Most pregnancy clinics have already chosen to protect their website with an SSL/TLS certificate, which encrypts data in transit between the visitor's browser and the website. Many organizations have not considered the next step in encryption: encrypting website data at rest, while it is stored on the server's hard drive, by storing it on an encrypted hard drive. Encryption at rest protects the data if the physical drive is lost, stolen, resold or decommissioned without being wiped; it does not by itself protect data that a running, compromised web application can read, so it complements rather than replaces the other controls on the server.
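The claim "stored on an encrypted hard drive" is easy to make and easy to get wrong in practice, because a web root or mail spool can sit on a separate, unencrypted partition even on a host that advertises full-disk encryption. The check below, added here as an example and not code from the original page or from iRapture.com, walks the block-device tree reported by `lsblk` on a Linux host and reports which paths are not backed by a dm-crypt (LUKS) volume. The JSON it parses is a constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINTS` output, and the path list and function names are assumptions for illustration. It only recognises dm-crypt; self-encrypting drives or cloud-provider volume encryption are not visible in `lsblk` and need a separate check.

```python
import json

# Constructed sample (not captured from a real host) in the shape of
# `lsblk -J -o NAME,TYPE,MOUNTPOINTS`: one disk whose second partition holds a
# LUKS container with LVM volumes for / and /var/www, an unencrypted /boot,
# and a second, unencrypted disk mounted at /backup.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoints": [null], "children": [
      {"name": "sda1", "type": "part", "mountpoints": ["/boot"]},
      {"name": "sda2", "type": "part", "mountpoints": [null], "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoints": [null], "children": [
          {"name": "vg-root", "type": "lvm", "mountpoints": ["/"]},
          {"name": "vg-www", "type": "lvm", "mountpoints": ["/var/www"]}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoints": [null], "children": [
      {"name": "sdb1", "type": "part", "mountpoints": ["/backup"]}
    ]}
  ]
}
"""


def _mountpoints(dev):
    """Mount points of one lsblk node; handles both the older singular
    'mountpoint' key and the newer 'mountpoints' list."""
    if "mountpoints" in dev:
        return [m for m in dev["mountpoints"] if m]
    m = dev.get("mountpoint")
    return [m] if m else []


def _walk(devs, under_crypt, found):
    """Depth-first walk; a node is encrypted if it or any ancestor is 'crypt'."""
    for dev in devs:
        encrypted = under_crypt or dev.get("type") == "crypt"
        for mp in _mountpoints(dev):
            found[mp] = encrypted
        _walk(dev.get("children", []), encrypted, found)


def encrypted_mounts(lsblk_json):
    """Map every mount point in the tree to True if it sits on or below a
    dm-crypt device, else False."""
    tree = json.loads(lsblk_json)
    found = {}
    _walk(tree.get("blockdevices", []), False, found)
    return found


def mount_for_path(path, mounts):
    """Longest-prefix match: the mount point that actually holds `path`."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def unencrypted_paths(lsblk_json, paths):
    """Return the subset of `paths` whose backing volume is not dm-crypt
    encrypted (or whose mount could not be determined)."""
    mounts = encrypted_mounts(lsblk_json)
    result = []
    for p in paths:
        m = mount_for_path(p, mounts)
        if m is None or not mounts[m]:
            result.append(p)
    return result


if __name__ == "__main__":
    # Assumed locations for web files and mail on a Linux host (illustrative).
    for p in unencrypted_paths(SAMPLE_LSBLK_JSON,
                               ["/var/www", "/var/mail", "/backup", "/boot"]):
        print("NOT encrypted at rest:", p)
```

To use it on a real host, replace the constructed sample with the output of `lsblk -J -o NAME,TYPE,MOUNTPOINTS` (or `-o NAME,TYPE,MOUNTPOINT` on older util-linux) and pass the directories that hold the website files and mailboxes. On the sample tree, `/var/www` and `/var/mail` are encrypted and `/backup` and `/boot` are not, which is the kind of gap (an unencrypted backup volume holding copies of the same form submissions) that a "we use encrypted drives" statement tends to hide.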
Storing website data at rest on an encrypted hard drive is not an absolute HIPAA mandate but an addressable implementation specification of the HIPAA Security Rule (45 CFR 164.312(a)(2)(iv)), meaning a covered entity must either implement it or document why it is not reasonable and what equivalent measure is used instead. HHS has promoted it heavily: under the Breach Notification Rule, PHI that was encrypted in line with HHS guidance is not considered "unsecured," so its loss does not trigger breach notification.
Nearly all client-facing pregnancy center/clinic websites feature an appointment request form. It is reasonable to consider the data collected in this appointment request form to be at least a precursor to PHI (Protected Health Information), and possibly actual PHI.
Anne O’Connor provides highly respected legal advice to pregnancy centers across the country. According to Anne O’Connor of NIFLA, a pregnancy center that does not bill or communicate electronically with health plans is not currently required to comply with HIPAA; however, it is important for the center to check its state law as well. Anne goes on to say that it is considered best practice to voluntarily follow guidelines established by HIPAA as part of risk management.
Melisa Clifton is the owner of Better by Design, a certified HIPAA professional, and the founder of the online learning platform Learning Is Created (learningiscreated.com). Melisa provides HIPAA training and certification to equip pregnancy centers and other pro-life organizations via Learning Is Created. Melisa points to the law for what someone should do in regard to HIPAA compliance. If a center provides healthcare services and either processes payment information electronically or shares PHI electronically, then it may be considered a covered entity and need to comply with HIPAA. For example, if a center provides low-cost STD testing and reports positive tests to the health department, as required by law, then the center is likely required to comply with HIPAA. For pregnancy centers in Texas, Texas HB300 deems all pregnancy centers covered entities, so they are required to comply with HIPAA. For centers outside of Texas, a future ruling defining the term “community-based support program” may include a greater number of entities based on the actions/services rendered.
Whether a center must comply with HIPAA, chooses to voluntarily follow HIPAA-derived standards, or follows another set of standards to guide its security protocols, storing PHI or potential PHI on an encrypted hard drive instead of an unencrypted one is a reasonable step.
At iRapture.com, we offer encrypted hosting for website data and email; the cost is higher than regular hosting that uses unencrypted hard drives. If you would like to learn more about your options for hosting your website files and email (while on the server) on an encrypted hard drive, please request a time to talk with Jacob.