
Privacy, Privacy, Privacy

HIPAA Compliant

It’s hard for many of us to remember what the days before HIPAA were like, when access to patients’ health info was fair game for just about anyone. Medical and dental offices may grumble about the complications HIPAA added to their practices, but it was obviously a law whose time had come.

There are many aspects to the original rules, as well as those added through HITECH and Omnibus (and whatever comes next...) – our intent is to make sure that any of the requirements that apply to your practice website are followed to the letter.

The Notice of Privacy Practices

Every medical or dental practice website must have the latest copy of the practice’s Notice of Privacy Practices (NPP) published on it. It can be published either as a regular web page or, more commonly, as a PDF document. We usually link to the NPP from the Patient Forms page or, if that’s not available, from the footer of the home page.

If your practice doesn’t currently have an NPP we’ll be happy to create one for you. There’s a very patient-friendly new format that we’re using now (click on the icon at right to view) or we can use the traditional all-text format. Either one is approved for use by the HHS.

HIPAA regulations state that practices are required to provide the Notice to new patients and use their best efforts to obtain acknowledgment of receipt. This is often overlooked on practice websites; we’ll be happy to provide a secure online acknowledgement form upon request.

Patient Forms

There are two areas where healthcare practices can get into HIPAA trouble – unsecured patient forms and email (more on email below). If all you provide are non-submittable PDF forms on your website, there’s no privacy issue. If, however, you opt for the convenience and speed of online patient forms, they must follow a rigid set of rules set forth by HIPAA.

To begin with, they must reside on a secure URL (one starting with https://) – this assures the patients that they are in fact on your website and not filling out a renegade form that’s attempting to capture their data. Next, the form should submit the patient’s entries in an encrypted format, directly to a secure server. Please note that regular email is not a secure way to send anything. And even if you employ secure email for form submittal, there are a host of conditions to fulfill regarding the way you store this info (more on this below).

Our Secure Patient Forms Program provides a fully HIPAA-compliant method of patient form submission, storage and retrieval. We know of no other way to shortcut this procedure and still be compliant.

Patient Email

This is the biggest area we’ve seen of both non-compliance and outright confusion. Although email and texting are the preferred method of communication for many patients, there are three big areas of concern here (the first two of which are not even HIPAA-related).

“I’m having chest pains...”

We always advise our customers to never allow patients to email the practice directly. Unsolicited email of an emergency nature will most likely not receive your immediate attention, and could end in an undesired result – and maybe an undesired lawsuit. If you wish to allow patients to contact you electronically, it’s best to use a secure patient form that specifically states what the patient must do in an emergency instead of using the form.

“What your doctor won’t tell you about...”

Nobody likes spam email. Ever wonder how spammers get hold of your email address, and why it’s so hard to get off?

Let’s look at a common scenario. Someone hacks into your practice’s email account and harvests all your incoming and outgoing email addresses (and maybe even the message contents themselves). They then have a list of valid email addresses that were used in connection with a physician’s or dentist’s office. All it takes now is to contact one of the unethical list brokers they work with and make a sale, and your patients start getting spam emails targeting the diseases your office treats. If your patients then put two and two together...

“We’re contacting you to notify you of a breach of your Protected Health Information...”

Here’s the direct HIPAA issue. You’ve been emailing with your patients or referring providers (or surgery centers or hospitals or...) and someone hacks your email account or the server it lives on. If your emails are not fully encrypted end-to-end (including where they’re stored), and your server is not fully protected from physical or electronic intrusion, you’re operating in violation and are susceptible to a breach of your patients’ ePHI. 

You may add all the disclaimers you want to the pages your email address is shown on – good luck with that in court. The only HIPAA compliant way to communicate electronically is with a dedicated, secure email system – ideally one that’s not on your premises (otherwise you have to provide 24/7 physical security, employee training, maintain system audit logs, etc.). We offer a complete secure email program that can take all that off your back!

Here’s What the Law States:

Section 1557 of the Affordable Care Act was passed into law in July of 2016. This is a wide-ranging regulation that covers many aspects of discrimination in regard to the treatment of patients – we’ll cover those aspects that affect your practice and your practice website.

