Web site question: HIPAA compliance


I have an Eye Doctor who wants patients to be able to make appointments
via his web site.  The majority of his patients are on Medicare (this is

The form is behind a secure certificate, however my question has to do
with getting the appointment information to the doctor and his staff.

Is an Eye Doctor required to meet HIPAA compliance?  The only personal
information collected is the patients name and contact info.  No medical
history is collected or kept by the web site.

Can the appointment time and patient contact info be sent to the doctor
by unsecured email?  Or should they be required to log into their secure
site in order to retrieve that information?

I've been to several HIPAA web sites, but I can't get a clear
understanding of what information is required to be secured.

Re: Web site question: HIPAA compliance


I don't know whether compliance is *mandated* or not, but whenever you're
talking about this sort of transaction, where a user might expect to give
sensitive information (even if ultimately he does not), providing a
totally passworded and secure connection is important. I advise the doctor
to go all out in making this a secure communication.

Re: Web site question: HIPAA compliance


Yes, an eye doctor is required to meet HIPAA, AFAIK.


IMO, you should require the doctor/his staff to log in to their secure site
to download the information.
Perhaps you can send them an e-mail saying "New appointment request for B.
Jones has arrived"?


Re: Web site question: HIPAA compliance


As far as I understand it (which may not be very far), just letting
someone find out that a certain person is a patient of Dr. Foobar
(without the patient's permission) may itself be a violation of HIPAA.


That's all right. Nobody understands it.


Nick Theodorakis
nicholas_theodorakis [at] urmc [dot] rochester [dot] edu

Re: Web site question: HIPAA compliance

"Nick Theodorakis" wrote in message

Yes, it is.  Unless you have a disclaimer statement saying that use of the
website constitutes an agreement to disclose this info.  Or you have an
area of the website where the person makes a choice to disclose their
information to the public.
Take Care,  Sharon Lane

Re: Web site question: HIPAA compliance

Thanks to everyone who responded.

The doctor is in the process of upgrading software and procedures in the
office to meet HIPAA compliance and I got a chance to talk with their

Patient related data, even if it's as simple as an appointment time,
must be transmitted securely or using codes.

The new software used by the doctor supports coded emails for
appointments, so I will be able to email the information to the doctor
as such:

T012133 20040608 13:30:00

which the nurse or office assistant can cut from the email and paste
into their scheduling software.  The first item is the coded patient ID,
the second item is the date and the third item is the time.

We're discussing the possibility of using a VPN to connect directly to
the SQL database in the doctor's office to update it.
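The coded-notice scheme described in the post, worked through as an added example (this is not the doctor's scheduling software or anything posted in the thread): the mapping from patient record to opaque code lives only on the office side, the e-mail carries exactly three fields, and the parser rejects any line that carries anything else, so a name or phone number cannot slip into the message body. The HMAC-derived "T" + 6-digit code, the secret key and the patient table are all assumptions constructed for the example; the real software has its own coding scheme.

```python
"""Build and parse a coded appointment notice of the form
'T012133 20040608 13:30:00' (coded patient ID, date, time).
Added example; the key, records and coding scheme are constructed here."""
import hmac
import hashlib
import re
from datetime import datetime

# Constructed sample data. Assumption: the key and the patient table exist
# only on the secured office side and are never sent by e-mail.
SECRET_KEY = b"office-side-secret-never-emailed"
PATIENT_RECORDS = {
    "pat-4711": {"name": "B. Jones", "phone": "555-0100"},
    "pat-4712": {"name": "A. Smith", "phone": "555-0101"},
}

# Exactly three space-separated fields and nothing else.
LINE_RE = re.compile(r"^(T\d{6}) (\d{8}) (\d{2}:\d{2}:\d{2})$")


def coded_id(record_key: str) -> str:
    """Derive an opaque 'T' + 6-digit code from the internal record key.
    Assumption: an HMAC-based pseudonym; unlike a sequential number it
    cannot be enumerated or reversed without the office-side key."""
    digest = hmac.new(SECRET_KEY, record_key.encode(), hashlib.sha256).digest()
    return "T%06d" % (int.from_bytes(digest[:4], "big") % 1_000_000)


def build_notice(record_key: str, when: datetime) -> str:
    """Produce the e-mail body: coded ID, YYYYMMDD, HH:MM:SS."""
    return f"{coded_id(record_key)} {when:%Y%m%d} {when:%H:%M:%S}"


def parse_notice(line: str):
    """Strictly parse a notice. Any extra text (a name, a phone number,
    a free-text note) makes the whole line invalid rather than being
    silently pasted into the scheduler."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a valid coded appointment line")
    code, date, time = m.groups()
    # strptime also rejects impossible calendar dates such as 20040631.
    when = datetime.strptime(date + time, "%Y%m%d%H:%M:%S")
    return code, when


def resolve(code: str):
    """Office-side lookup: map a code back to the patient record key, or
    None if no record matches (e.g. a forged or mistyped code)."""
    for key in PATIENT_RECORDS:
        if coded_id(key) == code:
            return key
    return None


if __name__ == "__main__":
    notice = build_notice("pat-4711", datetime(2004, 6, 8, 13, 30))
    print("e-mail body:", notice)
    code, when = parse_notice(notice)
    print("resolves to:", resolve(code), "at", when)
```

The point of the strict regular expression is that the office side never has to trust the sender to have been careful: a line that is not exactly three coded fields is dropped, and the code itself is meaningless to anyone reading the mailbox without the office-side table and key.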
