Drupal and HIPAA: Everything You Need to Know

What Is HIPAA?

Your medical information is highly personal. To protect its confidentiality, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, setting national standards for the exchange and security of protected health information (PHI).

In 2000, Congress took this a step further and added the Privacy Rule, which further protected patients by requiring certain safeguards of personal health information and setting conditions on how information can be used without patient authorization—for example, doctors can only share a patient’s medical records with written (signed) permission from the patient, even when sharing with other medical professionals.

The Privacy Rule gives patients even more control over their health information, such as granting them rights to obtain a copy of their medical records and request corrections. Overall, the aim is to reduce the red tape previously preventing patients from accessing their own data and having authority over how it is used.

For healthcare and other medical providers, the challenge with these new regulations is ensuring that their websites are compliant with them, and adequately protect patients in accordance with these rules. A Drupal site is one of the most secure options for organizations dealing with highly secure data.

Understanding PHI

PHI refers to individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations. This includes:

  • Personal identification, such as an individual’s name, address, phone number, email address, social security number, medical record and account numbers, emergency contacts, and health insurance beneficiary information
  • Health diagnoses, treatment information, medical test results, and prescriptions
  • Demographic information, such as birth dates, gender, and ethnicity

PHI only relates to patient or health plan information, and does not pertain to information contained in educational and employment records. In addition, health information that has been de-identified—which requires that providers remove all of the identifiers—can be used or disclosed.

Make Your Website HIPAA Compliant

Under HIPAA, healthcare providers as well as vendors that have access to PHI are mandated to comply with HIPAA. It’s easy to understand that medical professionals must be HIPAA compliant—after all, they’re handling private patient data that should remain only between them, their patients, and any other authorized medical personnel—but vendors that provide products or services to medical professionals may be affected by HIPAA rules as well.

To adhere to HIPAA rules, your website must have certain security features. First, acquire and implement a Secure Sockets Layer (SSL) certificate for your website, which creates a secure link between your website and a visitor's browser and ensures that data passed between the two is private.

Then, use encrypted web forms, email, or any other digital messaging. HIPAA compliant web forms, for example, securely capture and transmit PHI without fear of a data breach. Be sure to also use HIPAA-compliant storage, backup, restoring, and deletion processes. Data must be kept private through the course of its use as well as deletion.

Finally, restrict access to PHI to authorized individuals only on your team as well as your business associates. Choose a HIPAA-compliant web hosting company and vet third-party vendors and service providers by making sure they adhere to HIPAA rules and by signing a contract that states they will remain compliant through your business association.

Drupal Is the Best Choice For HIPAA Compliance

Drupal is considered to be one of the most secure content management system (CMS) available. Its encryption system is HIPAA-compliant to protect sensitive patient data.

Drupal has thousands of modules and themes, which provide companies with the capability to customize the user experience and deliver personalized data to patients and physicians online to improve patient engagement and satisfaction. Integrating Drupal with an electronic health record (EHR) system, for example, helps providers share information with patients through a secure portal.

Drupal also has modules that can translate websites into more than 94 languages, which helps provide a better scope of communication with patients. And Drupal’s mobile-first design allows medical professionals the opportunity to use tablets when collecting medical information and accessing records. This impacts workflows and further customizes the user experience to deepen patient engagement and improve provider satisfaction.

According to HIPAA Journal, healthcare data breaches are reported at a rate of more than 1.5 per day. Since Drupal is known for its secure platform, it is often chosen by healthcare industry organizations.

Drupal Hosting and Support Providers Can Ensure HIPAA Compliance

Drupal hosting makes a website accessible by storing your website data on its server and allowing a visitor’s computer to connect to your site. A HIPAA-compliant Drupal hosting provider will ensure that your data is secure by using encrypted storage, transfer and disposal. A Drupal hosting provider will also help you control access to PHI by offering unique user IDs and passwords.

In addition, Drupal support is a service that companies can use to outsource the maintenance and management of their Drupal websites. A Drupal support and Drupal hosting provider will provide routine software audits and updates as well as secure data backups to confirm that any ongoing updates and changes maintain your site’s compliance with HIPAA.

Drupal Healthcare Success Stories

Several large healthcare institutions have chosen Drupal when creating their websites. For example, Memorial Sloan Kettering selected Drupal for its configuration management capabilities, front-end integrations, and object-oriented programming. Drupal helped the cancer center create a flexible platform that would offer an innovative, user-friendly and HIPAA compliant platform for patients and healthcare professionals to discuss lab results, make appointments and carry out other functions.

Johnson & Johnson’s CaringCrowd® crowdfunding platform is also built with Drupal. CaringCrowd collects money that is used to work with nonprofits that manage the health of those living in underprivileged and neglected communities. Funded projects include burn centers, nutrition for HIV+ children, and pediatric heart surgery. CaringCrowd chose Drupal because its out-of-the-box features that could be easily scaled and customized.

And Kingston General Hospital in Ontario, Canada, chose Drupal when it was ready to bring its patient-centric experience to its website. Drupal’s easily customizable and scalable platform has the ability to securely integrate with third-party systems and data feeds.


Is my website affected by HIPAA rules?

To determine if the rule applies to you, ask yourself: Does my website or server collect, store or transmit PHI? If the answer is “yes,” your website needs to comply with HIPAA regulations.

How do I know if my website is compliant?

To be HIPAA compliant, you need to have taken the required steps to secure the collection, transmission, and storage of PHI, control who can access it, and partner with HIPAA-compliant vendors. A Drupal hosting and support partner can help you evaluate your website and ensure compliance.

What steps do I need to continue to take to ensure HIPAA compliance?

Being HIPAA compliant requires continual use of PHI protection as well as continuous reviews of policies, procedures, and devices as well as the addition of new vendor relationships. In addition, businesses must identify a security officer, who is in charge of its HIPAA compliance program.

Do I need a Drupal hosting and support provider to be compliant?

To host your website you will need a Drupal hosting provider who is HIPAA compliant. While it is possible to have your own server, it is expensive, requires a powerful computer, processor, and operating system, and is difficult to set up.

While it’s possible for you to do your own website maintenance and management, hiring a support service can provide peace of mind. For example, a Drupal support provider will conduct regular audits as well as perform preventative maintenance that can keep your site secure and operational.

What happens if my website isn’t HIPAA compliant?

If your business is required to be HIPAA compliant and you don’t take the required measures to secure PHI, you run the risk of receiving a HIPAA penalty, which range from civil to criminal, depending on the violation. Fines range from $100 to $50,000 per violation.

Where can I find more information about HIPAA?

For more information, visit https://www.hhs.gov/hipaa/index.html.