The pocket guide for healthcare commerce: What you really need to know about HIPAA compliance

Aron Birenbaum
Technical Product Manager, commercetools
Published 24 July 2024

In the US, HIPAA compliance is mandatory for covered entities and their business associates that handle transactions for health-related products and services. Whether it’s an online pharmacy selling prescription medication or a telehealth application, HIPAA compliance is essential to maintain patient trust, mitigate legal risk and safeguard sensitive health information.

Let’s take a look at the ramifications of HIPAA for healthcare commerce and what your business should watch out for when partnering with commerce vendors. 

Understanding HIPAA compliance in healthcare commerce

What’s PHI?

The first step to understanding HIPAA is to unpack what PHI is. Under US law, protected health information (PHI) encompasses any data related to an individual’s health status, the provision of healthcare or payment for healthcare. This information, created or collected by a Covered Entity (such as a hospital or care facility), can be linked to a specific individual.

In other words, health data is only “protected health information” when an individual can be identified from it. If all identifiers are stripped from health data, it ceases to be PHI. For example, an email address is only PHI when it is associated with a health-related product order, a medical record number or dates related to an individual’s health, such as the date of hospital discharge. An email address alone isn’t PHI.

The 18 HIPAA Identifiers from the Department of Health and Human Services (HHS)

  • Name.
  • Address (all geographic subdivisions smaller than the state, including street address, city, county and zip code).
  • All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death and exact age if over 89).
  • Telephone numbers.
  • Fax number.
  • Email address.
  • Social Security Number.
  • Medical record number.
  • Health plan beneficiary number.
  • Account number.
  • Certificate or license number.
  • Vehicle identifiers and serial numbers, including license plate numbers.
  • Device identifiers and serial numbers.
  • Digital identifiers, e.g., website URLs.
  • Internet Protocol (IP) address.
  • Biometric elements, such as finger or voice print.
  • Photographic image (not limited to images of the face).
  • Any other characteristic that could uniquely identify the individual.

Not every health-related transaction involves PHI, however. For instance, B2B transactions between medical equipment manufacturers and hospitals don’t require PHI safeguards, because no individually identifiable patient data is part of that kind of transaction.

However, a B2B2C transaction could require the processing of PHI, as in the example of a doctor’s office ordering a glucose monitor from the device manufacturer (a seemingly B2B transaction), but having it shipped directly to the patient’s home address and including their email for shipment tracking purposes. The association of the health “product” (the glucose monitor) and the patient’s email and home shipping address is considered PHI, and thus processing a transaction like this would require a HIPAA-compliant commerce platform. 
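The distinction drawn above (identifiers alone are not PHI, identifiers tied to a health product or service are, and stripping the identifiers removes the PHI status) can be encoded as a check that a commerce system runs before deciding which storage and logging path an order takes. The following is an added example, not commercetools code; the record layout, field names such as `ship_to` and `rx_required`, and the product categories are assumptions made for the illustration. It applies a Safe Harbor-style pass over the identifier categories listed on this page (drop direct identifiers, keep only the year of dates, cap ages over 89) and recurses into nested blocks so the B2B2C case, where the patient's details sit under the shipping address of an otherwise B2B order, is caught.

```python
"""Added example (not commercetools code): classify a commerce record as PHI or not,
and apply a Safe Harbor-style de-identification pass to it.

Field names, categories and sample records below are constructed for this example.
"""
from __future__ import annotations

from datetime import date

# Field names this example assumes a record might use, mapped onto the HHS
# identifier categories (name, geography below state level, contact details,
# SSN, MRN, plan/account/licence numbers, vehicle/device ids, URL, IP,
# biometrics, photos). "Any other uniquely identifying characteristic" cannot
# be enumerated mechanically and still needs human review.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}
# Date elements: Safe Harbor keeps only the year.
DATE_FIELDS = {"birthdate", "admission_date", "discharge_date", "date_of_death"}
# Categories that tie a record to a health product or service (assumed values).
HEALTH_CATEGORIES = {"prescription", "medical_device", "diagnostic"}


def has_health_context(record: dict) -> bool:
    """True when the record concerns a health-related product or service."""
    return bool(record.get("rx_required")) or record.get("category") in HEALTH_CATEGORIES


def find_identifiers(record: dict, prefix: str = "") -> list[str]:
    """Dotted paths of every populated identifier field, nested blocks included."""
    found: list[str] = []
    for key, value in record.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            found.extend(find_identifiers(value, path + "."))
        elif value is None or value == "":
            continue
        elif key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS or key == "age":
            found.append(path)
    return found


def is_phi(record: dict) -> bool:
    """PHI needs both: health context AND at least one identifier.
    An email on an office-supplies order is not PHI; the same email on an
    Rx order, or on the patient-bound shipment of a glucose monitor, is."""
    return has_health_context(record) and bool(find_identifiers(record))


def deidentify(record: dict) -> dict:
    """Safe Harbor-style pass: drop direct identifiers, reduce dates to the
    year, cap ages over 89, keep everything else (state, SKU, category...)."""
    out: dict = {}
    for key, value in record.items():
        if isinstance(value, dict):
            out[key] = deidentify(value)
        elif key in DIRECT_IDENTIFIER_FIELDS:
            continue
        elif key in DATE_FIELDS and value:
            out[key] = str(date.fromisoformat(value).year)
        elif key == "age" and value is not None:
            out[key] = "90+" if value > 89 else value
        else:
            out[key] = value
    return out


# Constructed sample records mirroring the cases discussed in the text.
B2B_ORDER = {  # hospital buys a pump: organisation, no patient identifiers
    "category": "medical_device", "sku": "infusion-pump",
    "buyer_org": "General Hospital", "ship_to": {"state": "NY"},
}
PLAIN_ORDER = {  # email present, but no health context
    "category": "office_supplies", "sku": "paper-a4", "email": "buyer@example.com",
}
B2B2C_ORDER = {  # clinic orders, device ships straight to the patient
    "category": "medical_device", "sku": "glucose-monitor",
    "buyer_org": "Riverside Family Practice",
    "ship_to": {"name": "Pat Example", "street_address": "1 Main St", "city": "Albany",
                "zip": "12207", "state": "NY", "email": "pat@example.com"},
}
RX_ORDER = {
    "category": "prescription", "rx_required": True, "sku": "rx-0001",
    "patient": {"birthdate": "1931-05-02", "age": 93, "zip": "12207", "state": "NY"},
}

if __name__ == "__main__":
    for label, rec in [("B2B", B2B_ORDER), ("plain", PLAIN_ORDER),
                       ("B2B2C", B2B2C_ORDER), ("Rx", RX_ORDER)]:
        print(label, "PHI" if is_phi(rec) else "not PHI", find_identifiers(rec))
    print("de-identified Rx order:", deidentify(RX_ORDER))
```

The check is deliberately conservative: any populated identifier in a health-context record makes it PHI, and the de-identified form is re-checked with `is_phi` to confirm it no longer qualifies before it is passed to analytics or a non-BAA vendor.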

Understanding when PHI processing is needed for healthcare commerce

For covered entities and their business associates that process PHI, ensuring robust security of data and data processing practices is paramount. The risk of not doing so is immense: If a stolen credit card sells for $2 USD on the black market, PHI can sell for as much as $363 USD, according to the Infosec Institute. Scammers use PHI to commit insurance and medical fraud, with high costs for individuals and healthcare systems. 

Moreover, failure to comply with the provisions of the HIPAA Privacy, Security or Breach Notification rules can also mean steep financial penalties for Covered Entities, even if a violation was unintentional.  

What’s HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a federal law in the United States that governs the handling and security of protected health information (PHI). Broadly speaking, HIPAA applies to the following parties:

  • Covered entities are organizations directly subject to HIPAA regulations. This encompasses healthcare providers (hospitals and nursing homes), health plans and pharmacies that transfer medical information, often referred to as electronic medical records (EMR), electronic health records (EHR) or simply protected health information (PHI). It’s crucial to note that covered entities are responsible for their own HIPAA compliance.

  • Business associates perform activities involving the use or disclosure of PHI on behalf of a covered entity. Examples include a CPA firm providing accounting services to a covered entity, as well as technology providers that provide software for use within the regulated setting, like a commerce platform technology vendor.  

Covered entities and business associates must sign a business associate agreement (BAA) when sharing PHI, ensuring compliance with HIPAA regulations. The BAA is a contract that governs the secure processing of PHI, specifies the business associate’s role and requires it to comply with HIPAA rules. 

While there’s no formal HIPAA certification, organizations must implement safeguards to process PHI according to their role and risk level, including third-party security risk assessments, adoption of industry standards and established frameworks, direct alignment with the guidance set by the US Department of Health & Human Services, technical, administrative and physical controls, as well as continuous internal training. 

The 5 HIPAA rules

These rules collectively aim to protect individuals' health information while allowing for the secure and efficient exchange of electronic healthcare data.

      1. Privacy rule: Establishes national standards to protect individuals' medical records and other personal health information (PHI). It sets limits and conditions on the use and disclosure of PHI without patient authorization.
      2. Security rule: Sets standards for the security of electronic PHI (ePHI). It requires covered entities to implement technical, physical and administrative safeguards to protect ePHI from unauthorized access, use or disclosure.
      3. Transactions and code sets rule: Establishes standards for electronic healthcare transactions, such as claims and benefit eligibility inquiries. It also sets guidelines for the use of code sets (e.g., ICD-10, CPT) in these transactions.
      4. Identifier rule: Sets standards for unique identifiers used to identify individuals, employers, health plans, and healthcare providers in electronic transactions. It includes standards for National Provider Identifiers (NPIs) and Employer Identification Numbers (EINs).
      5. Enforcement rule: Outlines procedures and penalties for non-compliance with HIPAA rules. It empowers the Office for Civil Rights (OCR) to enforce HIPAA through investigations, audits and civil and criminal penalties for violations.

How does HIPAA compliance impact the customer experience in healthcare eCommerce?

When customers know their personal health information is protected, they feel more secure and are more likely to engage in online healthcare transactions. In short, adhering to HIPAA fosters patient trust while reducing the risk of data breaches, having a direct (and positive) impact on the growth of your healthcare eCommerce business. 

For instance, when PHI is safely processed, healthcare businesses can create a heap of digital solutions that make health and wellness services easier, faster and more convenient for patients. Here are some examples of digital solutions for healthcare that require PHI processing:

  • Telemedicine platforms: Remote consultations, medical diagnosis or treatments. 

  • Healthcare mobile apps: Applications that collect, store or transmit PHI such as patient records, digital therapeutics, medical images or test results. 

  • Online patient portals: Web-based platforms that allow patients to access their medical records, schedule appointments or communicate securely with healthcare providers. 

  • Electronic health records (EHR) systems: Systems used to manage patient records electronically, including storing, sharing and accessing PHI.

  • Medical billing and claims processing: Platforms that handle billing information, insurance claims or payments related to healthcare services.

  • Health information exchanges (HIE): Networks that facilitate the sharing of patient health information among healthcare providers.

  • Remote monitoring devices: Wearables or home health devices need to comply with HIPAA regulations when storing and transmitting health data to providers.

  • Pharmacy eCommerce: Online pharmacies or platforms that handle prescription-required (Rx) orders, medication delivery or patient information.

Many healthcare companies are relying on HIPAA-compliant digital commerce platforms to scale health and well-being products and services across the US and serve patients online. For instance, the eyecare leader Bausch & Lomb is seeking to create an experience that would allow eyecare providers to sell Rx (prescription-required) contact lenses, a process that requires safe PHI processing.

By digitizing its biggest, most complex use case first (B2B2C, used when consumers need a prescription from an eye care professional (ECP) to purchase a product), the company required a digital commerce platform that can ingest PHI securely and is fully HIPAA-compliant, which was commercetools.

Which commerce technology providers are built for the stringent requirements of healthcare eCommerce?

While there's technology serving the healthcare industry that provides HIPAA-ready ERP and related services solutions, such as Adobe Commerce and SAP, these legacy all-in-one platforms aren’t fit for purpose. While they might solve the secure processing of PHI, these platforms typically lack the flexibility required to translate complex use cases into intuitive buying experiences. 

This is because the monolithic platform bundles all the commerce components (backend, frontend, and everything in between) in one system, a notoriously inflexible setup that slows businesses down. 

This inflexibility means many healthcare companies operating across multiple business models end up with disparate, siloed systems, further adding to their already complex interoperability landscape. As a result, they struggle to release features that meet customer needs and can’t efficiently automate complex, manual and time-consuming sales and ordering processes.

Because of these constraints, many healthcare companies decided to invest in homegrown solutions in order to fully customize patient experiences. In practice, however, business goals quickly outpace the capabilities of in-house built technologies. Moreover, when you build your own system, it’s your job to implement security measures and ensure compliance with regulations. Homegrown solutions might struggle to stay compliant due to the complexity of these regulations, which, in turn, might make your company more vulnerable to cyberattacks.   

Composable commerce is a modular, component-based design that provides the flexibility and freedom for businesses to “compose” tailor-made shopping experiences by selecting and integrating the best components for their unique needs. 

When coupled with robust security and compliance measures, composable infrastructure is best suited to meet the needs of the healthcare industry as it’s capable of supporting sophisticated customer experiences while upholding the utmost data security standards. 

Is commercetools HIPAA-compliant?

HIPAA compliance is a feature of commercetools Platform’s security capabilities. commercetools’ HIPAA compliance is affirmed by: 

  • Third-party security risk assessments, including a formal external audit for HIPAA compliance, SOC 2 Type 2, Cyber Essentials, and TISAX Level 2.

  • Following established frameworks and standards such as HITRUST CSF, NIST 800-30 Rev 1 and an ISO 27001 certified information security management system.

  • Direct alignment with the guidance set by the United States Department of Health and Human Services Office for Civil Rights.

  • Technical, administrative and physical controls that employ the principle of minimum necessary authorization and access to systems and data.

  • Requiring all employees to complete HIPAA and HDS training with a mandatory test.

commercetools for Healthcare is a fit-for-purpose solution that empowers healthcare organizations to digitize commerce with unparalleled flexibility while ensuring regulatory compliance, including HIPAA, and security for sensitive and protected health data at scale. 

What’s the role of commercetools in ensuring HIPAA audit log requirements?

Data access logs play a critical role in HIPAA compliance by providing a detailed record of who has accessed PHI, when they accessed it and what actions they performed. Key requirements include:

  1. Detailed logging: Maintain logs of all PHI-related activities, including access, modification, deletion and transmission, with user identification.

  2. Event tracking: Log access, modifications, deletions and transmissions of PHI, including user details, timestamps and methods of transmission.

  3. Regular monitoring: Regularly review and analyze audit logs to detect unauthorized or suspicious activities, using automated tools where possible.

  4. Log integrity: Protect logs from tampering, regularly back them up and retain them for at least six years.

  5. Incident response: Have procedures to respond to and investigate anomalies or security incidents identified through logs and document actions taken.

  6. Policies and training: Develop policies and procedures for logging and monitoring PHI activities and train staff accordingly.
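Requirements 1, 2 and 4 above (who did what to which PHI record, when and by what method, in a log that cannot be silently edited) and requirement 3 (regular, preferably automated review) can be shown together in a small tamper-evident log. The following is an added example and is not commercetools Audit Log Premium code; the event layout, user names, the ten-minute window and the bulk-read threshold are constructed for the illustration. Each entry commits to the SHA-256 hash of the previous entry, so altering or deleting an earlier record invalidates everything after it, and `review` demonstrates one automated check a monitoring job might run: flag deletions and transmissions for human attention, and flag any user who reads many distinct PHI records in a short window.

```python
"""Added example (not commercetools code): a hash-chained PHI audit log with an
integrity check and a simple automated review pass.

Event shape, user ids, thresholds and the sample events are constructed.
"""
from __future__ import annotations

import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _digest(body: dict) -> str:
    """Canonical SHA-256 of an entry body (sorted keys keep the hash stable)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class PhiAuditLog:
    """Append-only log; every entry commits to the previous entry's hash, so
    editing or dropping an earlier entry breaks every hash after it."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, user: str, action: str, resource: str, method: str, at: datetime) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {
            "seq": len(self.entries),
            "at": at.isoformat(),
            "user": user,          # user identification
            "action": action,      # read / update / delete / transmit
            "resource": resource,  # which PHI record was touched
            "method": method,      # access path: API, UI, SFTP transmission, ...
            "prev": prev_hash,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> int | None:
        """None when the chain is intact, else the seq of the first bad entry."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev_hash or _digest(body) != entry["hash"]:
                return i
            prev_hash = entry["hash"]
        return None


def review(entries: list[dict], bulk_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> list[str]:
    """Automated review: every delete/transmit is reported, and so is any user
    who reads at least `bulk_threshold` distinct records inside one window."""
    findings: list[str] = []
    by_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in entries:
        if e["action"] in ("delete", "transmit"):
            findings.append(f"{e['user']} {e['action']} {e['resource']} via {e['method']} at {e['at']}")
        if e["action"] == "read":
            by_user[e["user"]].append((datetime.fromisoformat(e["at"]), e["resource"]))
    for user, reads in by_user.items():
        reads.sort()
        for start, _ in reads:
            distinct = {r for t, r in reads if start <= t < start + window}
            if len(distinct) >= bulk_threshold:
                findings.append(f"{user} read {len(distinct)} distinct records within "
                                f"{int(window.total_seconds() // 60)} min from {start.isoformat()}")
                break
    return findings


def build_sample_log() -> PhiAuditLog:
    """Constructed events: a normal clinician session, a bulk read, one deletion."""
    base = datetime(2024, 7, 24, 9, 0, tzinfo=timezone.utc)
    log = PhiAuditLog()
    log.record("nurse-12", "read", "patient-101", "UI", base)
    log.record("nurse-12", "read", "patient-102", "UI", base + timedelta(minutes=3))
    for i in range(6):  # six distinct records in two minutes via the API
        log.record("ops-bot", "read", f"patient-{200 + i}", "API", base + timedelta(seconds=20 * i))
    log.record("admin-7", "delete", "patient-101", "API", base + timedelta(minutes=30))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    for finding in review(log.entries):
        print("finding:", finding)
    log.entries[2]["user"] = "someone-else"  # simulate tampering with an entry
    print("first bad entry after tampering:", log.verify())
```

In production the chain head (the latest hash) would be written somewhere the application cannot overwrite, such as a write-once bucket or an external logging service, so that `verify` has an anchor an attacker with database access cannot recompute; the six-year retention and backup requirements are operational controls around the store, not properties of the log format itself.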

The commercetools for Healthcare solution comes with Audit Log Premium to track changes for detailed logging of all systems activity. By having an audit trail for changes across your commerce operations, you can support compliance audits and security investigations.  

Are there any similar compliance requirements or certifications outside of the US?

For companies operating healthcare commerce in France, the HDS (Hébergeur de Données de Santé) certification is required to process PHI in the country. In addition, data protection regulations such as the GDPR (General Data Protection Regulation) in the European Union and other relevant standards like TISAX are crucial for healthcare companies seeking to strengthen their security posture in digital commerce.

As an IT-managed service provider, commercetools holds the HDS certification for the scope of personal health data management, which is a requirement by the French Public Health Code for handling personal health information. In addition, commercetools’ commitment to securely managing data helps you meet regulatory and policy objectives through multiple certifications, including TISAX, ISO 27001, and more. Check our Trust Center for more information. 


Interested in learning more? Get additional information on how to start your HIPAA-compliant eCommerce with commercetools in our docs.

Aron Birenbaum
Technical Product Manager, commercetools

Aron has worked in software development for more than 20 years and in SaaS solutions for the past decade. He is responsible for the internal commercetools observability platform, which is a key driver of our operational excellence and service availability.
