How To Build A HIPAA-Compliant Patient Portal [2022]

Updated On October 19, 2022.

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA)¹ protects patients’ privacy by limiting access to Protected Health Information (PHI) and governing acceptable use of their health data. The HIPAA Privacy Rule² comprises national regulations for using and disclosing PHI in healthcare treatment, payment, and operations by covered entities, and the HIPAA Security Rule³ covers the safeguards required to protect the confidentiality and integrity of electronic PHI. Patient portal HIPAA compliance can be a complicated issue to navigate, but we outline the essentials and valuable tips for building a HIPAA-compliant portal below.

What Is A HIPAA-Compliant Patient Portal?

A HIPAA-compliant patient portal is an electronic platform that enables healthcare providers to offer various online services to patients, including the ability to view their own electronic health records (EHR) and potentially features such as appointment scheduling, payment, and telehealth communications. Any features of a patient portal that include PHI and medical records must be HIPAA-compliant. Access to the portal itself, whether offered via mobile app or web platform, must be safeguarded according to the HIPAA Security Rule.

Must I Have A HIPAA-Compliant Patient Portal?

Patient portals and HIPAA are inseparable for the following reasons:

  • If your patient portal is developed or provided by, or on behalf of, a covered entity (a health plan, healthcare clearinghouse, or healthcare provider), then it must be a HIPAA-compliant portal by law.
  • Your patient portal must be HIPAA-compliant if you are a business associate that stores, collects, processes, or transmits PHI on behalf of covered entities.

What Information Does HIPAA Protect?

Protected Health Information (PHI) is any information that is held by a covered entity regarding a patient’s health status, provision of healthcare, or healthcare payment.

There are 18 PHI identifiers that a HIPAA-compliant portal should take care to safeguard:

  1. Names
  2. All geographical subdivisions smaller than a state
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and more.
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers, including finger and voiceprints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (note this does not include the unique code assigned by the investigator to code the data)

Tips For Offering A HIPAA-compliant Patient Portal

  • Never store Protected Health Information (PHI) on a mobile phone.
  • HIPAA-compliant messaging requires you to exclude PHI from any SMS, email, push, or IVR notifications. If you include PHI in a notification, have your patients accept terms and conditions that permit you to use limited PHI in your notifications, clearly defining what PHI is included.
  • Always use a HIPAA-Compliant Hosting Service.
  • When working with a web design, hosting company, patient portal vendor, or healthcare app development company, always get a BAA (Business Associate Agreement). A BAA shares the responsibility for all patient information that is received by the company or handled by the patient portal they build.
  • Hire or employ IT staff that is familiar with patient portals and HIPAA.
  • Ensure that a HIPAA expert audits the final patient portal.
  • Have your terms and conditions created/reviewed by an attorney specializing in HIPAA law.
  • Require patients to log in each time to access PHI, with an automatic logout after every 30 minutes of inactivity. To make the patient portal more convenient and secure, consider offering biometric logins using face or fingerprint recognition.
  • Conduct risk assessments and review system activity records, including audit logs, access reports, and security incident tracking reports, to detect any potential breaches of patient portal HIPAA compliance early.
  • Meet the ePHI (electronic protected health information) integrity requirement by using information systems that automatically check data integrity, for example through checksum verification or digital signatures, and that provide electronic mechanisms to confirm ePHI has not been altered.
  • Implement policies and procedures to protect ePHI from improper alteration or destruction.
  • Access controls must include unique user identification, an emergency access procedure, and automatic logoff.
  • According to HIPAA, the information in a medical patient portal should be encrypted at all times – both at rest and in transit.
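Several of the tips above (unique user identification, emergency access, automatic logoff after 30 minutes of inactivity, audit logging of every PHI access, integrity checks on stored ePHI, and notifications that carry no PHI) can be exercised together in a small model. The following Python is an added example written for this page, not code from the article or from Bridge; the `Portal` class, the `seal_record`/`verify_record` helpers, the `phi_leaks` checker, the constructed sample record, and the demo HMAC key are all assumptions made for illustration (a real deployment would keep the key in a KMS or HSM, persist the audit log append-only, and use TLS and storage encryption for the "at rest and in transit" tip, which this snippet does not model).

```python
import hmac, hashlib, json, time
from dataclasses import dataclass

INACTIVITY_LIMIT = 30 * 60  # seconds: the "30 minutes of inactivity" from the tips above

# Constructed demo key (assumption); a real portal loads it from a KMS or HSM.
INTEGRITY_KEY = b"demo-integrity-key-not-for-production"

# Record fields that are PHI identifiers and must never appear in a notification body.
PHI_FIELDS = ("name", "dob", "mrn", "phone", "email")


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation so the integrity tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict) -> dict:
    """Attach an HMAC-SHA256 tag so later tampering with stored ePHI is detectable."""
    tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"body": dict(record), "tag": tag}


def verify_record(sealed: dict) -> bool:
    """True only if the stored body still matches its tag (constant-time compare)."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


@dataclass
class Session:
    user_id: str             # unique user identification, never a shared account
    last_activity: float
    emergency: bool = False  # break-glass access, flagged in every audit entry


class Portal:
    """Minimal session, audit and integrity layer; `clock` is injectable for testing."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session token -> Session
        self.records = {}    # patient id -> sealed record
        self.audit_log = []  # append-only list of access events

    def _audit(self, user_id, action, patient_id, outcome, emergency=False):
        self.audit_log.append({"ts": self.clock(), "user": user_id, "action": action,
                               "patient": patient_id, "outcome": outcome,
                               "emergency": emergency})

    def store(self, patient_id, record):
        self.records[patient_id] = seal_record(record)

    def login(self, token, user_id, emergency=False):
        self.sessions[token] = Session(user_id, self.clock(), emergency)
        self._audit(user_id, "LOGIN", None, "ok", emergency)

    def read_record(self, token, patient_id):
        s = self.sessions.get(token)
        if s is None:
            raise PermissionError("not logged in")
        now = self.clock()
        if now - s.last_activity > INACTIVITY_LIMIT:
            del self.sessions[token]  # automatic logoff; the user must log in again
            self._audit(s.user_id, "AUTO_LOGOFF", patient_id, "denied", s.emergency)
            raise PermissionError("session expired after inactivity")
        s.last_activity = now
        sealed = self.records[patient_id]
        if not verify_record(sealed):
            self._audit(s.user_id, "READ", patient_id, "integrity_failure", s.emergency)
            raise ValueError("stored record failed its integrity check")
        self._audit(s.user_id, "READ", patient_id, "ok", s.emergency)
        return sealed["body"]


def phi_leaks(message: str, record: dict) -> list:
    """Return the PHI fields whose values appear verbatim in a notification body."""
    return [f for f in PHI_FIELDS if f in record and str(record[f]) in message]


def notification_text() -> str:
    """An SMS/push body that carries no PHI: it only tells the patient to sign in."""
    return "You have a new message in your patient portal. Please sign in to view it."


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    rec = {"name": "Jane Doe", "dob": "1980-01-02", "mrn": "MRN-123456",
           "phone": "555-0100", "email": "jane@example.com", "note": "Lab results ready"}
    now = [1_700_000_000.0]
    portal = Portal(clock=lambda: now[0])
    portal.store("p1", rec)
    portal.login("tok", "dr.smith")
    print(portal.read_record("tok", "p1")["note"])
    now[0] += 31 * 60  # simulate 31 minutes of inactivity; the next read is refused
    try:
        portal.read_record("tok", "p1")
    except PermissionError as e:
        print("denied:", e)
    print(phi_leaks("Jane Doe, your results are ready", rec))  # ['name']
    print(phi_leaks(notification_text(), rec))                 # []
```

The injectable clock is what makes the 30-minute rule testable without waiting; the audit entries record who read which patient's record, whether the access was an emergency override, and whether it was refused by the inactivity timer or by a failed integrity check, which is exactly the evidence the "review audit logs and access reports" tip asks you to keep.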

What Are The Penalties For Not Being HIPAA-compliant? 

Penalty tiers depend on what a covered entity did or did not do concerning patient portal HIPAA compliance. Penalties are adjusted annually for inflation, with the current figures (taking into account the OCR 2019 Notice of Enforcement Discretion) as follows.

  • A covered entity that did not know and could not have reasonably known of an ePHI breach could be fined $127-$30,487 per incident and up to $30,487 per year.
  • A covered entity that “knew,” or by exercising reasonable diligence would have known, of an ePHI breach but did not act with willful neglect could be fined $1,280-$60,973 per incident and up to $121,946 per year.
  • A covered entity that acted with willful neglect and corrected the problem within 30 days could be fined $12,794-$60,973 per incident and up to $304,865 per year.
  • A covered entity that acted with willful neglect and failed to make a timely correction could be fined at least $60,973 per incident and up to $1.9 million per year.

As you can see, HIPAA compliance is vital, and disregarding it is costly in terms of both fines and reputation. Offer your patients a HIPAA-compliant patient portal with Bridge.

  1. CDC (2018). Health insurance portability and accountability act of 1996 (HIPAA). [online] Centers for Disease Control and Prevention. Available at: https://www.cdc.gov/phlp/publications/topic/hipaa.html
  2. Office for Civil Rights. (2022). Privacy. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
  3. Office for Civil Rights. (2020). The Security Rule. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/security/index.html
  4. Office for Civil Rights. (2022). Your rights under HIPAA. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
  5. Alder, Steve. (2022). What Are the Penalties for HIPAA Violations? [online] HIPAA Journal. Available at: www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/