- May 19, 2020
- by Alex O'Byrne
- 4 minute read
HIPAA is an act in the United States that compels healthcare providers to safeguard patient data. If you sell certain products online, you may need to meet these standards. Here we'll explain how you can be HIPAA-compliant on Shopify.
What is HIPAA?
The purpose of the Health Insurance Portability and Accountability Act (HIPAA), introduced in 1996, is to protect healthcare coverage in the USA. However, part of the legislation compels US healthcare providers to become more efficient by digitizing patient data.
Alongside those provisions come requirements for how patient data, known as Protected Health Information (PHI), must be securely stored, transmitted and used.
What counts as Protected Health Information (PHI)?
The HIPAA journal publishes clear advice on this:
"diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact information."
There is an exhaustive list in the link above.
Do I need to be HIPAA-compliant?
We can't tell you this - only a lawyer can. The most common example we've seen of e-commerce brands that need to be HIPAA compliant is prescription eyewear.
Is HIPAA linked to PCI, CCPA or GDPR?
No. They are separate regimes, and meeting one does not satisfy another. PCI DSS is a payment-industry standard that applies when you process card payments online; CCPA (California) and GDPR (EU) are consumer privacy laws. A store selling prescription products to US customers may need to meet HIPAA and PCI DSS at the same time, and GDPR or CCPA as well depending on where its customers are.
How do you make a HIPAA compliant website on Shopify?
If you need to store PHI, you can't store it on Shopify. But there is a way to design around this so you can still use Shopify as your e-commerce platform of choice. Here's how.
Shopify does not offer HIPAA-compliant hosting and will not sign a Business Associate Agreement, so you'll need to ensure that customer medical data is stored elsewhere. We recommend a cloud instance on Microsoft Azure. Make sure that you provision HIPAA-compliant instances; more on this below.
All PHI is stored on a HIPAA-compliant server in a private web service that conforms to the guidelines and processes for secure authentication and encryption. Under the HIPAA Security Rule, encryption of electronic PHI, both in transit and at rest, is an "addressable" specification: you must either implement it or document why an equivalent alternative is reasonable. In practice, treat both as mandatory: TLS for the form submission and for the service's API, and disk or database encryption on the Azure instance.
In our HIPAA-compliant Shopify architecture, the customer interacts with the front end of the Shopify store. When they fill out the form containing their PHI, that form submits directly to the secure private web service on Azure, so no PHI ever enters Shopify. As an added bonus, no identifying customer information (name, email, address) is transmitted to or stored with the PHI; the medical record is held on its own.
Shopify stores the customer's personal and payment information according to PCI DSS Level 1, a different but equally rigorous set of data-protection standards set by the payment industry.
Who offers HIPAA-compliant hosting?
Firstly, you need a signed "Business Associate Agreement" (BAA) between your company and Microsoft. This stipulates a series of vendor responsibilities regarding security and privacy, and Microsoft offers one that covers a defined list of in-scope Azure services; check that every service you use for PHI is on that list.
Amazon AWS also offers BAAs and HIPAA-eligible services.
A signed Business Associate Agreement is just the first requirement for HIPAA-compliant hosting, though. You still have to configure the server securely (patching, least-privilege access, MFA on administrative accounts, network restrictions) and ensure that the relevant audit logging is active and retained.
Is Microsoft Azure HIPAA-compliant?
Yes, you can use Microsoft Azure for HIPAA PHI, provided you have a signed "Business Associate Agreement" (BAA) between your company and Microsoft and you keep PHI within the services that BAA covers.
A note about other suppliers...
Such as your Shopify agency.
If your development agency or systems integrator needs to see the medical data too, they will need to become a "business associate", a term HIPAA defines to include a subcontractor that "creates, receives, maintains, or transmits protected health information on behalf of another business associate."
The HIPAA Rules require covered entities to enter into contracts (BAAs) with their business associates to ensure they protect health information to the standards set out by HIPAA.
This can be onerous for all parties involved. The safest and easiest way for everyone is for the agency not to see the patient data or have access to the production credentials.
For debugging and development, the agency should only ever work with synthetic test data, never a copy of production.
A Shopify-HIPAA example in the wild
Check out the example we built recently for our client Revant Optics. Their slick new Shopify Plus website is conversion-boosting but also follows all the rules when it comes to HIPAA, PCI and everything else.