Can’t believe it!

Last Saturday morning I spent 2 hours browsing different pharmacy websites. I was amazed at how many of them were not secure or compliant. I would say a good 60% of pharmacy websites are in violation of HIPAA. In addition, 75% of the websites I visited were not secured with SSL. As a website design company that specializes in pharmacy and healthcare websites, I cannot stress enough the importance of security and compliance for websites.

In this article I will discuss the reasons why your pharmacy website must be compliant and secure. Many owners don’t put much thought into the security of their website when they independently start a pharmacy of their own. Websites are often overlooked and never touched again after completion. However, with more and more security incidents involving pharmacies, it is essential that you lock down your pharmacy website.


What are HIPAA and ADA?

HIPAA (Health Insurance Portability and Accountability Act), passed by Congress in 1996, is a set of guidelines for protecting the privacy of your medical records. The act mandates standards that healthcare companies, including pharmacies, must abide by. HIPAA requires the protection and confidential handling of protected health information. A HIPAA compliant website is a must for any company that wants to stay on the right side of these regulations. This will not only protect them from fines but can also help with sales and branding as well!

ADA (Americans with Disabilities Act) of 1990 prohibits discrimination against individuals with disabilities. This includes pharmacies and their website presence. Employers are prohibited from discriminating against applicants or employees with disabilities in any aspect of employment, including hiring, pay, promotions as well as firing and dismissal.


Why do I need a HIPAA compliant website?

A HIPAA compliant website is one that can withstand the high security standards set for healthcare organizations. So what makes a website HIPAA compliant, and how do you become HIPAA compliant? The answer to why is simple: patients are entering PHI (protected health information) on your website. It only makes sense to secure this information in all of its forms. If a patient types in their RX number, that is considered PHI and needs to be protected. From the moment the user first types their information to the time it is submitted into the pharmacy software system, e-mail or fax, this data should be 100% secure and protected.

Patients send PHI not only through refill requests but also through contact forms. All contact forms should be 100% HIPAA compliant. Patients often send RX numbers and other PII (personally identifiable information) through contact forms. “Don’t think just because your website is managed or hosted through a marketing/IVR company that it is secure and compliant.”

Also understand what HIPAA compliant web hosting is. HIPAA compliant website hosting is a web hosting solution that meets or exceeds the administrative, physical and technical safeguards required by the 1996 HIPAA regulations, the Security Rule that followed, and the Privacy Rule amendments of 2003.


How to be HIPAA compliant?

The Security Rule of HIPAA clearly defines the rules for secure storage and transfer of sensitive patient information. While the transfer of patient data online has made healthcare management more efficient and mobile, it also increases the security risks for medical providers. When designing a website for a healthcare facility (HIPAA compliant website design), HIPAA compliance regulations must be considered. Some of the most essential aspects of a HIPAA compliant website include:

  • Use of an SSL certificate
  • Web forms that are encrypted
  • Complete encryption of all data
  • Secure storage and location for data and servers
  • Possession of signed BAAs (business associate agreements)
  • Utilization of secure user authentication
  • Regular backups of data as well as secure removal of unwanted PHI

Make sure all of your forms (contact, refill, transfer, etc.) are HIPAA compliant. There are a few form providers, like Jotform, that offer HIPAA protection. Jotform is the form company we use for all of the healthcare websites we create.

SSL certificate encryption (TLS) / HIPAA SSL certificate requirements
A HIPAA compliant website is a priority for many businesses, and the use of SSL encryption to protect patient records has become the industry standard. It’s important that your website meet these HIPAA SSL requirements in order to maintain its integrity as well!

It is essential to install a secure sockets layer (SSL) encryption certificate for your website and to move the site from plain HTTP to the secure HTTPS protocol. SSL secures all data transferred between the client’s device and the server.

Webmasters should know how to set up SSL certificates. However, you can also work with your service provider to SSL-encrypt your site, as it only requires a (relatively easy) installation on the server.
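Installing the certificate is only half of the transition the section describes; the site also has to stop serving content over plain HTTP. The added script below (not ConfigRX's code, and it goes a step beyond the text by also checking the Strict-Transport-Security header) judges the two responses a visitor gets on ports 80 and 443; the hostnames and header values used in its checks are constructed.

```python
# Added example (not ConfigRX's code): check whether a site moves visitors from
# plain HTTP to HTTPS and tells browsers to stay on HTTPS (HSTS).
# Hostnames and the header values used in the checks are constructed.
import http.client
from urllib.parse import urlparse


def assess_http_to_https(status, headers):
    """Judge the port-80 response: status code and a dict of lower-cased headers."""
    if status not in (301, 302, 307, 308):
        return ["plain HTTP served content (status %d) instead of redirecting" % status]
    if urlparse(headers.get("location", "")).scheme != "https":
        return ["redirect does not go to https"]
    return []


def assess_https(status, headers):
    """Judge the port-443 response: HSTS present with a max-age of at least one year."""
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    max_age = 0
    for part in hsts.split(";"):
        key, _, value = part.strip().partition("=")
        if key.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    return ["HSTS max-age below one year"] if max_age < 31536000 else []


def fetch(scheme, host, path="/"):
    """GET one URL and return (status, headers). HTTPSConnection verifies the
    certificate chain by default, so an invalid certificate raises ssl.SSLError."""
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def check_site(host):
    """Live check of one hostname; returns a list of findings (empty means good)."""
    try:
        return assess_http_to_https(*fetch("http", host)) + assess_https(*fetch("https", host))
    except (OSError, http.client.HTTPException) as exc:
        return ["connection failed: %s" % exc]
```

Run `check_site("your-pharmacy-domain")` against a site you operate; an empty list means HTTP redirects to HTTPS, the certificate validates, and HSTS is set.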

Off-site Backups
It is a good idea to keep a duplicate offsite copy of your backups daily to ensure continuity of business and ability to recover from disasters.

Replicated offsite backups can be easily retrieved and, if restoration is required, it is incredibly easy and can be done at the hosting facilities. Flexible retention times and backup intervals are available, such as five-minute, fifteen-minute, or hourly backups.

What is the Privacy Rule?
You should be aware of the Privacy Rule since it is the foundation of a HIPAA compliant website. The Privacy Rule applies to all health plans, providers and clearinghouses and also to their business associates (any companies that handle health information on behalf of their clients).

The Privacy Rule requires safeguards that protect the privacy of medical information. The law also grants patients rights over their personal information, including the right to request copies of their health information, the right to examine it and the right to request changes.

Insist on a business associate contract
A business associate contract demands that third-party companies are HIPAA certified in their practices as well.

This means that a collector who is pursuing late payments must adhere to the same guidelines for private health information as the nurse who monitors a patient’s blood pressure.

Provide HIPAA compliance training to everyone with access
HIPAA compliance training for employees is vital. You cannot expect your employees to understand and follow all aspects of the sometimes complicated Privacy Rules of HIPAA without appropriate training. Remember the procedures you established in step 6? Make sure that employees are aware of them and know how to implement them.

The training should also cover the fundamentals of protecting passwords as well as how to deal with complaints from patients. HIPAA regulations require that training takes place “periodically,” so offer annually scheduled refreshers for all staff.


Pharmacy Website ADA Compliance

ADA compliance has recently become a large issue for independent pharmacies thanks to the Winn-Dixie lawsuit. The lawsuit, which awarded the plaintiff’s lawyers $100,000, found that Winn-Dixie’s website was not accessible to the blind.

To be ADA compliant, your pharmacy website should be readable aloud to the user clearly by a screen reader. All videos on your website should have text transcripts. All images should have their “alt” attribute filled in. The website’s sections should be clearly organized and delineated from one another, and the entire site should be easy to navigate.
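Two of the requirements above (alt attributes on images, transcripts on videos) can be checked mechanically. The added script below (not ConfigRX's code) scans a page's HTML for them, treating a captions or subtitles `<track>` as the machine-checkable stand-in for a transcript; the sample HTML is constructed.

```python
# Added example (not ConfigRX's code): scan a page's HTML for the ADA basics the
# article lists, i.e. every <img> carries an alt attribute and every <video> has
# a captions/subtitles track. The sample HTML below is constructed.
from html.parser import HTMLParser


class AccessibilityAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self.current_video = None   # src of the <video> being scanned, if any
        self.video_has_track = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            # alt="" is valid for purely decorative images; only a missing
            # attribute leaves a screen reader with nothing to announce.
            if a.get("alt") is None:
                self.findings.append("img %s has no alt attribute" % a.get("src", "?"))
        elif tag == "video":
            self.current_video = a.get("src") or "?"
            self.video_has_track = False
        elif tag == "track" and self.current_video is not None:
            # HTML defaults kind to "subtitles" when the attribute is absent
            if a.get("kind", "subtitles") in ("captions", "subtitles", "descriptions"):
                self.video_has_track = True

    def handle_endtag(self, tag):
        if tag == "video" and self.current_video is not None:
            if not self.video_has_track:
                self.findings.append("video %s has no captions track" % self.current_video)
            self.current_video = None


def audit_html(html):
    """Return a list of findings for one HTML document (empty list means clean)."""
    parser = AccessibilityAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


SAMPLE = """<html><body>
<img src="logo.png" alt="Acme Pharmacy logo">
<img src="hours.png">
<video src="welcome.mp4" controls></video>
<video src="refill.mp4"><track kind="captions" src="refill.vtt"></video>
</body></html>"""
```

`audit_html(SAMPLE)` reports the image without alt text and the video without captions; feed it the HTML of your own pages to get the same list.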



By having HIPAA and ADA compliance on your pharmacy website you can rest assured that you are providing a safe and compliant virtual extension of your pharmacy. Now more than ever, cyber security is a growing concern. With security breaches happening every day, your pharmacy website must be secure and provide a safe place to enter PHI. As an independent owner looking to open a pharmacy with a website, building a HIPAA compliant website is the most important thing to focus on.

Healthcare organizations have a responsibility to protect patient data (protected health information, PHI) and medical records, their data center and the organization itself. That’s why it is so important that they hire someone who understands all of the required security measures and risk assessments, including HIPAA Privacy Rule violations, when using hosting services like Google Cloud, which provides cloud storage for medical records.

ConfigRX specializes in pharmacy and healthcare websites. We manage our clients’ websites after design completion to ensure a safe environment for the pharmacy’s patients. If you are interested in our pharmacy web design service, check out our HIPAA compliant website design page. We invite you to check out our “Start A Pharmacy” package, which includes our pharmacy design service. Our clients also receive discounts from various pharmacy design companies. If you have additional questions about pharmacy design or your pharmacy’s layout, contact us. Our pharmacy consultant will take care of all your requirements.


Frequently Asked Questions 


  1. Does a website need to be a HIPAA compliant website?

    A HIPAA compliant website is necessary if the site is designed to collect, display, store, process or transmit PHI. If your site is merely a showcase for your business that lists contact details and the types of services you offer, then there aren’t any HIPAA requirements or HIPAA guidelines for your site.

  2. What is the HIPAA Privacy Rule?

    The HIPAA Privacy Rule defines guidelines regarding the disclosure and use of PHI. The Privacy Rule is only applicable to organizations that are covered entities, such as physicians.

  3. What happens if I violate HIPAA regulations?

    If you violate HIPAA Rules, several outcomes could occur: the offence may be addressed internally by your employer and you may be dismissed, you may be subject to penalties from professional licensing boards, or you could be charged with a criminal offense that could result in fines and even imprisonment.

  4. How are HIPAA website breaches identified and discovered?

    Breaches of HIPAA can be identified in several ways. A covered entity or business associate may spot them in a risk analysis, the HHS Office for Civil Rights may identify them in a HIPAA audit, or patients whose information has been released without authorization may report them. Third parties who search the Internet for potentially vulnerable applications and storage volumes are also able to find HIPAA violations.