
The dentists’ guide to HIPAA-compliant websites

Oct. 26, 2022
HIPAA requires websites that collect, store, or transmit electronic protected health information be compliant. Are you meeting the requirements?

When does a dental website need to be HIPAA-compliant? The short answer is “all the time.” But let's take a moment to unpack the question. 

HIPAA requires that websites that collect, store, or transmit electronic protected health information (ePHI) be compliant, and there are specific encryption standards. Without getting too geeky, the standards are 256-bit AES for storage and TLS 1.2 for transmission.

But what if your website doesn't collect, store, or transmit ePHI? In that case, you’re in compliance. Unfortunately, almost all dental website designs built in the last few years have functionality that comes in contact with ePHI. What constitutes dental HIPAA compliance regarding collection, transmission, and storage of ePHI? 


Collecting ePHI

If your website has any of the following functionality, then it's most likely collecting ePHI: live chat; online scheduling, payments, and forms; Contact Us forms; patient portals; teleappointments; and virtual consultations. I may have missed some, but these are the big ones. Find out whether the points where patient communication happens and ePHI is involved are encrypted and compliant.

If your website has any of the communication software mentioned here, it was developed either by your website design company or by a HIPAA-compliant third-party integration company, which HIPAA considers a sub-associate company. What do I mean by "HIPAA-compliant third-party integration company"? Here's an example.

We build dental websites on WordPress. Many of our client practices request that live chat be integrated on the site, but WordPress doesn't have an out-of-the-box live chat software that's HIPAA-compliant. To solve the problem, we use a sub-associate company that has developed live chat software that is HIPAA-compliant. 

Their live chat software integrates with WordPress and meets HIPAA requirements because none of the live chat information is collected, stored, or transmitted within the WordPress website. The entire live chat conversation is collected and encrypted in a separate system. In this way the website is HIPAA-compliant because all the ePHI from the live chat is encrypted through a compliant software system.

Your task is to confirm how your website collects ePHI and whether it’s encrypted and compliant. The best way to do this is to contact your dental website design company or the company that provides third-party software integrations. Once this is confirmed, make sure that you have a signed business associate agreement (BAA) or a sub-associate BAA from all companies involved. 

Transmitting ePHI

Transmission happens after ePHI is collected on your website and then sent to be stored. In the live chat example, once the conversation is closed, it's encrypted in an end-to-end process. The data is packaged, encrypted, and transmitted to a HIPAA-compliant server that has the key to the encryption. 

What’s the point of end-to-end encryption? During transmission, data is at risk and hackers can steal ePHI. HIPAA requires that data transmission be encrypted so that it can't be hacked and stolen. The geek language for this encryption is TLS 1.2; TLS stands for Transport Layer Security. It's a high level of encryption and almost impossible to break. Dentists must ensure the ePHI that’s collected on their website and then transmitted has end-to-end encryption.

Your task is to confirm that all the ways your website transmits data use TLS 1.2 encryption. The best way to do this is to call the company that supports the communication software and find out the level of encryption. Then ask for full compliance by receiving a signed BAA or sub-associate BAA.
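An added example (not from the original article): one way to inventory the points on a page where ePHI can be collected or handed to a third party, and to see whether each target is reached over HTTPS. The hosts and sample HTML are constructed, and `audit` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that can collect or carry patient input, and the attribute holding the target URL.
TARGET_ATTR = {"form": "action", "iframe": "src", "script": "src"}

class CollectionPointFinder(HTMLParser):
    """Collects (tag, absolute URL) for every form, iframe and external script."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.points = []

    def handle_starttag(self, tag, attrs):
        if tag not in TARGET_ATTR:
            return
        target = dict(attrs).get(TARGET_ATTR[tag])
        if tag == "form":
            target = target or self.page_url  # a form with no action posts to the page itself
        if target:
            self.points.append((tag, urljoin(self.page_url, target)))

def audit(page_url, html):
    """Return one finding per collection point: transport status and BAA follow-up."""
    finder = CollectionPointFinder(page_url)
    finder.feed(html)
    site_host = urlparse(page_url).hostname
    findings = []
    for tag, url in finder.points:
        parsed = urlparse(url)
        findings.append({
            "tag": tag,
            "host": parsed.hostname,
            "encrypted_transport": parsed.scheme == "https",
            "third_party": parsed.hostname != site_host,  # vendor needs its own BAA
        })
    return findings

# Constructed sample page (hypothetical hosts), not taken from any real practice site.
SAMPLE_URL = "https://smiles.example/contact"
SAMPLE_HTML = """
<form action="http://smiles.example/contact-submit" method="post"></form>
<form method="post"><input name="dob"></form>
<iframe src="https://schedule.vendor.example/embed"></iframe>
<script src="//chat.vendor.example/widget.js"></script>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_URL, SAMPLE_HTML), sep="\n")
```

An `https` target only shows that TLS is in use; the negotiated protocol version still has to be confirmed against the live endpoint or with the vendor.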

Storing ePHI

Once ePHI is collected and transmitted to its final destination, it must be encrypted again with AES 256 encryption in order to be compliant. AES 256 is the same encryption standard required for collection. ePHI storage requirements are where the rubber meets the road. Here is an example of how complicated this can get. 

In the past we’ve used WPEngine for our hosting, and WPEngine purchases server space with Amazon Web Services (AWS). Both companies have extremely high encryption and meet HIPAA requirements. But WPEngine’s policy is to not sign a sub-associate BAA, which makes the entire system noncompliant. 

Why would they not want to sign a BAA? My suspicion is that they think they’re not liable by not signing one, which is a significant misunderstanding. If a breach happens then they are still liable. I’ll leave that conversation for another article. The point is that you have to make sure you know which companies are involved in ePHI. 

There may be some website design companies that handle hosting, own their own HIPAA-compliant servers, and encrypt the entire system, but those cases are not typical. Usually, a dentist’s website has a business associate as well as several sub-associate companies.

Your task is to confirm that you have a BAA from your business associate website hosting company, as well as sub-associate BAAs from all companies involved in ePHI storage.

Is your website in compliance?

Hopefully this article helped give you suggestions on how to confirm whether or not you have a HIPAA-compliant dental website. Dental HIPAA compliance does not have to be confusing. If you need help beyond this article, call your website hosting company or have a HIPAA compliance professional perform a website HIPAA compliance audit.

Editor's note: This article originally appeared in DE Weekend, the newsletter that will elevate your Sunday mornings with practical and innovative practice management and clinical content from experts across the field.

About the Author

Adrian Lefler

Adrian Lefler is a dental marketing expert and the vice president of My Social Practice, a digital dental marketing agency. Lefler regularly travels to speak and educate dentists about dental marketing topics. You can book him to speak on this page. He lives in Draper, Utah, with his professional chef spouse, four kids, and two dogs.
