Do medical websites need to be HIPAA compliant?

02. August 2016 | EHR, EMR, HIPAA


The short answer is “yes” for any site that handles patient information; the longer answer depends on what your site actually does.

The first thing to determine is what you want visitors to do on your website. If the site is just an online “brochure” (practice hours, location, staff bios) and collects nothing from visitors, HIPAA does not come into play. But if you want visitors to send emails, request appointments, fill out forms, upload documents, or log in to a patient portal, then you are collecting electronic protected health information (ePHI) and you need to comply with HIPAA. Any ePHI that passes through or is stored by your website must be handled according to the HIPAA Security Rule, so you need to know exactly where that information goes once a visitor submits it.

  • Pass-through – Most ePHI is collected through online forms and is simply forwarded to an email inbox. Even though nothing is stored on the web server, the form submission and the email that carries it are both transmissions of ePHI, so the whole path has to be protected. In practice this means a secure (encrypted) form handler and an email service that will sign a Business Associate Agreement (BAA) with your practice, which usually means paid enterprise-grade software rather than the free consumer email providers most of us use. Those free providers are not designed for this level of security, will not sign a BAA, and are therefore not HIPAA compliant for receiving patient data.
  • Server based – If you collect and store any patient information (ePHI) through your website, then you really need to pay attention. Once data is stored, your hosting provider is handling ePHI too, so the host must also be HIPAA compliant: it must sign a BAA, and the stored data must be protected with the administrative, physical and technical safeguards the HIPAA Security Rule requires (access controls, encryption, audit logging and backups). HIPAA is very clear on this point and sets out mandatory requirements for how protected health information is collected and stored.
