Healthcare Information Portability and Accountability Act (HIPAA) sets standards for the protection of sensitive patient data, which any company dealing with protected health information (PHI) must comply with. For ecommerce businesses operating in the healthcare sector, ensuring HIPAA compliance can be quite complex.
Although Shopify itself isn’t a HIPAA compliant platform out-of-the-box, it is possible to create a HIPAA-compliant ecommerce solution using Shopify by implementing additional security measures and ensuring the proper handling of PHI. This article will provide a comprehensive guide on how you can achieve that.
Understand Your Obligations
The first step is to fully understand your obligations under HIPAA. If your ecommerce store handles PHI, such as processing orders for prescription medications, medical devices, or other regulated health products, you need to comply with HIPAA regulations. Make sure you have a clear understanding of HIPAA rules, especially the Privacy Rule, the Security Rule, and the Breach Notification Rule.
Separate your PHI (Personal Health Information) from the Shopify Ecosystem
You need to audit and evaluate what data is being store in a typical Shopify order. You then need to de-identify the data in a way that decouples all potential PHI/ePHI from the order itself.
Some examples of this may include:
- The ability to sell prescription products in Shopify using a private app that handles the submission of prescription information to an off-Shopify or 3rd-party system.
- The ability to submit prescription data to a pharmacy management system via an API.
- The ability to sell lab testing kits where you have a kit registration process to handle the collection, submission and presentation of lab results.
- The ability to conduct B2B eCommerce for clinics and practitioners where patient data is irrelevant. (e.g. A clinic may be making wholesale orders or pharmaceuticals).
Partner with a HIPAA-Compliant Hosting Provider
Shopify hosts your store data, but it doesn’t offer HIPAA-compliant hosting. If you’re dealing with PHI, it’s crucial to partner with a HIPAA-compliant hosting provider. They’ll ensure that the servers storing your data are physically secure and that access is strictly controlled and logged.
Ensure End-to-End Data Encryption
HIPAA requires that PHI be encrypted during transmission and storage. Ensure that your ecommerce site uses SSL encryption (HTTPS) for all data transmissions. Shopify provides SSL certificates for all hosted stores, which is a significant advantage.
For data storage, you might need to integrate third-party applications that provide HIPAA-compliant encryption for stored data. Discuss with your hosting provider to ensure that encryption at rest is being used.
Use HIPAA-Compliant Apps
There’s a variety of Shopify apps available for different functions like email marketing, customer service, analytics, etc. When choosing apps for your store, it’s crucial to select those that are HIPAA compliant. Non-compliant apps could lead to accidental breaches if they aren’t designed to properly handle PHI.
Before using an app, check whether the vendor signs Business Associate Agreements (BAAs), which is a requirement under HIPAA for third-party services handling PHI. Make sure you have a signed BAA with every third-party service provider you use.
Implement Access Controls
Ensure that only authorized individuals have access to PHI. This includes creating unique user IDs, implementing an automatic logoff, and establishing procedures to govern the release or disclosure of PHI.
In Shopify, you can manage staff accounts, controlling the level of access each staff member has. Ensure that only necessary individuals have access to sensitive information.
Regularly Conduct Risk Assessments
HIPAA requires regular risk assessments to identify and rectify potential vulnerabilities in your security systems. This includes analyzing processes, systems, and applications involved in storing, processing, or transmitting PHI.
You should establish a process for performing regular security audits and addressing the issues found. This may require partnering with a cybersecurity firm or consulting with a HIPAA compliance expert.
Develop a Breach Response Plan
Despite best efforts, breaches can occur. You need to have a robust breach response plan in place, detailing the steps your organization will take in the event of a breach. This includes identifying and containing the breach, assessing the risks, notifying the affected parties and the Department of Health and Human Services (HHS), and implementing measures to prevent future breaches.
In conclusion, while creating a HIPAA-compliant ecommerce solution with Shopify can be complex due to Shopify’s own limitations in HIPAA compliance, it’s certainly possible with careful planning, the right third-party integrations, and a clear understanding of your obligations
