Are You Sure That Your WooCommerce Website is HIPAA-Compliant? (Video)

Webinar-HIPAA-Compliant-WordPress-Hosting-Blog-Banner

In this Article

Are you sure your site is HIPAA-compliant? Do you store Protected Health Information (PHI) securely? Find out by watching our free webinar. And if you’re looking for a HIPAA-compliant host, look no further: Convesio offers HIPAA-compliant web hosting.

Watch an insightful discussion, designed specifically for medical professionals and marketing agencies working with medical professionals. Discover how to ensure your WordPress sites meet HIPAA requirements and maintain ongoing security compliance to prevent data breaches.

Last week, Convesio CEO Tom Fanelli was joined by April Wier, Lead Educator at Medical Marketing Unlocked, to discuss HIPAA compliance and WordPress websites. In the webinar, Tom and April discussed the key provisions of the Health Insurance Portability and Accountability Act (HIPAA), the importance of protecting patient data and the legal obligations for healthcare providers and their business associates, configuring your WordPress site to meet HIPAA standards, and more.

It’s a must-watch for any business owner or webmaster that handles medical data.

Questions about HIPAA? Book a meeting with our team today.

 

Questions Answered in the Webinar

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is designed to protect healthcare information, ensuring it remains private and secure while making it accessible for patients to take with them from one provider to another. It includes rules for privacy, security, breach notifications, and enforcement.

Why are Business Associate Agreements (BAAs) important in HIPAA compliance?

BAAs are crucial because they define the responsibilities of vendors accessing patient information, ensuring they handle data securely and in compliance with HIPAA regulations. Every vendor that comes into contact with protected health information (PHI) must have a BAA with the covered entity.

What constitutes a compliance chain in HIPAA?

A compliance chain includes all parties handling PHI, from healthcare providers to marketing agencies and web hosts. Each party must have a BAA to ensure secure and compliant handling of PHI, maintaining the integrity of the compliance chain.

What are common gaps in HIPAA compliance?

Common compliance gaps include lack of data encryption (both in transit and at rest), inadequate user authentication, poor physical security at data centers, and insufficient backup and recovery processes. These gaps can lead to breaches and non-compliance penalties.

What are the best practices for maintaining HIPAA compliance on WordPress websites?

Best practices include regularly updating WordPress and its plugins, using two-factor authentication, avoiding the storage of PHI directly in WordPress, and utilizing HIPAA-compliant tools and services for forms and email communications.

How should data collection forms be handled to ensure HIPAA compliance?

Data collection forms should be encrypted, and it’s advisable to avoid storing submissions directly in WordPress. Instead, use HIPAA-compliant plugins and ensure that form data is sent securely to HIPAA-compliant email providers.

Can tracking pixels and marketing data be used under HIPAA?

No, tracking pixels like Facebook pixels and Google Analytics cannot be used to share patient browsing data with third parties, as this can disclose PHI. Recent guidelines prohibit such practices to protect patient privacy.

What responsibilities do agencies have when working with healthcare clients?

Agencies must understand HIPAA compliance, be willing to sign BAAs, follow best practices for secure user logins, handle PHI properly, and ensure their team is trained in HIPAA regulations.

How can PHI exposure be minimized in WordPress?

Minimize PHI exposure by using HIPAA-compliant external tools for forms and scheduling, embedding them on the website rather than using native WordPress forms, and ensuring that all data transmitted through WordPress is encrypted.

What resources are available for agencies and healthcare providers to ensure HIPAA compliance?

Resources include HIPAA compliance checklists and specialized training courses that cover every aspect of HIPAA compliance, helping agencies and healthcare providers navigate requirements and assess their partners’ compliance capabilities.

Transcript

Tom Fanelli: Welcome everyone. It’s great to see everybody here today. We have an awesome presentation for you on a topic that has been kind of near and dear to my heart for almost a year now, and a little bit of background on this. So April, who is our co-presenter today, and really the HIPAA person, the expert that got me involved in this and even brought it to my attention. I mean it was probably over a year ago that there was a need in the space for HIPAA compliant WordPress hosting. And so really April is the genesis and the reason why we’re even here today. So thank you, April. It feels like this is a culmination of a lot of learning and work and dialogue between us.

