The Challenges of HIPAA Compliance

Healthcare eCommerce Platforms and the Need for HIPAA Compliance

Why Is HIPAA Compliance Within WooCommerce a Challenge?

When someone in the wider healthcare business area is thinking of launching an eCommerce platform, the first thing they should think about is HIPAA compliance. HIPAA, the Health Insurance Portability and Accountability Act, has developed into the main legal tool for protecting individually identifiable health information, known as protected health information (PHI). PHI is health information (about a person's condition, treatment, or payment for care) that is linked to identifiers which can be used to tell who that person is. Although the idea of HIPAA compliance is straightforward in principle, putting it into practice in the complex world of eCommerce can be a challenge, and in this article we elaborate on the challenges of setting up a HIPAA compliant website. HIPAA was enacted in 1996, long before the “online business boom”, so initially there were no specific guidelines on how to handle healthcare eCommerce. Since then, many rules, guidelines, and updates have been introduced to address data protection in an era where the majority of people submit protected health information online, where it becomes electronic PHI (ePHI).

Why is HIPAA compliance important, though? What does HIPAA protect? HIPAA protects PHI (and ePHI), to ensure the confidentiality, integrity, and availability of the sensitive information people submit in order to get treatment, healthcare-related procedures, insurance plans, and anything else related to healthcare. Any piece of health information submitted online that could be tied back to a specific person is protected from unlawful use or disclosure when it is handled by a HIPAA covered entity or one of its business associates. Such information can be anything we submit in online registration forms, before checkout, or before booking an appointment, for anything a business offers that is related to healthcare. Examples of such businesses are health insurance companies, private practices that offer online services, e-pharmacies where people can order their prescriptions online, or websites where people can get medical advice. All these online entities need to be HIPAA compliant, as do their business associates who access or handle (e)PHI on their behalf in any way. This sounds straightforward, but it is not always easy to implement. For example, an IT consultancy with no other connection to healthcare that is contracted by a health insurance company to build or maintain its eCommerce platform becomes a business associate of the insurer; it must sign a business associate agreement and must itself be HIPAA compliant (the insurer, as a covered entity, obviously must be too).

Healthcare eCommerce Using WooCommerce

Is HIPAA Compliance Needed?

HIPAA compliance is needed. Not only for the moral reason of protecting people's privacy from unsolicited, potentially malicious use of their data, but also because businesses that fail to meet the HIPAA requirements face strict penalties from the Department of Health and Human Services (HHS), enforced through its Office for Civil Rights (OCR). Furthermore, given the competitive nature of eCommerce and the abundance of alternative services and products, a business that cannot demonstrate HIPAA compliance does not have a high chance of surviving in the arena.

There are several options for building and hosting a website, depending on ease of use, cost, availability (and compatibility) of plugins, or personal preference, among other factors. WordPress is a trusted content management system used around the world, with many businesses running their websites and eCommerce platforms on it. For a WordPress website to gain the ability to take electronic transactions, and take a business to the next level in terms of reaching (and keeping) an audience, profits, growth, and the chance of securing national or international sales, a plugin is needed, and the standard choice is WooCommerce. WooCommerce is an open source plugin whose role is to convert a website into an eCommerce platform, so in practice any business, healthcare-related or not, wishing to pursue electronic commerce via WordPress will use WooCommerce. As mentioned earlier, healthcare eCommerce implies the submission and use of ePHI, and hence calls for HIPAA compliance not only of the business offering the healthcare services but of all of its business associates. The WordPress installation and the WooCommerce plugin are where the ePHI is received and, by default, stored, and the hosting provider and any vendor with access to that data is a business associate; so the question of whether a WordPress website using WooCommerce can be a HIPAA compliant website begs for an answer.

THE CHALLENGE TOWARDS HIPAA COMPLIANCE ON WORDPRESS

Can WordPress Cover the HIPAA Compliance Requirements?


Ensuring that a healthcare website is HIPAA compliant is a challenge in itself, and every additional component whose compliance is uncertain makes the mission that much more difficult. There is plenty of guidance available on following the HIPAA rules, particularly the Security Rule and the Privacy Rule, but what happens if one or more business associates of a healthcare website are not HIPAA compliant? The main requirements refer to how ePHI submitted by past and current clients is stored, accessed, protected, and used. Towards this mission, there are a few guidelines a business should follow with regard to its eCommerce platform, such as the following:

  • Encrypting ePHI at rest and in transit, and enforcing strong authentication and sound password management for every account that can reach it
  • Protecting the communication between customers submitting ePHI and the server receiving it with TLS (the successor of the older secure sockets layer, SSL), so that ePHI is never sent in clear text
  • Ensuring safe physical and electronic storage of ePHI, including backups
  • Preventing unauthorized access to ePHI in any format, from outsiders and also from insiders such as site admins who have no need to see it (the “minimum necessary” principle), with access logged and auditable
  • Having incident response and breach notification procedures in place in case ePHI is exposed
  • Ideally, having a “HIPAA compliance” team in place, and a widely available policy about HIPAA compliance
  • Having the option for permanent deletion of data
  • Having business associate agreements (BAAs) between the business entity and any other associates offering their services (such as the website host).

The most challenging part of following these requirements for eCommerce platforms built on WordPress is the last one: every party that hosts the site or supplies software that touches ePHI must be HIPAA compliant and sign a BAA. WordPress and WooCommerce are not HIPAA compliant out of the box: the open source software comes with no BAA, and a default installation does not meet several of the guidelines above (ePHI entered at checkout is stored unencrypted in the WordPress database along with the order, readable by any site administrator), thus exposing healthcare businesses that use them for eCommerce to possible ePHI breaches. Although this is a less-than-perfect situation, it does not mean that a healthcare provider should avoid WordPress altogether when thinking of expanding to eCommerce, especially when they already have an established WordPress website.

WooCommerce HIPAA eCommerce Integration for a HIPAA-Compliant Future

Tools and Guidelines Towards HIPAA Compliance

In order to create a HIPAA compliant website using WordPress, the main “threat” should be eliminated: ePHI being received and stored by WordPress (or WooCommerce) itself, where it sits inside a system that carries no BAA and is reachable by every site admin and every installed plugin. One might wonder how it is feasible to collect ePHI through a WordPress site while simultaneously keeping it out of WordPress, and the answer is simple: bypass. There are tools for creating a diverting route for ePHI so that it is never stored in WordPress. Such tools involve a WooCommerce HIPAA eCommerce integration, using a HIPAA compliant enterprise resource planning (ERP) system or application programming interface (API) options, so that the ePHI goes to a system covered by a business associate agreement and WooCommerce keeps only the non-sensitive order data plus a reference to the external record. It could be challenging to set up initially and could increase the website hosting cost, but a WooCommerce ERP integration could be invaluable for a healthcare business wishing to “merge” HIPAA compliance and WordPress.
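As an added illustration (this is not code from the original article, nor from any particular ERP or integration product), the following JavaScript sketches the “bypass” pattern at the checkout form: the fields that count as ePHI are sent from the browser straight to a separate HIPAA-compliant intake service, and only the remaining order fields plus an opaque reference are posted to WooCommerce. The endpoint `https://phi.example.com/intake`, the `ref` value it returns, and the field names in `PHI_FIELDS` are assumptions made for the example; the sample checkout submission is constructed data.

```javascript
// Added example (not from the original article or any integration product).
// Assumptions: the HIPAA-compliant intake service is at https://phi.example.com/intake
// (hypothetical) and answers a JSON POST with { "ref": "<opaque id>" }; PHI_FIELDS lists
// the checkout fields that count as ePHI for this hypothetical store.

const PHI_INTAKE_URL = "https://phi.example.com/intake";

const PHI_FIELDS = new Set([
  "diagnosis",
  "prescription",
  "date_of_birth",
  "insurance_member_id",
]);

// Split a submitted checkout form into the ePHI part and the ordinary order part.
function splitPhi(form) {
  const phi = {};
  const rest = {};
  for (const [name, value] of Object.entries(form)) {
    if (PHI_FIELDS.has(name)) {
      phi[name] = value;
    } else {
      rest[name] = value;
    }
  }
  return { phi, rest };
}

// Guard applied to anything that is about to be posted to WooCommerce:
// refuse the payload if any ePHI field name is still present.
function assertNoPhi(payload) {
  for (const name of Object.keys(payload)) {
    if (PHI_FIELDS.has(name)) {
      throw new Error(`ePHI field '${name}' must not be posted to WooCommerce`);
    }
  }
  return true;
}

// Real transport: send the ePHI over TLS to the BAA-covered intake service.
async function sendPhiOverTls(phi) {
  const res = await fetch(PHI_INTAKE_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(phi),
  });
  if (!res.ok) throw new Error(`intake service refused the record: HTTP ${res.status}`);
  return res.json();
}

// Build the payload WooCommerce is allowed to see: the non-PHI fields plus the
// opaque reference issued by the intake service. `sendPhi` is injectable so the
// flow can be exercised without a network.
async function divertPhi(form, sendPhi = sendPhiOverTls) {
  const { phi, rest } = splitPhi(form);
  if (Object.keys(phi).length === 0) {
    assertNoPhi(rest); // nothing sensitive on this order
    return rest;
  }
  const reply = await sendPhi(phi);
  if (!reply || typeof reply.ref !== "string" || reply.ref.length === 0) {
    // Fail closed: never fall back to posting the ePHI itself.
    throw new Error("intake service returned no reference; order not submitted");
  }
  const wooPayload = { ...rest, phi_ref: reply.ref };
  assertNoPhi(wooPayload);
  return wooPayload;
}

// Constructed sample checkout submission (not real data).
const SAMPLE_FORM = {
  billing_first_name: "Pat",
  billing_email: "pat@example.com",
  product_id: "rx-1001",
  prescription: "metformin 500 mg, 30 tablets",
  date_of_birth: "1980-01-01",
};

// Offline stand-in for the intake service, used by the demonstration call below.
async function fakeIntake(phi) {
  fakeIntake.received = { ...phi };
  return { ref: "phi_ref_demo_0001" };
}

// Demonstration: only billing/product fields and phi_ref reach WooCommerce.
divertPhi(SAMPLE_FORM, fakeIntake).then((woo) => console.log(JSON.stringify(woo)));
```

Because a tampered browser can post anything, the WordPress side must apply the same rule as `assertNoPhi` before the order is created (for example in a checkout validation hook), rejecting any submission that still carries an ePHI field; and the intake service must authenticate and authorize every later lookup of `phi_ref`, so that the reference stored in WooCommerce cannot by itself reveal the record.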