
Maintaining HIPAA Compliance


If you are a "Covered Entity" as defined in HIPAA, and your use of QiSites causes us to be considered a "Business Associate," then you agree to the HIPAA BAA.

Contact Forms

Contact forms are the only data collection mechanism provided by QiSites. Messages submitted through a contact form may sometimes contain Protected Health Information (PHI) as defined in the HIPAA rules. QiSites provides a Business Associate Agreement and uses end-to-end encryption to ensure the safe transport of sensitive data. It is also essential that you receive and store messages in compliance with HIPAA by using a HIPAA-compliant email service provider (we recommend Google Workspace).

As part of your HIPAA risk mitigation strategy, you should consider ways to limit the amount and type of PHI disclosed through online forms. For example, avoid requesting unnecessary information and provide alternate contact methods such as a phone number. If you wish to collect electronic health records, always use a dedicated EHR/EMR system that is designed for that purpose.

Third-Party Code

QiSites makes it possible to embed third-party code into your website. Some users choose to use this functionality to embed third-party "widgets", such as an online appointment booking widget. Any data collected through a third-party widget is managed by the third-party provider. Third-party widgets do not submit data through your website or our servers, and are not covered under the QiSites BAA. Keep in mind that many third-party services are not intended for use by healthcare professionals in conjunction with PHI. You are responsible for any third-party code you host on your website.

File Uploads

All files that you upload to your website are publicly accessible. Uploaded files can be discovered and downloaded even if you don't provide a link on your website. Never upload any image or other file that contains sensitive information.