So it’s a great, great moment and we’re going to take you through a bunch of stuff today. We’re going to talk about an overview of HIPAA, the compliance chain, common compliance gaps, and some technical requirements of hosting.

Just a disclaimer here. You really always should do your own due diligence with your own legal team and your own compliance teams when you are dealing with any compliance, privacy, HIPAA, any of that type of stuff. So I really suggest this is a disclaimer that this is not legal advice. Really, you should consult with your experts on your team. I do want to make a point that we have a couple different audiences with us here in the group, which is some of you are from agencies and some of you are from medical professional offices. And so we’re going to tailor this into the topic and the presentation as we go. So you might hear things that are framed directly for medical professionals. You may also hear us talk about agencies.

It’s really important to both of these groups, very important actually because medical offices need really good agencies to work with and agencies need to understand what’s happening when they’re working with medical offices in terms of how to handle compliance and protected health information. Alright, so my name’s Tom Fanelli. I’m the CEO and Co-founder of Convesio. We are a scalable WordPress hosting company and many of you probably know who we are and have worked with us in the past. And so I am joined with April. I’m going to stop talking, turn it over to April. She’s going to do her introduction and we’ll get started. So April, I am going to give you control and it’s all yours.

April Wier: Yes, I love that. Yeah, I think our very first conversation we ever had when we first met HIPAA creeped in there somewhere, because I’m a little bit of a nerd when it comes to this, okay? So HIPAA can be a little overwhelming. And I heard when I first joined the greater WordPress community and marketing community that you should not touch HIPAA with a 10 foot pole. And I’m a little bit rebellious and if you tell me I can’t do something, it makes it super attractive to me. And so I picked up my first client and did a deep dive and found why people were saying that, but also there are ways to do it safely. And so just to give you kind of a quick overview, what HIPAA is, the Health Insurance Portability and Accountability Act of 1996. It’s really there to protect our healthcare information and make it more accessible so we can take it with us.

It’s portable from one doctor to another and there are rules set about to make sure that our information is private and secure. And if it becomes insecure, what do we do about it? Because we have breach notification rules and enforcement rules. So privacy, security, what happens when the horse gets out of the barn and what do we do to the people who let that happen? So that’s kind of the overview of that. Let’s see. There we go.

Oh, key terms. Okay, so the guidelines, like I said, it is just making sure we can move it, keep it safe. We’ve got a link here to you can go and see and read more about what the government has to say. The government has a lot to say about this. This is a very complex topic and there’s a lot of vagary around it, but there are, if you keep it simple, you can pretty much navigate 99% of all situations you were ever be in.

And it really starts with the covered entity. So the covered entity is the primary place where healthcare is either being, healthcare information is being generated or it’s being processed. So that would be like your healthcare providers, your health plans, people who process claims, those kinds of things. Generally it’s the ones that we’re going to encounter. It’s going to be patient health information that’s generated in the clinical setting or through lead generation. So clinical setting obviously for the medical professionals, lead generation for the agencies or the in-house marketing person. So when you’re doing business from a healthcare setting with outside vendors or anyone who’s going to be accessing that information, you need a business associate agreement. So as an agency owner, I’m a business associate, the covered entity would be my client who I’m working with. And I need to make sure that my agreement, my business associate agreement says basically, when I access your information to help you, I have certain responsibilities.

And then if I’m accessing that patient health information, do I know what that is and do I know how to protect it? And so here’s one of the things that happens when we’re dealing with medical information is there’s a lot of arguments around what is protected health information and what is not. So PHI is kind of the catchall for all the different P words that are around privacy. So we have patient health information, private health information protected health information, PHI. So you’ll hear different that describe different ways. It’s all the same idea is what is your private information that is protected when you’re interacting with a covered entity. And so here’s some examples, names, phone numbers, email addresses, your social security number, account numbers even. And Tom can go into this a little bit later, even your IP addresses. So there’s a lot that we need to make sure that we are either not touching or that we’re touching appropriately and put fences around our behavior.

