Protect ePHI – 16 Steps to Secure Website and Mobile App for Healthcare Businesses

How to secure healthcare websites and apps

Why are secure websites important in healthcare practice?

Interactive websites, mobile apps, online surveys and online web forms have already taken over the way businesses handle communication and customer service, and healthcare businesses are no exception.
Almost all healthcare providers now have a website or mobile app, and they use it either just for branding or as an extension of their physical practice to save time for patients. Whenever a healthcare business chooses to exchange personal information through its website or app, it is obligated to protect ePHI (electronic personal health information).

There are certain provincial and federal laws that require healthcare providers to safeguard information, and I have discussed the summary of the PIPEDA privacy laws in this post about patient engagement technology and how to make secure pharmacy websites and apps.

This article is intended for all healthcare providers in Canada dealing with ePHI, such as pharmacies, doctors, dentists, physiotherapists, psychologists, counselors and so on. Some more examples are naturopaths, midwives and clinical hypnotherapists. The list can go on and applies to any healthcare provider who collects or exchanges personal information online, even through something as simple as an appointment reminder form, patient intake form or consultation questionnaire.

Ultimately the reason to go online and digitize operations is to save time for patients and enhance their overall experience in managing health and medications.

For this very reason we should not be worried about the time and cost it takes to build healthcare security around ePHI. It is a process, not an end goal. It takes time and many attempts to learn which option safeguards information best while avoiding expensive web development costs.

Let us jump right into this: we have compiled a simple checklist of security features and policies that should be in place if you have a healthcare website or mobile app, or deal with ePHI through email conversations.

It doesn’t matter if you are doing it yourself or have hired a web development team – what’s important is that all the points discussed below are at least covered when deciding on the infrastructure of online interactions in healthcare.

16 things to get right on healthcare websites and mobile apps

  • Audit: Conduct regular audits yourself, at whatever interval you feel is necessary, to verify that security is up to date. Hire third-party auditors to review your strategy and audit the existing ePHI protection policies in place.
  • Sustain Security: Keep your pharmacy business (for example) ahead of everyone else through continuous training in privacy protection and handling of personal information. If required, take online courses to learn more about what it takes to be compliant and sustain it.
  • Privacy Officer: Designate a specific person from the business as in charge of the process of handling electronic personal health information (ePHI). Further, assign authorized users unique identifiers for logging in to the software program or website, which makes it easy to maintain an accountability log. Clearly identify in your business how many users are authorized to access the website from the back end. Always have password-protected access to anything beyond primary or secondary level access. Most businesses already follow this, but it’s worth mentioning again.
  • Secure Access to website and app: Protect against unauthorized access by having security controls and passwords in place. Review the purpose and policies of electronic personal health information handling with all employees authorized to access it in the workplace. By setting clear expectations and providing training it becomes easy to sustain privacy compliance.
  • Encryption: Database-level encryption makes it much harder to break into your website. Encryption at the application level is often sufficient on its own, but when combined with database-level encryption it increases the security of the website. For those who want to know what a database is: it is the back end of your pharmacy website, which contains all the information that is returned as search/action results when someone interacts with your application. (This applies not just to pharmacy websites but to any healthcare website or mobile app.)
  • Web hosting: The server’s compliance with encryption requirements is just as important as the application-level encryption done to secure the website. There are many Canadian web hosting companies providing services that match the level of security required by Canadian privacy laws. The most cost-effective option for web server hosting in our opinion is AWS (Amazon Web Services), and they are compliant with the privacy laws of the state.

It can be quite time consuming and confusing to select web hosting features. Ask our technology person what factors to consider before buying server space.

  • How to treat ePHI: Personal information means any piece of information deemed sufficient to identify someone. It can be anything that could be linked to other information to identify an individual. By law, once the information comes into the hands of healthcare providers they need to protect it, because it is now their responsibility.
  • How much ePHI is enough: Only collect the personal information that is sufficient to provide the service. For example, if a pharmacy is offering an online prescription upload service, it does not need to collect other information like a Social Insurance Number (SIN). It only needs enough details about the person to provide the requested service.
  • Secure with auto log off: Always have an auto log-off feature that logs out a user after 15 minutes of inactivity. This simple feature can go a long way if a person’s electronic device falls into the wrong hands. A good example of this is the Immigration Canada website.
  • Marketing and Web development partner: Whenever dealing with personal information, please review any content handed over to the web developer/designer to post on the website or app to make sure it doesn’t contain personal information such as full names, addresses, name and age, date of birth, health conditions, medical history, medication information etc. This can happen accidentally when the website owner is trying to post user reviews and testimonials.
  • Spotting spammers: Never respond to emails that come from a different email address than the one provided by the user asking for help resetting a password or gaining access to an account. This can be fraudulent activity that compromises the security of the platform if it is a hacker trying to gain access.
  • Consent and Terms: All healthcare providers except public healthcare providers are required to operate according to the Personal Information Protection Act (PIPA) in British Columbia. It starts with the consent of a patient. We must have the written or verbal consent of the patient to access their personal health information.
  • Disclosing ePHI: The same regulations apply when personal information is disclosed to a third party such as another healthcare provider out of province, a lawyer or the police, unless the law specifically indicates that the personal information is to be released.
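As an added example (not code from the original post), here is a server-side implementation of the 15-minute idle log-off from the checklist above, built on a constructed in-memory session store; the class and function names are my own. The point it demonstrates is that the expiry must be enforced on the server, so a session that went idle is destroyed even if the user’s device never ran its own timer.

```python
"""Idle-session auto log-off: 15 minutes of inactivity ends the session."""
from __future__ import annotations

import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # the 15-minute figure used in the checklist


class SessionStore:
    """In-memory session store keyed by an unguessable session id.

    Constructed for illustration; a real deployment would back this with a
    database or cache, but the expiry logic would be the same.
    """

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._sessions: dict[str, dict] = {}
        self._idle_timeout = idle_timeout

    def create(self, user_id: str, now: float | None = None) -> str:
        """Start a session and return its id (256 bits of randomness)."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user_id": user_id, "last_activity": now}
        return session_id

    def authenticate(self, session_id: str, now: float | None = None) -> str | None:
        """Return the user id for a live session and refresh its activity time.

        Returns None if the session is unknown or has been idle longer than the
        timeout; an expired session is deleted server-side so it can never be
        revived by a later request carrying the same cookie.
        """
        now = time.time() if now is None else now
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if now - session["last_activity"] > self._idle_timeout:
            del self._sessions[session_id]  # invalidate on the server, not just the client
            return None
        session["last_activity"] = now  # only live sessions get their timer reset
        return session["user_id"]

    def logout(self, session_id: str) -> None:
        """Explicit log-off: remove the session regardless of its age."""
        self._sessions.pop(session_id, None)

    def active_count(self) -> int:
        return len(self._sessions)
```

The `now` parameter exists so the expiry logic can be tested with fixed timestamps; production callers leave it unset and the store uses the wall clock.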

How to make users aware of these conditions: you should have an elaborate description on your terms and conditions page explaining the need to consent to the collection of information.

  • Business associate agreement (BAA): Prepare a clear, detailed agreement between you as the business and the web developer who handles the technical infrastructure of your pharmacy apps and websites. As part of the regulations they are required to protect the business information they come into contact with. It is also mandatory for any web developer to inform the web platform owner/company in the unlikely event of a security breach of the website. As businesses, we must notify the privacy officer of any security breach incident, as it helps in taking the next appropriate action.
  • How to secure emails: If healthcare providers are dealing with personal information exchanged through email, it is their responsibility to safeguard the email conversations. One way to do this is to have a privacy act compliant email provider such as Outlook email. They provide email encryption on both ends; to strengthen the security, partner with a third-party email encryption service to ensure that any email going out or landing in your inbox stays secure in transit and at rest.
  • Secure Pharmacy apps and Web forms: Healthcare businesses that put convenient tools like website forms in place for patients to fill out in order to speed up their workflow can follow the same encryption steps mentioned above. Done this way, your web forms will open through a new secure link that is hosted on a secured server. Ask us how to get started with this service and we will set up all the infrastructure for you.
  • User identification: Enhance the security of the login procedure by confirming the identity of patients with two-factor authentication. For example, send a confirmation code to their mobile to finish registration on the website or app.
  • Retaining ePHI: Retain electronic personal health information for at least one year in situations where it seems likely that the information might be requested by patients. For services where you don’t feel it is important to retain the information, it is obvious to destroy it once the purpose of the intended service is served.

We really hope that this guide helps you decide whether extending some operations of your healthcare practice online, using a secure website or mobile app, is a good choice or not. This guide is meant to empower even the smallest healthcare practice to think big and use healthcare security to grow their practice.


All healthcare professionals, consultants and privacy advocates are more than welcome to discuss any topic in healthcare web development, healthcare security, secure websites, mobile apps, security features, HIPAA compliance, the Canadian privacy law PIPEDA and so on.

Leave us a comment about any new information you might want to add to this article. You can also email your question on  or send a direct tweet to Pratik Dalwadi.
