HIPAA Compliant Development

Are you a Southwest Florida Medical or Healthcare provider or service? Looking for HIPAA-Compliant web design, cloud development, IT, networking and computer services? Vontainment in Port Charlotte is who you need! We are fully versed in HIPAA, and have always been above the curve in security. A digital agency with no limits to what can be done. We can satisfy your HIPAA hosting requirements.

Your HIPAA Compliant Website or cloud services will include Transport Encryption meaning your information will always be encrypted as it is transmitted over the Internet. Information will be backed up and can be recovered. Will only accessible by authorized personnel using unique, audited access controls. Medical information will be encrypted when it is being stored or archived. Unwanted files can be permanently disposed of when no longer needed. The security provisions detailed in HIPAA are exacting. Working within the scope of HIPAA places an onus on web designers to ensure that potentially sensitive medical information is kept private.

Vontainment understands web security and its critical importance in upholding the integrity and vitality of your Southwest Florida organization. Contact us today! We will not just consult with you about medical website security standards, we will also securely integrate your website with internal systems, CRM systems, ERP systems, and more. Ultimately, we will build you a system that allows you to access information as efficiently as possible without risking any integrity. The security provisions detailed in HIPAA are exacting. Working within the scope of HIPAA places an onus on web designers to ensure that potentially sensitive medical information is kept private.

HIPAA Compliant Web Design

The Health Insurance Portability and Accountability Act (HIPAA) changed how the United States works with health information. For the most part, HIPAA concerns private medical information and keeping it secure.

The act passed in 1996 and did not directly reference the Internet — but that doesn’t mean it doesn’t apply. In fact, if you plan to do anything with people’s protected health information (PTI) online, you need a website that complies with HIPAA’s high standards.

HIPAA web design starter checklist

When you’re laying the groundwork for your site, these are the major points you need to remember for HIPAA compliance.

  1. Secure sockets layer (SSL) protection
  2. Full data encryption (especially during transfers)
  3. Full data backup with encryption
  4. Permanent deletion options for all data
  5. Restricted, specific access for admins and users
  6. Regular password changes
  7. Data breach protocol
  8. Appointed HIPAA compliance officer
  9. Prominent, published HIPAA policy on site
  10. HIPAA business associate agreement with site host and other vendors

There are more precautions you need to take for a HIPAA-compliant site, but these 10 are the most important starting points for your business.

Now, let’s take a look at each quality individually.


SSL protection is a networking protocol that includes client authentication, server authentication, and encrypted communications between the two. That means whenever someone logs into your site or manages their account, everything is safely encrypted at all times.

In other words, no one could make sense of it if they stole or intercepted the information.


While SSL protection deals with user and server encryption, you also need to encrypt any data you store.

This is also important with communications between users and servers, as you must encrypt all data during transmission to make sure people can’t read it if it’s intercepted.


Once you have information from your clients, you need to store the essentials and encrypt them as well. Basically, only one person should be able to see the information they submit to your site, and that’s the user.

If there’s a clear or obvious flaw in your backup storage security, you’re not adhering to HIPAA.


HIPAA also mandates that you delete all data that’s no longer relevant to your business. So if you have a client who leaves your service for one of your competitors, you must permanently delete all of their information from your servers.

“Permanent” is a critical word here. If you delete someone’s information from your servers, you can’t have the opportunity to recover it. When someone leaves your company, their information goes too.


In a nutshell, restricted access means only your administrators can access administrative functions.

In addition, only a specific user can access their data, and they can only access their own data. Likewise, only your administrators can make changes to your site. This is especially critical since any minor change — even to a user’s profile — could constitute a breach of HIPAA’s strict regulations.


Most of the time, this is just a good idea. But with HIPAA, it’s law. You must regularly change the passwords of your administrators and users to keep your data properly protected.

Failure to regularly update or change passwords constitutes a breach of HIPAA’s standards.

Being In Compliance

Privacy Rule

Under the privacy rule, organizations are required to safeguard the privacy of patient health information. Specifically, for HIPAA-compliant website design, this means limits are set regarding who can access or disclose this information so robust security and authentication measures must be implemented healthcare websites and servers.

Enforcement Rule

The Enforcement Rule established the U.S. Department of Health & Human Services’ Office for Civil Rights, which simply enforces the guidelines and rules under HIPAA. The Enforcement Rule is in place to check the HIPAA compliance of healthcare organizations. If you don’t have a HIPAA-compliant website, then Split Reef can design one for you.