Now who do you need a BAA from or who do you need to give a BAA to? So any vendor who comes in contact with that data. And so an example might be obviously your agency, your web host, your email provider, payment processor. Alright, so when you issue a BAA to someone as an agency, you establish what is in effect a compliance chain. And so let’s look at what a possible compliance chain might look like. Okay, so we have here, we have the covered entity, which would be, let’s just say the doctor’s office. Here we have the marketing agency and here we have your web host Convesio. And let’s say the covered entity has signed up with an email marketing company. So everybody needs a list. And if they don’t have it through their EMR, then maybe they’re going through something like ActiveCampaign.

So as the marketing agency, I want to access their email marketing app. I want to make sure that their templates are set up that I can help segment their list, but that information is protected. So for me to access their information, I need to issue a BAA right? And something else to think about is ActiveCampaign also needs to issue the BAA. And just because a product says it’s HIPAA compliant does not mean that your account is HIPAA compliant. You still need to, even after you sign up for the service, you need to request the BAA. Okay? So in that case, the compliance chain is the BAA is from the email marketing company to the covered entity and from the marketing agency to the covered entity. Now as a marketing agency, I also provide concierge hosting to my clients, which means that I sign up for it and I’m their liaison and I take care of everything.

My provider of choice is of course Convesio. And so when I am getting hosting from Convesio, if I am to have PHI processed on those websites, then I need to have a BAA from Convesio to me, then I need to have a BAA from me to the covered entity. The compliance flows through me, but it maintains the chain. So we don’t want to break in the chain anywhere. Now if something happens at my level, so let’s say that I have a breach, somehow something’s been hacked or there’s been some type of violation where protected health information has come out when it was under my responsibility, then I have certain things that I have to do and it is my responsibility one to notify the covered entity and to set up in motion the breach notification process because in the compliance chain, I was the link of the chain that was weak.

But if the chain is complete, then let’s say the covered entity now has responsibilities of notifying certain people. So the big thing about the compliance chain is we want to know where the PHI is flowing and who’s responsibility isn’t at the time where as it’s flowing through the chain. So one of the things you really want to do is have a visual workflow or a visual representation of where PHI is flowing in your business or if you, you’re a marketer, where are you touching it? Where are you interacting with it? So here’s one of the ways that PHI could be flowing through, let’s say a doctor’s office. So you’ve got your electronic health records, you’ve got an accounting system, billing system. They might have an app where the patients talk to their doctors and then obviously they’re going to be processing insurance, and then they’re going to hopefully have a vendor or a partner like us who’s going to be taking care of their marketing.

Now, it’s really good to know also to have a patient flow of when you’re, especially if you’re a marketer, how are you touching all the things? So you might have a flow like this, but it would look like we’re touching their email marketing, we’re touching leads that are coming in through social media. We’re touching when we manage their email list. So it’s really important to know all the ways that you as an agency, touch patient health information and as you as a healthcare provider, touch patient health information. And where do those things cross? Because that’s the way that we’re going to identify risks and put fences around things so that we can prevent breaches. And breaches can be a pretty big deal. The penalties can be pretty enormous. As you see here, this is updated for 2024 penalties. Tier one, if you had no knowledge and it didn’t really affect anybody but somebody a breach, but it didn’t really get out, it was just exposed, right?

You might only have $137 penalty if it wasn’t egregious. Now, if you didn’t have any knowledge and it affected millions and millions of people, it could go up to $2 million. Now for some of us, a $2 million violation or penalty is career ending. For some people that just might be a line item in their shareholder report, but for me, if I were to get a penalty, that would be a pretty serious deal. And the penalties, as you can see per violation, they go up depending on your level of care that you have taken, right? So most of what they’re looking for when you’re being audited or when you’re being assessed for violations is how much protections did you have in place? How much did you know? And how did you work to prevent this? If you didn’t put any work in to prevent this, we’re talking willful neglect.

