Protected Health Information (PHI) is personally identifiable health data that is protected under HIPAA. For entities that fall under HIPAA, like health clinics and insurance agencies, even the most common personal details such as name and address fall under HIPAA protection when they are recorded or sent through your website’s intake form. Collecting this information through something like a contact form or appointment request form carries a serious legal risk. This is why intake forms, or any other method of recording patient information for treatment or scheduling, produce PHI and require specialized, HIPAA-compliant handling.

So…

If you started your own medical practice or are a medical professional who wants to build their online presence, don’t just go on Wix and slap on a contact form for your patients to fill out!

What counts as PHI on your website

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets strict rules for protecting sensitive patient data. This includes any health information that can be linked back to an individual person.

If information relates to someone’s past, present, or future physical or mental health, the care they receive, or payment for that care, AND it contains details that could identify them, it’s likely PHI.

The “18 Identifiers”: Red Flags for Your Standard Website Forms

HIPAA outlines 18 identifiers. If any of these are collected along with health-related information (even if it’s only for an appointment request) by a covered entity (like a clinic), that data becomes PHI and requires specific protections.

Here are the most common identifiers you will encounter in something like a website contact form:

  1. Names: Obvious, but critical.
  2. Addresses: Geographic subdivisions smaller than a state (street address, city, county, zip code).
  3. Dates: All specific dates related to an individual (birth date, admission/discharge dates, appointment dates). Even just asking for a preferred appointment date range can qualify.
  4. Phone Numbers: Direct lines to the patient.
  5. Fax Numbers: Less common now, but still counts.
  6. Email Addresses: Direct digital contact.
  7. Social Security Numbers: Highly sensitive, and probably shouldn’t be asked on basic web forms, but definitely PHI.
  8. Medical Record Numbers: Assigned by healthcare providers.
  9. Health Plan Beneficiary Numbers: Insurance information.
  10. Account Numbers: Related to payments or patient accounts.
  11. Certificate/License Numbers: Less likely on patient forms, but possible.
  12. Vehicle Identifiers (including license plates): Unlikely, but listed.
  13. Device Identifiers and Serial Numbers: Relevant for things like pacemakers or wearables if linked to health info.
  14. Web URLs: Can be identifiers in specific contexts.
  15. IP Addresses: The unique address of a user’s computer connection – often logged automatically by web servers!
  16. Biometric Identifiers: Fingerprints, voiceprints.
  17. Full Face Photographic Images (and comparable images): Patient photos.
  18. Any Other Unique Identifying Number, Characteristic, or Code: A catch-all for anything else that could pinpoint an individual.

In short: if your website form collects any of these identifiers in relation to a health inquiry, appointment request, symptom description, or insurance question, you are collecting ePHI (electronic PHI) on your website.
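The rule above (identifier + health-related content collected by a covered entity = PHI) is mechanical enough to enforce in code before a submission is ever stored or emailed. The following is an added illustration, not code from the original article or from any form vendor: a small screening helper that inspects a form submission for the common identifiers listed above (including the client IP a web server captures automatically), checks whether the text is health-related, routes likely ePHI away from the ordinary inbox, and produces a redacted copy that is safe for ordinary server logs. The field names, regular expressions, health vocabulary and sample submissions are all assumptions a practice would tune to its own forms.

```python
"""Screen a website form submission for likely ePHI before anything stores or emails it.

Added illustration of the article's rule (identifier + health-related content => PHI).
Not a compliance product: patterns, field names and vocabulary are assumptions.
"""
import re
from dataclasses import dataclass, field

# Regexes for identifiers that commonly get typed into free-text fields.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
# Form field names whose non-empty value is itself an identifier (assumed names).
IDENTIFIER_FIELDS = {
    "name", "first_name", "last_name", "address", "street", "city", "zip",
    "dob", "birth_date", "mrn", "medical_record_number", "member_id",
    "policy_number", "client_ip",
}
# Vocabulary signalling the inquiry concerns health, care, or payment for care.
HEALTH_TERMS = (
    "symptom", "pain", "diagnos", "prescription", "medication", "appointment",
    "insurance", "treatment", "therapy", "doctor", "clinic", "visit", "patient",
)


@dataclass
class ScreenResult:
    identifiers: set = field(default_factory=set)  # kinds of identifiers found
    health_context: bool = False                   # health-related content present?

    @property
    def likely_ephi(self) -> bool:
        # The article's rule: an identifier plus health-related information is PHI.
        return bool(self.identifiers) and self.health_context


def screen_submission(fields: dict) -> ScreenResult:
    """Inspect every field name and value; report what was found."""
    result = ScreenResult()
    for name, value in fields.items():
        text = str(value)
        if name.lower() in IDENTIFIER_FIELDS and text.strip():
            result.identifiers.add(name.lower())
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            if pattern.search(text):
                result.identifiers.add(kind)
        if any(term in text.lower() for term in HEALTH_TERMS):
            result.health_context = True
    return result


def route(fields: dict) -> str:
    """Likely ePHI must not land in the website database or a plain mailbox;
    hand it to the secure portal / practice management system instead."""
    return "secure_portal" if screen_submission(fields).likely_ephi else "standard_inbox"


def redact_for_log(fields: dict) -> dict:
    """Copy that is safe for ordinary web-server logs: identifier fields are
    blanked and identifier patterns inside free text are masked."""
    safe = {}
    for name, value in fields.items():
        if name.lower() in IDENTIFIER_FIELDS:
            safe[name] = "[REDACTED-field]"
            continue
        text = str(value)
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            text = pattern.sub(f"[REDACTED-{kind}]", text)
        safe[name] = text
    return safe


# Constructed sample submissions (fictional people; 203.0.113.0/24 is a documentation range).
SAMPLE_APPOINTMENT = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "phone": "555-867-5309",
    "message": "Requesting an appointment next week for knee pain; my insurance is through work.",
    "client_ip": "203.0.113.7",  # web servers record this automatically
}
SAMPLE_GENERAL = {
    "name": "Sam Vendor",
    "email": "sam@example.net",
    "message": "Do you offer bulk pricing on office supplies?",
}

if __name__ == "__main__":
    for label, sub in (("appointment", SAMPLE_APPOINTMENT), ("general", SAMPLE_GENERAL)):
        found = screen_submission(sub)
        print(label, "->", route(sub), sorted(found.identifiers), found.health_context)
    print(redact_for_log(SAMPLE_APPOINTMENT))
```

The appointment request carries a name, email, phone and IP together with health and insurance language, so it is routed to the secure portal and its identifiers are masked before logging; the vendor inquiry carries identifiers but no health context and can stay in the ordinary inbox. The screen is deliberately conservative: over-flagging a submission costs a click through to the portal, while under-flagging costs a stored copy of ePHI on the web server.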

Avoid Standard Website Forms

TLDR: Avoid using a standard website form on your website!

“Okay,” you might think, “so I’m collecting PHI. What’s the big deal if it just goes to my email?”

The problem lies in how standard website forms and basic web hosting typically handle data:

  • Insecure Storage: When a patient hits “submit” on a typical website form (built with basic WordPress plugins, Squarespace tools, etc.), that data often gets stored directly on the web server that hosts your public website files. These servers are generally not designed with the stringent security protocols required by HIPAA for storing sensitive medical data. They are built for public access, making them bigger targets.
  • Unencrypted Transmission: The data might be sent to your email inbox unencrypted, like a postcard anyone could potentially read along the way. HIPAA requires strong encryption both “at rest” (when stored) and “in transit” (when moving). Standard email often fails this test.
  • Access Control Chaos: Who has access to your website’s backend? Your web developer? A marketing assistant? HIPAA demands strict controls over who can view PHI. Managing this on a standard web server is difficult.
  • Data Retention Issues: How long does that form submission sit on your server or in your inbox? HIPAA has rules about data retention and disposal; basic website tools often lack these controls.

What About ePHI? Is ePHI the same as PHI?

Any PHI that is created, received, maintained, or transmitted in electronic form is called electronic PHI (ePHI). This absolutely includes data submitted through website forms, sent via email based on form submissions, or digitized from paper forms. The same strict HIPAA Security Rule requirements apply – robust technical, physical, and administrative safeguards are mandatory.

Keep PHI Off Your Website

So, how do you offer online convenience without risking a HIPAA violation?

  • Leverage Your Practice Management Software (PMS): Most modern PMS platforms offer secure, HIPAA-compliant patient portals or embeddable widgets (like secure booking forms). These tools are designed to handle PHI safely. The data submitted goes directly into the secure PMS environment, completely bypassing your main website server. Your website’s job is simply to link to the portal or display the secure widget.

  • Use HIPAA-Compliant Third-Party Forms: Services exist (like Jotform’s HIPAA-compliant plan) that specialize in secure online forms. Like PMS widgets, these ensure the data is handled within their secure, compliant environment, not your website server. You embed their form or link to it. Be aware that many of these form options can be expensive.

    In the case of Jotform, HIPAA-compliant forms are only available on their higher-tier, more expensive plans.

    [Image: HIPAA-compliant form costs]

The High Stakes: Consequences of Mishandling PHI on Your Website

Thinking “it’s just a simple website form” or “it probably won’t happen to me” is a dangerous gamble when dealing with patient health information. Failing to comply with HIPAA’s strict requirements for handling, accessing, or storing PHI – even accidentally through an insecure website form – can lead to serious consequences.

These aren’t just slaps on the wrist; they can involve significant financial penalties and even criminal charges. HIPAA violations are categorized into tiers, largely based on the level of knowledge and neglect involved:

  • Tier 1 (Unknowing Violation): The entity was unaware they were violating HIPAA and exercised reasonable diligence.
    • Penalty: $100 to $50,000 per violation.
  • Tier 2 (Reasonable Cause): The entity knew, or should have known by exercising reasonable diligence, about the violation, but it wasn’t due to willful neglect.
    • Penalty: $1,000 to $50,000 per violation.
  • Tier 3 (Willful Neglect - Corrected): The violation was due to intentional disregard for HIPAA rules, but the entity corrected it within the required timeframe (usually 30 days).
    • Penalty: $10,000 to $50,000 per violation.
  • Tier 4 (Willful Neglect - Uncorrected): The violation stemmed from intentional disregard, and the entity failed to correct it promptly.
    • Penalty: $50,000 or more per violation.

Worse still, “per violation” can mean per patient record affected, potentially leading to astronomical fines even for a single incident involving multiple patients.

As of October 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) had received over 374,000 HIPAA complaints since the Privacy Rule was enacted in 2003, and they have resolved 99% of them, often resulting in corrective action plans and financial penalties for non-compliant entities.

Your clinic’s website is often the first point of contact and represents your practice’s professionalism and trustworthiness. Make sure it doesn’t become an accidental source of HIPAA violations by improperly handling PHI through insecure forms.

If you’re interested in learning how you can protect your patients and your practice while building your online presence, you can fill out our intake form here.