Not all healthcare practices are affected by this law; only those that accept:

  • Federal financial assistance – includes grants, property, Medicaid, Medicare Parts A, C and D payments, and tax credits and cost-sharing subsidies under Title I of the ACA. (Medicare Part B is not included.)

  • All health programs and activities administered by entities created under Title I of the ACA (e.g., State-based and Federally-facilitated Health Insurance Marketplaces).

Here’s How We Get Your Website Compliant:

There are two documents that must be accessible from the home page of the practice’s website:

  • Notice Informing Individuals about Nondiscrimination and Accessibility Requirements.

  • Taglines, which are short statements in non-English languages, to notify the individual about the availability of language assistance services*.

The only information we need from you in order to create these documents is:

  • The legal name of the practice
  • The name, title and email address of the practice’s Civil Rights Coordinator (CRC)
  • The practice’s mailing address and phone and fax number (and TTY number, if available)

We’ve created a simple form on our website to help in furnishing this information. Once we’ve received your information we’ll create both documents, upload them to your website and link to them from your home page. At that point your website will be fully compliant.

To make your website fully readable by viewers speaking any major language, see our free Multilingual Websites option.

Here’s How We Get Your Practice Compliant:

* Did you happen to notice the requirement above about “the availability of language assistance services?”

This is where most healthcare practices fall down. How do you go about finding a reputable language service? One that can meet all the requirements of Section 1557? One that can provide phone interpretation, video interpretation (including American Sign Language), even document translation? All at a very reasonable price?

You’ve already found one. Take a look at Highland Language Services.

Website Accessibility Under Title II of the ADA

Many people with disabilities use assistive technology that enables them to use computers. Some assistive technology involves separate computer programs or devices, such as screen readers, text enlargement software, and computer programs that enable people to control the computer with their voice. Other assistive technology is built into computer operating systems. For example, basic accessibility features in computer operating systems enable some people with low vision to see computer displays by simply adjusting color schemes, contrast settings, and font sizes. Operating systems enable people with limited manual dexterity to move the mouse pointer using key strokes instead of a standard mouse. Many other types of assistive technology are available, and more are still being developed.

In order to make your practice website compliant with the ADA, several areas need to be addressed, including:

  • Adding a text equivalent to every image (“alt tags” or “longdesc tags”)
  • Providing accessible versions of PDF forms
  • Enabling “screen reader” audio version of all text
  • Enabling font size adjustment
  • Enabling background and text color contrast adjustment

For an example of how many of these features work, see the Screen Reader element at the bottom of each page of our website. Select any text block and click on the “Play” button, click on the “Increase” button to enlarge the text, or click on any of the “Toggle High Contrast” buttons to change the color contrast.

The ADA requires that all organizations with a “public presence” make their websites accessible - current maximum penalties for non-compliance are $75K for the first offence and $150K for subsequent violations.

This could be the most valuable page on our website...

If you’ve ever had any run-ins with HIPAA, or the Americans with Disabilities Act, or even the Department of Health and Human Services, you have our sympathy. These encounters very rarely result in just a slap on the wrist, and can often chew up a great deal of your time and money.

You’d think every practice would tread very carefully in areas like this, but when you’re busy dealing with patients and providers and office staff, who has time for this stuff?

We do.

We’ve been developing medical and dental practice websites since long before anyone ever heard of a Notice of Privacy Practices, and have been staying up to date with everything that’s come down the pike since then. There hasn’t been a single occasion of any of our healthcare websites causing the least little bit of regulatory or legal trouble for any of our customers in our 22 years of healthcare website development.

Pleading Ignorance Just Won’t Work

Having someone put together your practice website who has no experience with these issues is just asking for trouble. We can’t tell you how many sites we’ve seen with non-secure patient forms and email contacts, without any provision for non-English speaking or disabled website visitors. Whether these website designers know it or not, these are all very much against the rules, and it’s fairly easy for anyone to bring your website to the attention of the regulatory agencies.

Glance through the three main compliance issues shown below for a quick idea of what must be on your practice website, and how we can take care of all of it for you. So you can get back to those patients and providers and office staff...