Obviously your penalties are going to be much higher and willful neglect, that’s not corrected. That’s the big thing. But most of this can be prevented with just the right policies and plans and the right partners and the partners that you put in place need to know what they’re doing. And one of the things that I have found as a marketer and as somebody who’s worked really close with healthcare providers is it’s extremely difficult to find a hosting company that knows what they’re doing. There are plenty of people out there doing HIPAA, but they don’t all know what they’re doing. And so it’s really on us to make sure that we are partnering with the right people. And so I’m going to hand this off to Tom where he can talk a little bit more about what goes into being that type of partner.

Tom Fanelli: Alrighty, thanks April. Great stuff. So we see a lot of covered entity medical practices coming to us, looking for help getting their WordPress site HIPAA compliant. So there’s really three keys to HIPAA compliance from our perspective. So it’s the hosting and the infrastructure. It’s your website platform and in this case that is WordPress, and it’s ensuring that you have a continuous process in place so that you can monitor, audit, and manage everything regarding your website and your hosting infrastructure. So I’m going to rattle through some things here that we think are really important components of HIPAA compliance for medical websites. So first off, this is an infrastructure thing and infrastructure and tools that you need to have in place.

Data encryption, this is a big one, and there’s two terms here. There’s data encryption in transit and there’s data encryption at rest. And so what that means is that when data is transmitted through your website, like your forms that you might have, that data needs to be encrypted. So that needs to have an SSL or a secure socket layer in the transmission. So you have to have an SSL on your website. The more tricky one, and the less common one is having your data encrypted at rest. And so this means things like encrypting your database, encrypting your backups, those both need to be encrypted to meet the HIPAA requirements, to have encryption in both transit and arrest. In fact, interesting little sidebar here. Let’s say that your backup is exploited or your database is stolen and it’s encrypted. That’s not even considered a breach under HIPAA.

So if your data is encrypted, it is unusable, okay? So encryption really helps you avoid some of the potential breaches that you might have on your hands. Okay? Authentication. This is more of a tools and process at the site level, and this is a great recommendation for anyone using WordPress. You need to have named users and you have to have multifactor authentication or two-factor authentication. Now, why is this important? And a little bit of out of order here, but one of the things that you need to have with HIPAA is you’ve got to have audit logs. So if you have a general user like support at your company or webmaster at your company, you can’t tie that back to a user. So without a named user in your site and that user having two-factor authentication, you really don’t know if someone when they’re logging in, if it’s that person, and also if it is a person, if they’re using a generic user log and you can’t tie that back to John Smith in your organization.

So one of the first things we do when we audit sites for HIPAA is we look and see are there any of these generic users like admin, and we set up for customers multi-factor authentication. That could be email, it could be you get a code via email, your authenticator app, however you want to do it. This is a good security thing to have in place. Okay, the next one, a little more complicated, physical security at your data center. So where is the physical server being hosted? Can anyone just walk in and walk up to the box and access it? Or are there access controls? Is the data center compliant with HIPAA standards around access controls? Do they have badged entry? Are there biometrics in place? Do they have two-factor authentication, badge and biometrics to get into the security, to the actual physical presence of the server?

So that’s really important to make sure you’ve got all the physical safeguards in place that are required by HIPAA. Another really important component of HIPAA is having accessibility to your records. So this means backup redundancy and recovery processes. So having things like offsite backups that are encrypted, having a recovery process, what do you do if a meteor hits the data center? How do you get your backup of your data? You have to ensure that you’ve got accessibility of this data and that you can recover it and you have redundancy in place for this. So very important that you have good backup policies. Again, we talked about a business associate agreement. I want to unpack this a little bit more, and I think I’ve got a slide also for this, again to talk about it. But everybody that’s in that chain that April talked about has to be covered under this business associate agreement.

