If your online store deals in health-related products or services, you’ll need to make sure it meets standards laid out by the Health Insurance Portability and Accountability Act (HIPAA) to protect sensitive health data. Many of the same privacy and security measures covered by measures like PCI compliance apply here, including implementing strong access control, physical security, and network protections.

What is PHI?

Protected health information (PHI) covers any patient information associated with health insurance, diagnosis, billing, lab or test results, care, and more. Though hospitals and other healthcare providers tend to handle the most PHI, this kind of data can definitely be used or saved by ecommerce websites that work with healthcare providers.

Who needs to be HIPAA compliant?

If your online store deals with PHI in any way, HIPAA compliance is a necessity for your business. As mentioned above, HIPAA compliance bears strong similarities to PCI compliance, so your online store should already be pretty close to meeting the requirements. There may be some improvements you want to make, like extending encryption to customer names if you don’t already do this.

How do you make sure your online store is HIPAA compliant?

Generally, HIPAA compliance requires your online store to follow best practices for protecting customer data you should be following anyway considering you process payment information every day. Many of the security requirements for HIPAA compliance may already be built into your shopping cart software (like data encryption and SSL). Others may require you to invest in security infrastructure for the safety of your data.

Here are a few recommendations to make sure your website is compliant with HIPAA regulations.

• Access logs: Installing a firewall or some other program for tracking access to customer data is a crucial part of staying compliant. Recording access can help track who has seen or altered data and when, making it easier to identify an unauthorized breach.
• Tokenization: With this strategy, you can create unique identifiers that represent and reference certain types of customer data without storing the actual information. Tokenization makes it much more difficult for hackers or other unauthorized people to view or steal information.
• Access control: A strong, tiered system of access control that limits who can access or interact with customer data is essential for a HIPAA compliant ecommerce business. Access control measures should be built on strong passwords and well-defined reasons for accessing sensitive personal information.
• Central administration: Access control and role definition should be managed by an administrator with the power to add or remove permissions as necessary.
• Deletion: You should have the ability to delete data from the phone of a former employee, for example. You should also have a strong policy around deleting information you no longer need.