HIPAA Compliant Website "Contact Us" Form
Websites are designed to be marketing tools, not HIPAA compliant patient communication platforms. As you know, this doesn't stop patients, or prospective patients, from sharing all kinds of personal information via your website. While you can't control what people submit, you can control how you respond.
This article focuses on the scenario in which patients use your website's contact form to submit health information and/or make clinical inquiries.
The technical problem
The typical website sends you an email containing whatever information the person submits. If the email service used to capture the website submission is not an EHR patient portal or HIPAA compliant email application (meaning, you don't have a business associate agreement), then you shouldn't use the email to carry on a conversation.
The problem escalates if your website hosting service stores submitted data (i.e., archives messages) outside of the email service itself.
The information problem
As soon as someone sends information considered protected health information (PHI), you have a responsibility to safeguard that information, especially if you continue the conversation. Patient inquiries mentioning symptoms or treatment are PHI, as are questions regarding appointments (more on this later).
When the patient initiates a communication containing PHI, your best bet is to transfer the communication to a secure channel, such as a phone call. Do this and you'll be in good graces with HIPAA.
Note: Make sure your Contact Us form requires a phone number so you always have the ability to call the person in lieu of responding with an email message.
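The following is an added example, not code from the article or from HIPAAMATE, showing how a contact-form handler can enforce the advice above on the server side: the submission is rejected unless it carries a usable phone number, and the item handed to staff is a "call this person" task rather than an email reply. The US-only phone normalization and the field names (`name`, `phone`, `message`) are assumptions of this example; the choice to leave the free-text message out of the staff task is also this example's design, in line with the article's point that the conversation should move to the phone.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Strip everything that is not a digit so "(555) 123-4567", "555.123.4567"
# and "+1 555 123 4567" all normalize the same way.
NON_DIGITS = re.compile(r"\D")


def normalize_phone(raw: Optional[str]) -> Optional[str]:
    """Return a 10-digit US number (leading country code 1 removed), or None
    when the input cannot be dialled. Assumption: US numbers only."""
    digits = NON_DIGITS.sub("", raw or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    # US area codes and exchange codes never start with 0 or 1.
    if len(digits) != 10 or digits[0] in "01" or digits[3] in "01":
        return None
    return digits


@dataclass
class ValidationResult:
    ok: bool
    phone: Optional[str] = None
    errors: list = field(default_factory=list)


def validate_submission(form: dict) -> ValidationResult:
    """Require a name and a valid phone number; everything else is optional."""
    errors = []
    if not (form.get("name") or "").strip():
        errors.append("name is required")
    phone = normalize_phone(form.get("phone"))
    if phone is None:
        errors.append("a valid phone number is required so we can call you back")
    return ValidationResult(ok=not errors, phone=phone, errors=errors)


def handle_submission(form: dict) -> dict:
    """Turn a raw form post into either user-facing errors or a staff task.

    The staff task deliberately carries only the caller's name and phone number
    (this example's choice): the free-text message may contain PHI, and the
    article's guidance is to respond by phone rather than by continuing an
    email thread, so the message body is not forwarded or archived here."""
    result = validate_submission(form)
    if not result.ok:
        return {"status": "rejected", "errors": result.errors}
    return {
        "status": "accepted",
        "task": {
            "action": "call",
            "name": form["name"].strip(),
            "phone": result.phone,
        },
    }


if __name__ == "__main__":
    # Constructed sample submissions for demonstration.
    good = {"name": "Pat Example", "phone": "(555) 234-5678",
            "message": "Can I get an appointment about my knee?"}
    bad = {"name": "Pat Example", "phone": "12345",
           "message": "Please email me back."}
    print(handle_submission(good))
    print(handle_submission(bad))
```

Wire `handle_submission` behind whatever framework receives the form post; the point is that a submission with no dialable number never reaches staff, and what does reach them is a callback task rather than a reply-by-email thread.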
The appointment problem
People love to schedule appointments online, but appointment information is clinical in nature so you should treat it in the same manner you would other clinical PHI. Therefore, if a patient tries to schedule an appointment using your website, don't email the patient back, call instead.
Better yet, integrate a HIPAA compliant online appointment scheduling service into your website.
HIPAA does not intend to limit people's ability to contact your business, nor does it state you cannot have a Contact Us feature on your website. The law requires only that you take reasonable measures to safeguard PHI, in whatever form you receive it.
by Dr. Jeff Brown
Jeff Brown, DC, is CEO at HIPAAMATE and dedicated to making HIPAA compliance comfortable for small- and medium-sized healthcare practices and business associates. Dr. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.