So if you give access to your website to a designer or a support person or an engineer, I’ll give you a really good example for those of you in the WordPress space. This is a real world example. Let’s say you’ve got a problem with a plugin on your website and you’re having an error. I mean drop in support. If you’ve ever had the plugin company say, give us a user on your website so I can troubleshoot this, that is a breach of HIPAA information. If you give a user access to a site, and that’s a medical site, of course give a user access that you don’t have a in place with. So you better have a in place with that plugin developer if you’re going to give them access. So all parties accessing this data, I’ll give you another really good example. So we’ve partnered with CloudFlare and we talked a little bit about April, had mentioned that IP addresses are considered PHI, and that is true because an IP address can be tied back to an individual visitor.

And if that visitor is on your website browsing pages about knee replacement surgery, HHS says you can vaguely infer between that browsing behavior and that IP address a medical condition with that person. And so that is considered protected health information. Well, our IP addresses all flow through CloudFlare, because CloudFlare, for security purposes and encryption purposes is in front of your website. Well, I’ve got news for you. You can’t get a BAA with CloudFlare unless you’re an enterprise client. So Convesio has that BA with CloudFlare. So we have a BAA with the data centers, with the providers that are integrated into our system that might have exposure. So we have coverage of all of your components that you need to have in place, and we ensure that we meet those. So that’s really important when you’re assessing vendors that you’re going to work with. We see security plugins all the time, and those security plugins might send your IP addresses.

Another good example of this is a lot of us love this plugin Wordfence. Okay, well, Wordfence sends a daily or weekly summary with a bunch of the top IP addresses that it blocked. Those IP addresses could be considered protected health information, and if you just got them in your company email for your webmaster, not you don’t have a BAA with, then again, you’ve broken the chain of custody of that protected health information. Then lastly, regular audits. This is something that you’ve got to have processes in place to, and if you’re a covered entity or a medical professional, this, you probably have annual training on how to handle protected health information. At Convesio, we have those same processes in place, so we train our team members on this. If you’re an agency doing this, you need to have your team members trained on how to handle protected health information, and you need a process in place to monitor what’s happening, particularly in the context of what we’re talking about your website, right? Is it secure? Have no additional unnamed users been added? So there’s a whole process to audit your website to ensure you’re not out of compliance here on any of this. So you need someone to be doing that on a regular basis. Okay? What are the best practices for WordPress?

I am a huge proponent, and this may seem like, well, gosh, Tom, it almost sounds like we don’t need to do this. I am a huge proponent of limiting risk as much as possible. So this means doing things that are the best practices, but also trying to just avoid putting PHI in WordPress. I don’t think that avoids you from the potential of having a HIPAA violation, but it certainly reduces the risk. So what do I mean by this? Okay, I’m going to tell you, alright, stay on top of all your WordPress updates and plugins and security practices. Put in two factor authentication, do all of that stuff, but how do we avoid PHI and WordPress? Well, if you have a medical record system that gives you embeddable forms, don’t use forms like gravity forms in WordPress. If you have other tools that are HIPAA compliant, like scheduling tools for instance, embed those on your website, have your BA with those tools and extend them to your website to limit any exposure you might have in your WordPress native database.

Now, if you’re doing something like, by the way, there’s a bunch of compliance around WooCommerce that you need because you might be a pharmacy, you might be a dispensary, you might be a wellness spot, you may be all sorts of commerce based. You can’t get out of having that data in WooCommerce. So you have to ensure you have things like database encryption and all of this stuff in place. But I like to avoid PHI and WordPress as the first layer of defense. There are other things that you can do. For instance, this is a real big gap that I see a lot of people love things like SendGrid, SendGrid, yeah, SendGrid, which is an email provider. SendGrid is not HIPAA compliant and will not issue a BAA. So what does that mean? Well, if you are using WordPress forms, a lot of us love to get our forms and the submission details in our email.

