Creating HIPAA-Compliant Web Solutions
Caleb Parsons 00:02
Welcome to the Parker Web Partner Show, where we find creative solutions for creative agencies.
Darryl Parker 00:10
Hi, I'm Darryl Parker and welcome to another Parker Web Partner Show. Today, we're talking with Jim Gorham from HIPAAtizer. Jim, welcome to the show.
Jim Gorham 00:19
Darryl, thank you very much for having me on.
Darryl Parker 00:22
Yeah, absolutely. Why don't you tell us a little bit about yourself and your company?
Jim Gorham 00:26
Well, I'm a pharmacist by training, and then transitioned into the business world a number of years ago. With HIPAAtizer, the software company I was working with, we were looking to develop an easy to use, easy to install, easy to understand HIPAA-compliant solution for web developers, for agencies, and for other people wanting to HIPAAtize a website for their healthcare clients.
Darryl Parker 00:54
I think that brings up a really good question, and it's something that I've run into. I've been a web developer for 25 years, and occasionally I have a client who comes to me and says: "I need the website to be HIPAA-compliant." What does that mean in your world? What does that mean?
Jim Gorham 01:12
Well, in our world, what it means is, how does HIPAA impact the website? And if we actually decompose HIPAA, and look at the aspects of HIPAA, and where the impact is on a website, everything goes back to PHI: Protected Health Information. How does your website collect, manage, transmit—not obviously on the website store—but how does it process all the protected health information that it might come in contact with? Just because you're a doctor doesn't necessarily mean your website has to be HIPAA-compliant. But if you are collecting, transmitting protected health information, then you really have to be HIPAA-compliant.
Darryl Parker 01:56
So I've seen sometimes that offices—clients of mine that have been medical—have said: "We need you to sign this HIPAA compliance statement," or that you're providing HIPAA-compliant services statement. Have you seen things like that, where we have to certify it?
Jim Gorham 02:12
Well, you don't necessarily have to certify it unless you're really doing something with PHI. If you're touching PHI, if there's PHI in the process, if the website is collecting PHI, then there has to be an understanding of the the roles and responsibility of both sides.
Darryl Parker 02:30
That would also be the storage of PHI, too, right? If you're collecting data and you're storing that data, that presents that HIPAA compliance liability, right?
Jim Gorham 02:41
Exactly. If you're holding in specific databases medical information and personal information so you can identify who a person is, and you can identify with and link them to medical conditions or medical information, then yeah, that becomes a HIPAA issue. And anybody who's holding that information on behalf of a covered entity, on behalf of a health care provider, they have to, according to HIPAA, sign a business associate agreement saying that they're in full compliance with HIPAA in their operations.
Darryl Parker 03:16
So if a marketing agency—and we're gonna jump to what your product does specifically in a minute—but if a marketing agency or a web developer is asked to sign one of those, but they aren't actually holding any information, but the client is insisting that they sign one, the reality is that if they're using a third party service and they don't actually store PHI, is there anything that they have a liability for?
Jim Gorham 03:43
The liability is always with the doctor, is always with the covered entity. And we, as a business associate, we sign a business associate agreement to make sure that the doctor is comfortable allowing us access to process and work with his PHI. The direct risk on on a business associate, especially if there's no PHI involved, there's no risk. The only risk is reputational or having to take the time to explain to your client what the problem is and why you don't have to do it, and try to go through the whole nitty gritty when they might just have a blanket policy. Everybody who works with us has a BAA.
Darryl Parker 04:25
Yeah, right. I think that's been what I've run into in the past is, "Well, if you work with us, you've got to sign this."
Jim Gorham 04:31
Yeah, and that's the tricky thing for a lot of providers. And that's, I guess, one of the reasons when we started investigating this, it seems that there is a HIPAA industrial complex out there that's existing only to make it more complex and confusing to people who aren't HIPAA specialists. And once we delved into the product we figured out, "Okay, this is how you become HIPAA-compliant. This is how you maintain HIPAA compliance." It's not that scary; it's not that difficult but there are a number of formal things that you have to go through in terms of different audits and stuff like that. But at the end of the day, if you're not touching the PHI, if you're not holding the PHI, if you're not transmitting the PHI, you're not doing anything with the PHI, there's no risk to you and there shouldn't be a risk to your covered entity partners.
Darryl Parker 05:21
Okay, so I'm a marketing agency, or I'm a web development company and I've got a doctor who's a client, and now they've asked me to put intake forms on their website, and the doctor wants that completed on the website with the results sent to his staff. So, I'm assuming this is where your tool comes in.
Jim Gorham 05:46
Exactly. The way HIPAAtizer works and other products work where there's a specific plug-in or a link to a form on a website, only that little component within the website has to be HIPAA-compliant. The rest of the website doesn't have to be HIPAA-compliant; you don't have to go for the expensive hosting on some server for hundreds of dollars a month for extra HIPAA compliance or thousands of dollars a month for extra HIPAA compliance certification for the overall server. All you need is the plug-in or the individual forms that you're putting on your website to be HIPAA-compliant. So you—and as the service providers, the person developing the website—that particular plug-in or the iframe or the code that's put onto the website, that's our code. We're responsible for that code or another provider who has HIPAA-compliant forms. And then it just pushes the data directly to a dashboard that's only accessible to the healthcare professional's staff, or himself or herself.
