SpinWeb is an Indianapolis-based digital agency, specializing in enterprise website design & digital marketing

Does My Health Care Website Need to Be HIPAA Compliant?


Posted by Michael Reynolds on 9/3/14 10:30 AM

In this edition of Strategy Sitdown, we answer the question: "my health care organization is redesigning its website soon and I'm concerned about HIPAA compliance. What should I be aware of?"

If you have a question for us, you can ask it here. We'll answer it in a future edition!


Thanks for joining us for today's strategy sit-down. Today's question comes from Audra in St. Louis. Audra asks: "My health care organization is redesigning its website soon and I'm concerned about HIPAA compliance. What should I be aware of?"

Audra, excellent question. We have run into this many times in our work here at SpinWeb. The thing to understand is that there are a couple of different - actually more than a couple - there are numerous different ways your website can serve your constituents. There's a marketing context and there's a transactional context. There are some other ways that the transactional context can be broken out.

A lot of people think that when they redesign their website for, let's say, a hospital or another health care organization, because of HIPAA compliance they have to make the entire website HIPAA-compliant. It's got to be on a very expensive, super-secure server. You've got to jump through a bunch of hoops. They get really, really concerned about their entire website following these guidelines.

That's not always the case, because when you have to worry about HIPAA compliance, it's because you're collecting data, sensitive information from patients, and that is the kind of stuff you have to be concerned about and store properly. However, there's a whole section of your website, perhaps even the majority of your website, that is focused on marketing and information and communication. That stuff does not have to follow the same guidelines, primarily.

It's really focused on, again, conveying information to the community, to your audience, to potential patients. As long as you're not collecting sensitive information on that side of things, you can really host your website on a more standard CMS. You don't have to worry so much about jumping through all of the HIPAA-compliant hoops that you have to on the transactional side of things.

For example: Let's say you have a hospital website and you're running an informational blog for prospects in the community; maybe you're running a podcast; maybe you're hosting videos; maybe you're posting clinic hours; you're posting physician information. You're putting all sorts of things out there that really help market your hospital to the community. That's a good thing; that's the stuff where you don't really have to worry as much about HIPAA compliance, because you're just conveying information, you're getting found on search, you're publishing information so you can grow website traffic. That's all good stuff.


Now, if you are collecting patient information and you have more of a need to collect that sensitive information in a secure way that's HIPAA-compliant, that's typically handled by a third-party tool. It's very, very common for the main part of your website that is focused on marketing to be built on a standard content management system. Then anything that has to be HIPAA-compliant switches over to a third-party app that's designed for that security.

You can link over to it, or you can embed it with iframes. The branding is typically very easy to match, and it creates a pretty seamless experience for your constituents. It's really not a huge deal. Again, it's very good to be concerned about HIPAA compliance, of course, and to make sure you're following all the right guidelines and keeping patient information secure. But you don't have to worry so much about having the entire website follow the same guidelines.

You have to understand which components are informational and which components are collecting sensitive information, and then use the right tools for each. They can coexist very well. Hope that helps.

Audra, that's a great question. I hope it eases some concerns and helps you approach this with the right perspective. Thanks again and thanks everyone for joining us today. We'll see you next time.


Topics: Strategy Sitdown, HIPAA, security, health care
