Shopify is a popular eCommerce platform, but are you selling goods or services to patients? If so, you must ensure that the eCommerce platform you use to sell to patients is HIPAA compliant. Is Shopify HIPAA compliant?
What Makes a Software Tool HIPAA Compliant?
When it comes to software, there are certain indications of the tool’s HIPAA compliance. Software HIPAA compliance really boils down to two things. Does the tool have safeguards to keep patient data private and secure? Does the software provider sign business associate agreements?
When the answer to both of these questions is “yes,” the tool is likely HIPAA compliant. If the answer to either is “no,” the tool is not HIPAA compliant.
What Are HIPAA Safeguards?
HIPAA safeguards are measures that a healthcare organization puts into place to protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA categorizes safeguards into three groups – administrative, physical, and technical.
Administrative safeguards are written policies and procedures that dictate the proper uses and disclosures of PHI.
Physical safeguards are measures that protect an organization’s physical location, such as locks and alarm systems.
Technical safeguards are measures that protect electronic PHI (ePHI).
While administrative and physical safeguards are important, technical safeguards are generally the determining factor of a software provider’s HIPAA compliance. Technical safeguards that you should keep an eye out for include encryption, user authentication, access controls, and audit controls.
Why is a Business Associate Agreement Important?
Business associate agreements are a key determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant is they will not sign a business associate agreement (BAA).
Why?
A BAA is a legal agreement that requires each signing party to be HIPAA compliant, and be responsible for maintaining compliance. As such, a BAA limits the liability for both singing parties in the event of a breach or OCR audit, as only the negligent party would be held culpable.
Shopify HIPAA Compliance
Is Shopify HIPAA compliant? Not as is, but it can be made to be. Shopify does not sign BAAs, so they cannot act as a business associate vendor. Therefore, no PHI can be created, stored, or transmitted through Shopify. So how can you use Shopify without violating HIPAA? There’s a workaround.
How to Use Shopify in Compliance with HIPAA
Shopify is not inherently HIPAA compliant. However, that doesn’t mean that you can’t use it to host your online store. To use Shopify in compliance with HIPAA standards, you must use a HIPAA compliant cloud server to store purchasers’ data. The form that the purchaser uses to input their data must also be connected to the secure private web service so that PHI is never entered into the Shopify platform.
Some examples of HIPAA compliant web hosting services include:
Doing all of this can seem overwhelming and complex. When implementing new software that requires configurations to be HIPAA compliant, it is best to consult your IT department or MSP. Don’t have one? Compliancy Group partners with MSPs across the country and can introduce you to someone to help.
