When it comes to eCommerce security, there are countless considerations to take into account, particularly where customer information is concerned. Protecting customer payment information through PCI Compliance is a big undertaking, but one that is imperative to ensure that your site is secure and safe for customers to use. But what about when your eCommerce site also handles personal medical information for your customers? In those sensitive cases, your site must be HIPAA Compliant.
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act, dictates how patient data and information can be digitally transmitted and accessed, ensuring security for all patients. HIPAA compliance is made up of four different rules:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
Each of these rules is necessary for achieving HIPAA compliance, but the most important aspect for eCommerce development is the Security Rule.
HIPAA Security Rule
The HIPAA Security Rule consists of three parts:
- Technical Safeguards
- Physical Safeguards
- Administrative Safeguards
As TrueVault explains in their HIPAA Compliance Checklist, each of those three parts includes implementation specifications that are either required or addressable. Required implementation specifications, obviously, must be implemented. The addressable implementation specifications must be implemented when deemed reasonable and appropriate. Keep in mind that addressable does NOT mean optional. These implementation specifications must be implemented in the appropriate situations.
How Does My Site Become HIPAA Compliant?
While all aspects of HIPAA must be addressed before your site can be deemed compliant, your development team will be referencing the Technical and Physical Safeguards of the Security Rule more often than not. These Safeguards need to be in place in order to protect and control access to the PHI (protected health information).
Technical Safeguards include things like Access Control, Authentication, and Transmission Security. These aspects can be addressed through secure access control with unique user names and strong passwords, a secure web server that serves the site over SSL (Secure Sockets Layer), and encryption of the data both while it is being transmitted and while it is stored. Together, these techniques help ensure that no unauthorized user or computer can access sensitive information.
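As an added illustration of those Technical Safeguards (example code written for this page, not code from the original post or from TrueVault): a small Go store that keeps PHI encrypted at rest with AES-GCM, lets only the unique user IDs on a record's allow-list decrypt it, and logs every read attempt. The PHIStore type, its methods and the sample record and user IDs are assumptions constructed for the example; transmission security (SSL/TLS) is left to the web server in front of it.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)
// PHIStore (hypothetical, for this example) keeps records encrypted at rest (AES-GCM) behind a per-record allow-list of unique user IDs and logs every read attempt to Audit.
type PHIStore struct {
	aead    cipher.AEAD
	records map[string][]byte          // record ID -> nonce || ciphertext
	access  map[string]map[string]bool // record ID -> authorized user IDs
	Audit   []string                   // one "ALLOW"/"DENY" line per read attempt
}
// NewPHIStore takes a 16-, 24- or 32-byte key (in production from a KMS, never hard-coded in the application).
func NewPHIStore(key []byte) (*PHIStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PHIStore{aead: aead, records: map[string][]byte{}, access: map[string]map[string]bool{}}, nil
}
// Put encrypts phi under a fresh random nonce, binds the record ID as additional data so a ciphertext cannot be moved to another record, and sets who may read it.
func (s *PHIStore) Put(recordID string, phi []byte, authorized ...string) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[recordID] = s.aead.Seal(nonce, nonce, phi, []byte(recordID))
	s.access[recordID] = map[string]bool{}
	for _, u := range authorized {
		s.access[recordID][u] = true
	}
	return nil
}
// Get refuses any caller not on the record's allow-list (including reads of unknown records) before any decryption happens.
func (s *PHIStore) Get(userID, recordID string) ([]byte, error) {
	if !s.access[recordID][userID] {
		s.Audit = append(s.Audit, fmt.Sprintf("DENY user=%s record=%s", userID, recordID))
		return nil, errors.New("access denied")
	}
	s.Audit = append(s.Audit, fmt.Sprintf("ALLOW user=%s record=%s", userID, recordID))
	blob := s.records[recordID]
	return s.aead.Open(nil, blob[:s.aead.NonceSize()], blob[s.aead.NonceSize():], []byte(recordID))
}
```

The Audit slice is what an auditor would ask for: it shows who attempted to read which record and whether the store let them.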
Physical Safeguards pertain more to the way the digital information is used and include details like Workstation Security and Use, and Device and Media Controls. Workstation Security and Use covers policies for the functions that may be performed on a device as well as physical safeguards for a workstation to ensure that only authorized users can access it. Device and Media Controls require, among other things, a secure way of disposing of information that is no longer needed.
All of these details are just the tip of the iceberg when it comes to HIPAA Compliance. For more information, check out TrueVault’s HIPAA Compliance checklist or the US Department of Health and Human Services.