Darryl Parker 06:55
Okay, yeah, so that's a good point. So at the end of the day, as the provider, us as the service provider, we're never seeing that data.
Jim Gorham 07:04
Exactly, and there's different ways to to give you access if you want access to maybe tweak some of the forms. We can through HIPAAtizer, you can make changes to the form, to the underlying fields on the form, but you never see the data. And it's something that's important; it provides an extra level of protection to a web designer and at the same time, this is fully HIPAA-compliant so the covered entity for the healthcare provider, they are also secure knowing that the developer can't have a look and see what's going on.
Darryl Parker 07:39
So, what kind of—from a user experience perspective, so let's say I'm the patient of the doctor—what kind of reassurance do I get when I'm completing this online form, this online early admission form or admission form? What kind of assurance am I getting that this is a HIPAA-compliant form?
Jim Gorham 07:56
Well, you're in a way beholden to the information and HIPAA practices of the individual doctors. Now most doctors, most medical professionals, they have good HIPAA notifications, they have exactly how they're processing the data and stuff like that. And a lot of that is disclosed right on the website. All of our forms have the ability to include a little watermark at the bottom: "This form is HIPAA-compliant." So, when you're filling out a HIPAAtizer form, if the doctor hasn't disabled that feature, all the forms will say at the bottom: "These are HIPAA-compliant." And, once again, to have a HIPAA certification and also for our doctor partners, it's very important that all the audits, all the data processing and everything like that is verified by third parties. So there's a certain level of security that goes into working with a company that works primarily or exclusively in a HIPAA-compliant field.
Darryl Parker 08:56
Now, does your service include the conversion of forms into the web-based form? Or is that something that the service provider might have a billing opportunity to do?
Jim Gorham 09:07
Well, that's up to the service provider. If the agency wants to do that and wants to add value to the doctor, no problem, they can do it. We have a drag-and-drop form builder where they can easily convert the existing form into a webform. Also, we do it for free, because at the end of the day, it can be labor-intensive. And we do, literally, I don't know, 10 to 15 forms a day, so we've got a team that can process these much more efficiently than a marketing agency could.
Darryl Parker 09:42
So that's a value to the service provider and the client, right? Because you can say" We have a company that will process this form at no extra cost," as long as you sign up for their service, right?
Jim Gorham 09:56
Exactly. One of the interesting things when when we started, we had all these templates and everything like that, and then as we started talking to more doctors, they go: "No, no, no, no. We don't want your template; we want our forms. We're used to looking at fields, A, B, C, D. This is what I'm looking for..." because for a doctor, it's speed, right? They're looking at the form; they're talking to the patient. So, what we really specialized in is converting for free the existing forms that a doctor uses, put them online so their response, if it's not a fillable PDF online, it's an actual web form, but then maps into a PDF, so that the doctor can receive the the information exactly as he's used to receiving it for the last 5, 10, 20 years.
Darryl Parker 10:40
And you are able to handle that mapping into the PDF.
Jim Gorham 10:43
Yeah. That's once again, one of our value added is, because we've got the team that does it all the time, we were extremely efficient. And we're developing a tool right now to actually automate that. So it's an ongoing process, we're looking at a way to make it make it faster, because it's something that—people want their forms at the end of the day. They want to process and digest the information the way they're used to digesting it for the last number of years.
Darryl Parker 11:12
Right. It's their process, and they're trying to find things that don't disrupt their process, right?
Jim Gorham 11:17
Yeah. Getting anybody to switch to anything is so difficult, right? So that's why we've really put a big focus on that.
Darryl Parker 11:26
Yeah, I think that service layer is a really big differentiator, because if you look at some of the other HIPAA-compliant form hosting services out there, it's all done by the service provider who goes to someone like a Jotform, right? We've used Jotform in the past, and they have a HIPAA-compliant section where you can make a form with a click of a button; you can make it HIPAA-compliant. But at the end of the day, you have to build that farm, and then you have to do the mapping, and you have to make sure that that data has been delivered to a secure place. And can you really guarantee where that data is being delivered? Because I think it usually shows up in like a Google sheet, or you can have it go to a dashboard. And then your client will still have to get an account in order to go in and view that information securely. And it sounds like you guys have, just by focusing in just on this particular pain point, you've really developed something that's going to be of use.
Jim Gorham 12:26
Yeah, exactly. We're developers, and we were looking for this solution. And that's how we came up with the idea. The other solutions, everything is too complicated; it's too expensive, just for a simple form, right? So, we've kind of stripped out a lot of the unnecessary features that some of the big form companies might have, and we've really just focused on: "Okay, how do we how do we convert as quickly as possible in good intake forms? How do we provide good consent forms quickly and easily? How do we make the processes as painless as possible for the agencies?"
Darryl Parker 13:01
Well, thank you very much, Jim. We're going to put a link to your website in the show notes that will run at the bottom of our podcast and at the bottom of the YouTube channel. We appreciate you coming out today.
Jim Gorham 13:14
Darryl, thank you very much. It's so nice to meet you and always a pleasure speaking with other web professionals and people in the industry.
Darryl Parker 13:21
Absolutely. Great to meet you, too, as well, Jim.
Caleb Parsons 13:26
You've been listening to the Parker Web Partner Show. If you need help in this ever-changing digital world, reach out to us at 877-321-2251 or visit our website at parkerweb.com.