QiSites Acupuncture Websites

Maintaining HIPAA Compliance

Contact Forms

Messages that your visitors send through your website contact form may occasionally contain Protected Health Information (PHI) as defined in the HIPAA rules. QiSites provides a Business Associate Agreement and uses end-to-end encryption to ensure the safe transport of sensitive data, however it is your responsibility as a Covered Entity to ensure that you receive and store messages in compliance with the HIPAA Rules by using a HIPAA compliant email service provider. We recommend using Google Workspace for that purpose (Learn More).

In addition, as part of your risk mitigation strategy take steps to reasonably limit the amount and type of PHI disclosed through your contact form, e.g. avoid requesting unnecessary information and advise clients to discuss sensitive issues by phone. In addition, consider using alternative secure electronic methods for confidential communications, such as a dedicated electronic health records (EHR/EMR) system.

Third-Party Code

QiSites makes it possible to embed third-party code into your website, and users may choose to do so to enable useful features such as online appointment booking. However it is important to understand that embedded code may compromise the security of your website or the privacy of your visitors. You are fully responsible for any third-party code that is added to your website, so it is critical to read and understand the terms and conditions of any third party service you intend to use. Many third party services are not intended for use by healthcare professionals and do not offer HIPAA compliance. Additionally, most services that do offer HIPAA compliance require you to explicitly request and sign a Business Associate Agreement before using the service in conjunction with PHI.

File Uploads

All files that you upload to your website are publicly accessible. Never upload any image or document that contains sensitive information.