Websites are designed to be marketing tools, not HIPAA compliant patient communication platforms. As you know, this doesn't stop patients, or prospective patients, from sharing all kinds of personal information via your website. While you can't control what people submit, you can control how you respond.

This article focuses on the scenario in which patients use your website's contact form to submit health information and/or makes clinical inquires.

Technical problem

The typical website sends you an email containing whatever information the person submits. If the email used to capture the website submission is not a secure HIPAA compliant email application (indicated by a business associate agreement) or an EHR patient portal, then you shouldn't use the email to carry on a conversation.

The problem escalates if your website hosting service stores the submission data (i.e., archives messages).

Read How to Use Email and Be HIPAA Compliant to learn more about the technical problem.

Information problem

As soon as someone sends information considered protected health information (PHI) you have a responsibility to safeguard said information if you continue the conversation. Patient inquires mentioning symptoms or treatment is PHI, as are questions regarding appointments (more on this later).

When the patient initiates a communication containing PHI, your best bet would be to transfer the communication to a secure channel, such as a phone call or in-person office visit. Do this and you'll be in good graces with the HIPAA.

Note: Make sure your Contact Us form requires a phone number so you always have the ability to call the person in lieu of responding with an email message.

Appointment problem

People love to schedule appointments online, but appointment information is clinical in nature so you should treat it in the same manner you would other PHI. Therefore, when patients try to schedule appointments using your website, don't email the patient back, call instead.

The HIPAA does not intend to limit people's ability to contact your business, nor does it state you cannot have a Contact Us feature on your website. The law requires only that you take reasonable measures to safeguard PHI, in whatever form you receive it.