Well, if you have just emailed to a non covered email provider form data or you’ve emailed it through a non covered email service, SendGrid, is a violation. Alright, so how do we ensure this? I’ve got two pieces of great news for you. If you’re a medical professional and you use Google or Microsoft for your email, you can get an on demand BAA right inside their portal so you automatically have HIPAA compliance for your email. So that’s a great thing a lot of people don’t know about. The other thing that’s really interesting is you can use Microsoft Forms if you don’t have, let’s say you have a BAA, by the way, I would also recommend that if you are an agency, unless you really want to be in the middle of a BAA between your website technology and your customer, and that’s a business decision, we see agencies that are like, I’m going to specialize in HIPAA compliance and I am going to have the BAA with the hosting company and with the form providers, you could get Wufoo for example.

They have a HIPAA compliant form system that you can embed to the site. You may choose as a business, you want to have all of those things covered as the agency. You may also be like, you know what, I’m just going to cover a BAA for the work that I do, and my team and all the vendor BAAs need to go directly between the vendors. So I’m going to tell the covered entity, go get a Wufoo account, I will implement it on your site and you will have HIPAA compliance. So that’s a decision for the covered entities on how they want to maintain their information and their compliance and the agencies you work with. But to that point, you can get out of the box BAAs with Google and with Microsoft, and if you do that, implement Google your own Google account. Don’t use SendGrid because if you send from and to your own email account, you have no issue with the chain of compliance there because you’ve not used and you can send that form to yourself in email as long as you’ve got a HIPAA BAA with your email provider.

So that’s a good thing to have. Alright? And even with all of this, you still need HIPAA compliant hosting and that’s because you still have a vector of potential liability and exposure there. You’ve got people visiting your site, even if you’re not collecting patient information, your site’s picking up your IP address, it’s likely storing it in logs somewhere. So you do have that IP address thing, which is way harder to get out of with a hosting company even if you’re not collecting form data. And even if you’re not collecting form data, what are you doing about your Facebook and your marketing and your Google Analytics pixels? Who’s handling that for you that we’re going to talk about in a slide? What happens if a marketing agency does a landing page for you? What happens if you have a user that’s added to your website that might have access or a plugin was installed that’s collecting IP addresses and sending it elsewhere?

You have a sort of an area of responsibility that you have to make sure your website is HIPAA compliant if you’re a covered entity. Okay? So we’re going to talk a little bit about this and I’m going to breeze through these a little bit because we kind of covered some of these a little. But data collection forms and email is a big source of frustration for everybody that’s involved in this compliance chain. So your form data needs to be encrypted, okay? And I’m going to give you two things for this. One, it’s really easy if you use Convesio, your database is encrypted, so your form data is encrypted, but there’s also another great plugin out there called WS Forms, and this allows you to do data encryption into the database without the database being encrypted, but you can encrypt your form into the database, so it’s like double encryption, okay?

Or it’s encryption if you’re not going to encrypt your database, which you should. So you have to encrypt your form data. There’s some gravity forms if you use gravity forms or some encryption plugins that are out there. Avoid storing in submissions entirely. This is a great tip. You can disable in plugins like Formidable and Gravity Forms, disable storing this stuff. I know a lot of people like to store this in WordPress because they want to have that repository, but if you’ve got Microsoft Office and your covered entity has an office account for their email and they’ve got a B, if you send that to an inbox and Microsoft office, you basically have all of your options covered there. You’re not storing it in WordPress, you’re sending it out of WordPress, don’t store any email log of it in WordPress and you’ve basically sent that. You’re shuttling that information through in an encrypted manner because you’re submitting it encrypted and it’s being transmitted through email encrypted.

You’re now shuttling that data through the WordPress website and it’s not retaining it. And then make sure you have your BAAs in place with your email providers. So that’s some tips that I try to give folks for managing this data in their forms. Alright, this is hot off the presses everyone, by the way. Jono. Thank you. Yeah, CodeMonkeys does a really good Gravity Forms encrypted form solution that is for HIPAA compliance tracking pixels. Alright, everyone pay a lot of attention here because this is so hot off the presses. I’m going to do a video on this soon, but new guidance just came out at the beginning of July on this from HHS. So there is a lot of questions here around, can I put a Facebook pixel on my website and do retargeting? No, you cannot. And here’s why. And I’m going to explain to you why this is relevant.

