WooCommerce and HIPAA Privacy Rule

Applying the HIPAA Privacy Rule to WooCommerce

Having a website is crucial for a business engaging in almost any sort of activity. Being able to advertise products and services, meet clients, attract potential customers, create a personalized shopping experience, and result into successful transactions is the new way of commerce. This does not only apply to businesses selling clothes, appliances, travel packages, or other “everyday” commodities, but it can also apply to healthcare. Having appointments online, and ordering treatments and health-related services online, has seen a drastic improvement over recent years.

A main concern with healthcare, especially in the online era, is the privacy of individually identifiable health information patients and customers submit online, towards personalization of their treatment or service. There are governmental bodies and regulations which oversee the protection of personal information, such as OCR of HSS (Office for Civil Rights, part of the Department of Health and Human Services), and HIPAA (Health Insurance Portability and Accountability Act). HIPAA has introduced several rules in place to safeguard protected health information (PHI, or ePHI if information is submitted online), the two most important of them being the HIPAA Privacy and Security rules. In this article, we will elaborate on the importance of the Privacy rule, and how it applies in healthcare-related eCommerce.

What is the Purpose of the Privacy Rule?

In order to obtain health-related services, such as treatment services or products, insurance, appointments, or anything else, users will have to supply personal information, through registration forms or questionnaires. If leaked, this information could potentially be used to identify an individual, so in order to avoid so, it should be protected and kept confidential. The HIPAA Privacy rule, also known as “Standards for Privacy of Individually Identifiable Health Information” assists with ePHI protection and confidentiality, but also allows for information flow when needed. Similar to the other HIPAA rules, the Privacy rule does not only apply to business entities offering direct services, but also to their business associates.

The information covered by the HIPAA Privacy rule is any information that can be used to identify someone, such as demographic details, social security numbers, credit card information, health-related information (hospital admissions and exits, health conditions), and handwriting samples among others. The Privacy rule covers all formats of relevant information, such as submitted online through forms, videos, photos, or over the telephone. Part of the ePHI protection as governed by HIPAA and the Privacy rule in particular, is that patients are allowed to access their ePHI and amend it or modify it as deemed necessary. Businesses have to be HIPAA compliant, meaning that basically they have to protect the confidentiality of their customers and patients by protecting their ePHI. This can be done by limiting access to ePHI from unauthorized people, encrypting ePHI, and implementing several other physical, administrative, or technical safeguards, which are stated in HIPAA Security rule.

HIPAA compliance requirements, especially with regards to the Privacy rule, could be potentially compromised by internal or external threats, such as unsolicited photographs of ePHI using smartphones, ePHI leaks through cyber-attacks, stolen portable devices (phones, laptops) where ePHI is stored. All these cases of Privacy rule breach are covered in detail by the HIPAA Security rule.

Clarity Ventures HIPAA Compliance Experts

The first step is to realize where the problem is. The problem of HIPAA eCommerce platforms hosted on WordPress is that ePHI might not be sufficiently protected from unauthorized access. The aim of HIPAA Privacy and Security rules is to protect ePHI from exposure or misuse, and it is a responsibility of the business to comply with them and protect ePHI and the identity of its clients.

In order for a health-related eCommerce platform hosted on WordPress to meet HIPAA compliance requirements, a thorough risk assessment should take place, in order to identify the main issues. Besides the risk assessment, prevention of unauthorized access and use in any format (physical or online) should be prevented. Another key point to ensure that WooCommerce will comply with the HIPAA Privacy rule, and HIPAA in general, is to avoid storing ePHI within the WooCommerce environment. Using a WooCommerce ERP Integration can help towards this direction. An ERP integration, basically the use of an Enterprise Resource Planning system to bypass WooCommerce and store ePHI elsewhere, offers the possibility to use WordPress and WooCommerce without potential and existing customers experiencing any difference on the layout of their trusted eCommerce platform, allowing for an overall seamless and HIPAA-compliant operation.