Maintaining HIPAA Compliance
HIPAA compliance is required for anyone who is a "Covered Entity" as set forth in the U.S. Health Insurance Portability and Accountability Act of 1996.
Contact Forms
Messages that your visitors send through your website contact form may occasionally contain Protected Health Information (PHI) as defined in the HIPAA Rules. QiSites provides a Business Associate Agreement and uses end-to-end encryption to ensure the safe transport of sensitive data; however, it is your responsibility as a Covered Entity to ensure that you receive and store messages in compliance with the HIPAA Rules by using a HIPAA-compliant email service provider. We recommend Google Workspace for that purpose.
In addition, as part of your risk mitigation strategy, take steps to reasonably limit the amount and type of PHI disclosed through your contact form: for example, avoid requesting unnecessary information and advise clients to discuss sensitive issues by phone. Also consider using alternative secure electronic methods for confidential communications, such as a dedicated electronic health records (EHR/EMR) system.
Third-Party Code
QiSites makes it possible to embed third-party code into your website, and users may choose to do so to enable useful features such as online appointment booking. However, it is important to understand that embedded code may compromise the security of your website or the privacy of your visitors. You are fully responsible for any third-party code added to your website, so it is critical to read and understand the terms and conditions of any third-party service you intend to use. Many third-party services are not intended for use by healthcare professionals and do not offer HIPAA compliance. Additionally, most services that do offer HIPAA compliance require you to explicitly request and sign a Business Associate Agreement before using the service in conjunction with PHI.
File Uploads
All files that you upload to your website are publicly accessible. Never upload any image or document that contains sensitive information.