A solid web presence can provide a significant source of revenue for organizations that might otherwise rely on referrals and word-of-mouth to generate business—healthcare providers are no exception. Whether you’re a local practitioner or an urgent care clinic, it’s vital to both establish trust and credibility on the front end and ensure that patient information is secure and protected on the back end.

Basic Best Practices

Successful medical websites convert curious visitors to dedicated patients; most have a number of characteristics in common. These sites:

  • Offer quality content and rich resources.
  • Offer messaging that is reassuring and designed to speak directly to targeted audiences.
  • Don’t make users think.
  • Favor simplicity in their design.
  • Pride themselves on their accessibility.
  • Never use stock images, fake reviews, or too much industry jargon.
  • Display contact information clearly on every page.

The owners of these sites work hard to keep them relevant, engaging, and accurate; these site sponsors:

  • Use the sites more as educational tools than as marketing platforms.
  • Don’t underestimate the power of social media to deliver their messages.
  • Regularly track, test, and redesign calls to action.
  • Invest in ongoing SEO campaigns to improve organic search results.
  • Triple-check terminology for accuracy and clarity.

Understanding HIPAA and HITECH

Developing and hosting healthcare and medical websites requires agencies to be well informed about current laws and regulations governing secure hosting and protection of patient information. This means understanding HIPAA and HITECH—two laws that govern how patient information is handled online. This discussion may be a little dry for many, but if the intricate process of securing healthcare information online captivates you—you’ll eat this stuff up.

HIPAA, (The Health Insurance Portability and Accountability Act) was passed in 1996 and was intended to improve the healthcare process and reduce costs by standardizing common healthcare transactions while keeping individual patient information safe. The HITECH Act (Health Information Technology for Economic and Clinical Health), which was passed in 2009, expanded HIPAA and provided minimum standards for handling protected health information (PHI). With this expansion, both privacy and security standards have been drastically improved, as have healthcare quality, safety, and efficiency.

Hosting Solutions and Securing Information

There are specific security standards within HIPAA that address the encryption of PHI, both in transmission and in storage.

To protect data during electronic transmission, files containing PHI should be encrypted using technologies such as 256-bit AES algorithms. A complete firewall solution can be created in the cloud by utilizing the default deny-all mode, which automatically denies all inbound traffic unless the customer opens an EC2 port. Administrators can set up multiple security groups to enforce different ingress policies as needed. Each security group can be controlled with a PEM-encoded X.509 certificate and traffic can be restricted to each EC2 instance by protocol, service port, or source IP address.

Large-scale server environments such as Amazon or Rackspace often host healthcare websites. These companies recommend either short- or long-term storage data be encrypted before transmission. Information can be accessed via secure socket layer (SSL)-encrypted endpoints over the Internet or with assistance from the hosting company. Adhering to these practices helps ensure PHI and other sensitive data is safe and secure.

High-Level Protection

Data passing to and from the cloud should be safeguarded with encryption; however, information that comes in contact with administrators or third-party partners may require different control mechanisms.

It’s vital to keep a close watch on security policies and processes regarding data and how users can implement authentication, access consent processes, and audit controls to reduce the risk of compromise. This attention to detail allows site administrators to understand data restriction options for their systems and to monitor their systems for a threat or attack.

Auditing and Back-Ups

Be sure your servers can run activity log files and audits down to the packet layer on the client’s virtual servers, just as they would on standard hardware. In addition, make sure servers can track any IP traffic that reaches the virtual server instance. Most hosting companies have the ability to back up log files into the cloud on your behalf for long-term, reliable storage.

Disaster Recovery Requirements

Under HIPAA, covered entities must have a backup plan to protect information in case of an emergency. Retrievable and exact copies of electronic PHI must be available. HIPAA’s requirements for disaster recovery processes protect an organization’s data and IT infrastructure are typically among the more expensive requirements to comply with. Depending on the specific level of security the client requires, we suggest having a conversation with your hosting company’s representative to ensure you are fully compliant with HIPAA’s web-server requirements.


This article is not intended to constitute legal advice. Professional legal counsel regarding compliance with HIPAA and HITECH should be sought to ensure you and your organization are fully protected. Neither Gravitate nor our partners make any representations or warranties that the information presented here will ensure compliance with applicable laws, including but not limited to HIPAA and HITECH.

Hire Gravitate. Get Results.