Security Rule

Much like the Privacy Rule, the Security Rule deals with protecting patient information. However, the Security Rule covers who is protected and how exactly the information is safeguarded. Because technology is ever-evolving, The Security Rule changes to include new methods of electronic communication and information storage.

Breach Notification Rule

Under this HIPAA rule, healthcare organizations and other entities covered by HIPAA must report the breach of unsecured information. Whether this is electronically or the breach of physical information, the breach must be reported to individuals affected, to the secretary of the HHS and sometimes even to the media. With our HIPAA compliant website development services, you can minimize your risk for breaches.

Does your website need to be HIPAA compliant?

To answer that question, you must answer this one: does your website store or transmit protected health information? If so, your website needs to comply with HIPAA regulations. More details below.

What is protected health information?

Protected health information (PHI) is personally identifiable medical or payment information related to health services. That includes:

  • Identifiable demographic or genetic information related to health
  • Information relating to the physical or mental condition of an individual
  • Payment or financial information related to healthcare

Is your website collecting protected health information?

If your website collects any individually identifiable medical information, such as symptoms, conditions, or requested healthcare services, you are collecting PHI.

You might be receiving PHI through:

  • Contact forms that ask about symptoms, medical services, medications or other health-related information
  • Online patient forms
  • Live chat
  • Patient Portals
  • Patient reviews or testimonials
  • Any other information-collecting tools on your website

How do you know if you’re storing protected health information?

Once you understand what PHI is and whether you collect it through your website, you should consider how and if you are storing that information. The Privacy Rule of HIPAA requires that entities that store PHI take reasonable measures to protect it. If you keep individually identifiable medical information on a server, that server must be encrypted and secure. 

What if your website is not HIPAA compliant?

If your website collects, stores, or transmits PHI, and does not take reasonable measures to secure that data, you may be in violation of HIPAA. If you are, you run the risk of HIPAA penalty fines, which are not cheap. Depending on the scale of the violation, the number of patients affected, and the level of negligence, a fine can range from $100 to $50,000.

Sharing Patient Reviews

Written Permission Is Legally Required. Now, if you do get a glowing review, an awesome photo, or a positive candid quote, don’t post it anywhere without express written permission from the patient. This is a legal requirement—and more importantly, it’s a way to demonstrate to your patients your concern and professionalism when it comes to protecting their private information.

Social media engagement

In addition to asking your patients to leave reviews online, you should ask them to “follow” or “like” your business on Facebook, Twitter, Instagram, and LinkedIn. Engaging with your patients online increases the visibility of your business and makes your brand more personal and accessible. (A word of caution about interacting with your patients online: make sure that your online behavior is HIPAA-compliant, and frequently perform and document a risk assessment to safeguard your patient information.)

You cannot be “HIPAA certified.” 

HIPAA is a set of rules and best practices. There is no certifying body for the government that certifies software, hosting companies or health organizations on HIPAA.

HIPAA makes almost zero reference to technical specifications required for hardware or software security. And even if it did, they would be completely out of date – the law having been passed in 1996 – and surely would not contain much relevant information pertaining to new technologies like SaaS software and cloud hosting. Therefore, it’s important not to read into false claims made by companies about the use of certain brands of firewalls, servers, operating systems or server architectures.

Only Linking to Other Compliant Systems

When a current or prospective patient clicks “submit” on any form they use on your site, the information should be securely transmitted to HIPAA compliant systems only. For example, if your contact form inquiries are routed to your email, your email provider must also be HIPAA compliant. Medical Web Experts’ HIPAA compliant website design projects always account for this. If your current site has links to non-HIPAA compliant systems we will point it out and work with you on a solution, like HIPAA email hosting and web hosting, custom HIPAA compliant application development, or process redesign.

“Do no harm” includes patient information.

HIPAA regulations, in a simplified version, ask companies to do the following four things:

  • Implement rules and safeguards to protect patient health information.
  • Limit sharing of confidential data to authorized stakeholders who directly help patients in some way.
  • Ensure that any business associates or corporate partners also safeguard PHI and share information only when done so in each patient’s best interests.
  • Limit who can access PHI and train employees about security and confidentiality best practices.

Whatever sector of health care you operate in, we’ve got your patient information under strict lock and key. Focus on healing your customers, and we’ll focus on ensuring their data is protected.