Your Health Care Website May Be Capturing PHI Without You Knowing It

Written by: Bill Sterzenbach | Categories: Healthcare | Jun 2015


Are your health care website visitors "oversharing"? Oversharing can turn an ordinary form submission into protected health information (PHI), and unmanaged PHI can lead to HIPAA violations. Sometimes visitors are simply guilty of TMI (Too Much Information). In this article we'll share some tips on how to detect and avoid "TMI PHI".

People Will Overshare. This Creates PHI

We run audits on our customers' websites from time to time, looking for places where visitors may have shared more information than they were asked for. In these audits we almost always find something like the following.

My husband has been struggling with issues with his lower back for nearly 10 years...

Here is a classic overshare. What type of form was this? In this case it may have been a registration for a fun run. People tend to overshare about their health concerns wherever a free-text field gives them the room to do so.

How Can You Find TMI?

When looking for "TMI PHI" you'll need to get creative. We generally run a full-text database search for phrases such as "my wife" or "my husband", since these phrases rarely occur in ordinary webpage content but are common in cases of TMI.

Depending upon how your website data is structured, you may be able to run a search of your webform submissions from your CMS administration area.

You can ask your web hosting provider or web development partner to do a search each month - it will provide much needed peace of mind.
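A worked version of the search described above, added here as an example and not part of the original article or the author's tooling: it builds an in-memory submissions table from constructed sample rows (including the fun-run quote above), scans every text column for indicator phrases, and reports only the submission id, column and matched phrase so the audit output does not itself become another copy of the PHI. The phrase list and table layout are assumptions; extend both to match your own CMS.

```python
import re
import sqlite3

# Indicator phrases: the two from the article plus constructed extras (assumption).
OVERSHARE_PHRASES = ("my wife", "my husband", "my son", "my daughter", "diagnosed with")

# Constructed sample submissions for a fun-run registration form; not real data.
SAMPLE_ROWS = [
    (1, "fun-run", "Team Blue", "Looking forward to the 5k!"),
    (2, "fun-run", "Team Red", "My husband has been struggling with issues with his lower back for nearly 10 years..."),
    (3, "newsletter", "", "Please add me to the monthly mailing list."),
    (4, "fun-run", "Team Green", "my WIFE and I will both run; she was diagnosed with asthma last year"),
]


def load_sample_db():
    """Build an in-memory table shaped like a typical CMS webform submissions table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (id INTEGER PRIMARY KEY, form TEXT, team TEXT, comments TEXT)")
    conn.executemany("INSERT INTO submissions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_overshare(conn, table="submissions", phrases=OVERSHARE_PHRASES):
    """Scan every TEXT column of `table` for indicator phrases.

    Returns (submission id, column, phrase) triples. `table` is an operator-supplied
    identifier, not user input, which is why it is interpolated directly.
    """
    cols = [row[1] for row in conn.execute(f"PRAGMA table_info({table})") if row[2].upper() == "TEXT"]
    # Whole-word, case-insensitive match so "my WIFE" is caught but "army wifes" is not.
    patterns = {p: re.compile(r"\b" + re.escape(p) + r"\b", re.IGNORECASE) for p in phrases}
    hits = []
    for row in conn.execute(f"SELECT id, {', '.join(cols)} FROM {table}"):
        sub_id, values = row[0], row[1:]
        for col, value in zip(cols, values):
            if not value:
                continue
            for phrase, pat in patterns.items():
                if pat.search(value):
                    hits.append((sub_id, col, phrase))
    return hits


if __name__ == "__main__":
    for sub_id, col, phrase in find_overshare(load_sample_db()):
        print(f"submission {sub_id}: column '{col}' contains '{phrase}'")
```

Each hit points you at the form and field that needs a fix; the free-text column that keeps producing hits is the one to replace with a dropdown.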

How Can You Avoid TMI?

The easiest way to avoid unwanted PHI is to build your webforms without free-text fields. This simply removes the visitor's ability to start sharing.

Often the fix is as simple as replacing a comment field with a dropdown allowing the visitor to select from pre-existing categories, events, etc.

But I WANT to Collect PHI!

There are many cases where you are deliberately asking for this type of information, and there PHI is of course appropriate. In those cases, I'm assuming you already have a HIPAA compliant website and hosting configuration and are ready to handle PHI.

This article is really focused on health care websites that have not established a HIPAA compliant environment because their owners don't believe they have any PHI on the site.

We Can Help

Are you worried that you may have some TMI PHI on your website? Give us a call - 866.824.0287 - we can help you audit your website for uninvited PHI and provide recommendations on how to either make your website HIPAA safe, or avoid collecting PHI unintentionally. 

