HIPAA compliant hosted website and redo the whole website, so one of the things you can do is not store any of the PHI data. So Chris, you know what we did with that client, how would I have a secure onboarding form on this website, however, not violate PHI and store that data?
CHRIS: Yeah, that's a great question. And it's something that might be overwhelming for folks. So there are forms that we can embed that you can work with a SaaS-based HIPAA form company and embed a form in the site, but the data for the form isn't actually persisted into the website itself, it's persisted into that form provider's data center, essentially. And so they're managing all of the HIPAA compliance through this SaaS-based service. And so we'll talk about this later, but you can essentially get a BAA with them, because your organization will be referred to as a covered entity, a CE, and you want to get a BAA, a business associate agreement, which is essentially, without going into a lot of detail, it's basically this agreement between the CE and the other providers about what is actually being covered, and what is the responsibility of this partner with this HIPAA data. And so anyway, long story short, that's one flavor of doing this. There are many other flavors, but for a simple form, that's a great solution, isn't it?
RON: Yeah. And one thing to really understand about when HIPAA does not apply is that it doesn't apply like people think. I mean, I've seen so many videos and TikToks lately, and everybody's just like, you can't ask me my height or weight, you can't ask me my birth date, that's a HIPAA violation, and it's not. People don't understand that HIPAA doesn't apply to us as individuals. For example, I go to the doctor's patient portal, and I can log in, and as a patient, I can see all of my medical records, I can see my lab test results, I can do anything I want. And if I was applying for life insurance, they may say, hey, we need these lab results or whatever, and I have every right to go into the patient portal, download those files, extract that PHI information out of that portal, and I can turn around and hand it to anybody I want.
And that doesn't violate HIPAA, because I own the data, I have the right. What it really protects is, the life insurance person could not pick up the phone and call my doctor and say, hey, by the way, can you tell me Ron's last blood results, because that is protected healthcare information about a patient, and the patient has not given consent to give and distribute that information out. That's why a lot of times if you go to a doc, and you have to go to a specialist, what do they do?
They refer you to the specialist, so you can go and share whatever, and then you have to sign that form they make you sign saying that you're able to share your information with another doctor, and you have to list that doctor, because you're the only one that can share that information. So if anybody asks you for HIPAA-covered information, they can ask you anything they want, you don't have to give it, but that does not violate HIPAA. And that's probably the one thing I hear most from people, is they think if somebody asks them any question about their health, that they're violating HIPAA, and that's just not the case.
CHRIS: That's right. And so I think the summary here is that HIPAA doesn't apply if you're not storing this ePHI data, and in particular, for online scenarios in general, this PHI, protected health information. And so that's really the bottom line in general, and there are a lot of nuances to this, but let's get into when it does apply, and let's start by talking about one of the tenets of software and online HIPAA, which is the Security Rule.