Even with Google Analytics, if you put a Facebook pixel on your website and your potential patients are browsing your website, that data is being sent back to Facebook and it is now married with that person’s identity. So you have shared browsing data relevant to potential symptoms, causes medical conditions to Facebook that they can now identify because they know that that’s John Smith browsing your website. So that is a no-go because Facebook will not issue a BAA. So you cannot disclose browsing data on your site. Now you can disclose it if they’re like employees or non symptom pages, but we’re splitting hairs at that point. That’s what just came down from HHS. They just said if they are potential patients browsing information on your website about medical conditions, you cannot share that pixel data with third parties. That’s any retargeting pixels, Google ad pixels, any third party marketing platforms that are enriching data.

That is a big proceed with caution sign for marketers. Here’s the other thing, Google Analytics. Google Analytics has a feature that allows them to tie the people’s browsing data from their desktop because they’re logged into Google to their cross device session data on their phone. So if they’re browsing your site on your phone, then they come on your desktop. Google can tie those two together because that user was logged in to their mobile device and their Google account when they browsed your site, that is also a no-go. You have to turn that ability off. And Daryl can share that in the chat what that’s actually called. But there’s advanced attribution tracking and all this stuff in Google and what is tricky about it is they were really forced to do this through GDPR, I believe, but they didn’t use to do it then they did it on new accounts.

And so you have to check your Google account to see if it’s compliant. Alright, BAAs and agencies, this is another important topic and I think it’s really important because as a medical professional, you need a really good agency to rely on for all things WordPress updates, marketing tools. You need agencies that know the type of stuff we’re talking about here. So you need to make sure, ask your agency, are you going to sign a BA? Because you’ve got to have that if you’re going to have access to my website because you’re going to have access to IP addresses at the least. Okay? You need to make sure that they know how to follow the best practices. Don’t ask agencies, don’t put in webmaster support these generic things. Make sure you’ve got two-factor authentication. Make sure your agencies are trained in how to handle and dispose of the protected health information in proper ways.

And so that’s all really important for you as an agency. Just because you do not provide HIPAA compliant services does not mean that you are not on the hook for responsibility from HHS if it ever comes down, just because if you work with medical professionals and you’re an agency, you really need to understand you have responsibility here, even if you don’t offer HIPAA compliant agency services. And even if you have not signed a BA. Okay, well that wraps up my part. We’re going to transition into some Q and A here, which I think we’ll let Daryl moderate to the group here and put your questions into chat. We’ll be happy to answer. We’ve got 20 minutes here to talk. We do have some free offers for you. We have a HIPAA compliance checklist. And then April, I’ve been through this by the way. April offers a course called Medical Marketing Unlocked. It’s really four agencies. I don’t know if you mind if I give a little pitch on this April, but she’s offering a tremendous value, a discount on this. If you’re an agency on the phone with us and you’re interested in offering HIPAA compliance services and you want training on how to do every aspect of that soup to nuts, this training is world-class. I’ve been through it and it’s really, really great. So that’s awesome. April, I don’t know if you want to say anything else about your course. Oh, you’re muted. I think

April Wier: Mostly it is, it’s really hard to learn all of this on your own because there’s so much information and it seems like a big hill to climb. And what I did was took my experience of having learned it on my own and distilled it into an easy to understand, easy to digest a plan of getting just a really good overview so you can feel safe and secure going out and knowing how to navigate this and how to even find good providers and knowing how to assess them. And that’s how I know that I feel comfortable sitting here with Convesio because I’ve learned how to assess my providers.

About the Author

In this Article

Convesio Hosting Dashboard
Related Articles
Get WordPress Performance Tips
Subscribe to our monthly newsletter covering performance, innovation & running WordPress at scale.
[gravityform id="44" title="false"]