A Brief Guide to Data Protection and Accessibility Compliance
Life science, biotech, healthcare and the pharmaceutical sector are heavily regulated. You navigate complex laws, regulations and guidelines at every stage of a product life cycle. The web and the internet as a whole are an increasingly important resource in many aspects of our lives, including education, employment, government, commerce, life science and healthcare.
In addition, your businesses have a strong online presence made up of websites of all shapes, sizes and scope. Developing, hosting and operating these websites requires compliance with several laws and regulations. Depending on which countries you offer your services or products and from which you are receiving personal data, your website may have to satisfy an array of overlapping compliance requirements from different countries. And with ever-developing information technologies comes the need for information security.
This article aims to give you an overview of some of the data protection and accessibility requirements for a medical website. It does not cover every aspect and is based on information available at the date of publication.
Data protection is a set of strategies and processes you can use to secure your data’s privacy, availability and integrity. A data protection strategy is vital for any organisation that collects, handles or stores sensitive data. Sensitive data, referred to on medical websites as Protected Health Information, may include, but is not limited to, names, phone numbers, addresses, dates of birth, social security numbers, payment information, test results and medical records.
A successful strategy can help prevent data loss, theft, or corruption and help minimise damage in a data breach or disaster.
Data protection laws cover two main areas – data privacy and data security. These two terms are often used interchangeably, but there is a distinct difference: data privacy governs how data is collected, stored, shared and used, while data security protects data from compromise by malicious external or internal attacks.
Common Aspects of Data Protection
Secure Sockets Layer (SSL) Certificate
SSL (today implemented by its successor, TLS, though the older name has stuck) is the standard security technology that establishes an encrypted link for data exchange between a web server and a user’s browser. Websites with an SSL certificate will show https:// and a lock icon in the address bar.
A user will notice the presence or absence of SSL very quickly. And Google, for one, will flag your website as ‘Not Secure’ in the URL bar if you do not have SSL.
The benefits of SSL are:
- Encrypts sensitive information in transit, ensuring that no one other than the destination server can read your user’s data.
- Protects you from cybercriminals who target weaknesses in the transmission of data.
- Builds credibility and brand power, as your users will trust your website and be more willing to complete contact forms and buy products.
Transmitted and Stored Data Encryption
If you run a healthcare, medical device or life science website that collects and transmits patient data, you will also need additional data encryption for every web form that carries this information. The same data also needs to be encrypted at rest, i.e. on your website’s hosting server and in every data backup location. Check that your hosting provider offers a high level of security.
Strict Access Control
Where you receive, store and use Protected Health Information (PHI), you will need to ensure that only authorised people can access this data, that access is protected by multi-factor authentication, and that sessions are ended by a timed automatic logout.
Auditing and Backups
Be sure that your servers run activity log files and audits, including the virtual servers, and that IP traffic can be tracked.
All personal data must be recoverable. Most hosting companies can back up log files on your behalf onto the cloud for long-term reliable storage. Regular, tested backups ensure that this data can be restored rather than lost.
Disaster Recovery requirements
Depending on the specific level of security your organisation needs, you may need a disaster recovery process to protect the information in the event of a data disaster. We advise you to consult the relevant data protection regulations and speak to your hosting company.
Data Protection Regulations (US, UK and EU)
Where you do business (offer services or products) and from where you collect data via your website will determine with which data protection regulations you will need to comply.
For example, if you have a U.K. business, sell products or services in the U.K. and U.S., and receive sensitive information (via contact forms) from users within the E.U. as well, you may need to satisfy data protection regulations in all three legislative areas.
The different data protection laws and regulations share many similarities but use slightly different terminology. We do not suggest that compliance with one means you are compliant with another, but it does mean you are probably heading in the right direction.
Physicians and medical administrators within the US are acutely aware of the Health Insurance Portability and Accountability Act (HIPAA), which governs healthcare processes and transactions while keeping patients’ information safe.
In 2009, HIPAA was expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act. It established a set of federal standards to ensure the privacy of Protected Health Information (PHI), which the U.S. Department of Health and Human Services (HHS) enforces. These regulations also apply to medical websites and electronic PHI (ePHI).
The two key standards are:
- HIPAA’s Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule)
- HIPAA’s Security Standards for the Protection of Electronic Protected Health Information (the Security Rule)
Many ordinary healthcare websites are not secure, or inadvertently fail to safeguard ePHI submitted by users through simple online contact forms – even basic information such as name, phone number and email address.
The UK General Data Protection Regulation (UK GDPR) is part of the data protection landscape that includes the Data Protection Act 2018 (the DPA 2018). The UK GDPR sets out requirements for how organisations need to handle personal data.
The UK GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and accidental loss, destruction or damage. It requires the use of appropriate technical or organisational measures.
For those companies that interact directly with patients, it is vital to remember that patient consent for treatment or to share healthcare records is not the same as UK GDPR consent.
Please note that if you are processing special category data – which includes information about an individual’s health – there are additional compliance rules in the UK GDPR.
The E.U. General Data Protection Regulation (EU GDPR) is an E.U. Regulation which no longer applies to the U.K. (following Brexit). If you operate inside the U.K., you must comply with the Data Protection Act 2018 (DPA 2018) and UK GDPR.
These regulations impact businesses that utilise the personal data of E.U. citizens, even if the company does not have a physical presence in Europe. Thus, the EU GDPR could be applicable for U.S. websites as well.
For example, a U.S. company with a website that receives traffic from European Union visitors should seek legal advice on compliance with E.U. regulations regardless of whether it markets products or services to European markets.
Common Aspects of Accessibility Best Practice
There are several things that you can do to increase the accessibility of your website:
- Your website should be mobile-friendly.
- Use adequate link descriptions and alt text on images (this text is what speech synthesiser software reads aloud).
- Use subtitles/closed captions on videos.
- Make your website navigable by keyboard.
- Improve colour accessibility (background to text contrast and using non-colour cues).
- Use text formats that can be read by a screen reader (pay attention to PDF forms).
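Two of the items above can be checked automatically. The following JavaScript is an added example, not code from the article or from Arttia Creative: it computes the WCAG 2.x colour contrast ratio used for the AA threshold, and scans HTML for images with no alt attribute at all. The sample HTML fragment and the function names are constructed for this illustration.

```javascript
// Added example: automated checks for two accessibility points (contrast and alt text).

// Convert "#rrggbb" to WCAG relative luminance (0 = black, 1 = white).
function relativeLuminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`expected #rrggbb colour, got ${hex}`);
  const channels = [0, 2, 4].map((i) => parseInt(m[1].slice(i, i + 2), 16) / 255);
  // Linearise each sRGB channel as WCAG specifies, then apply the luminance weights.
  const [r, g, b] = channels.map((c) =>
    c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4)
  );
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05) with the lighter colour as L1; range 1..21.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// WCAG 2.1 Level AA: at least 4.5:1 for normal text, 3:1 for large text.
function meetsWcagAA(fg, bg, largeText = false) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Return the <img> tags that carry no alt attribute. alt="" is deliberately
// accepted: it marks a decorative image that screen readers should skip.
function findImagesMissingAlt(html) {
  const tags = html.match(/<img\b[^>]*>/gi) || [];
  return tags.filter((tag) => !/\salt\s*=/i.test(tag));
}

// Constructed sample fragment for demonstration (not taken from any real site).
const SAMPLE_HTML = `
<img src="logo.png" alt="Company logo">
<img src="divider.png" alt="">
<img src="chart.png" width="300">
`;

console.log(contrastRatio("#777777", "#ffffff").toFixed(2)); // 4.48: fails AA for body text
console.log(findImagesMissingAlt(SAMPLE_HTML));            // ['<img src="chart.png" width="300">']
```

Mid-grey #777777 on white is a common design choice that narrowly misses the 4.5:1 body-text threshold, while #767676 passes; the large-text threshold of 3:1 accepts both.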
Similar to data protection, individual countries have their own standards for accessibility.
In the U.S., accessibility of websites is covered under the Americans with Disabilities Act (ADA) Title III.
After the requirements had been unchanged for nearly 20 years, the U.S. Access Board updated them and created the Web Content Accessibility Guidelines (WCAG) to help make all websites accessible via a checklist that web developers can follow. These guidelines change, however, so it is important that you follow the most recent version.
The accessibility of U.K. websites is covered by the Equality Act 2010. This protects all individuals from unfair treatment and promotes an equal society. Site owners must make ‘reasonable adjustments’ to make their sites accessible to people with disabilities.
Public sector websites had a deadline of September 2020 to comply with the international standard Web Content Accessibility Guidelines (WCAG) 2.1 at Level AA. Private companies do not currently have a deadline by which to comply, but you would be wrong to assume that these standards do not apply to you. It is advisable to make your website accessible to as many users as possible.
Making your website accessible is the right thing to do. The benefits are not only to the user; they include enhanced brand reputation, increased market share and profit, and reduced legal risk.
The European Union (EU) Directive on the Accessibility of Websites and Mobile Applications requires EU member states to make sure their websites and mobile apps meet common accessibility standards. The Directive uses the four principles of the international Web Content Accessibility Guidelines (WCAG), requiring that public sector organisations across the EU take steps to make sure their websites are ‘Perceivable, Operable, Understandable, and Robust’.
At Arttia Creative we take the time to understand the restrictions and compliance needed for your website and online marketing. If your website or any associated data must meet compliance requirements of any kind for any entity, organisation or regulatory body, it is your responsibility to inform us of the specific requirements involved before your project starts, or at the earliest opportunity. We then work closely with you to create a website that meets those requirements.
Belinda White | Creative Director
This article does not constitute legal advice. You should seek professional legal counsel regarding compliance with Data Protection and Accessibility regulations for the countries in which you offer services/products and/or receive and share data to ensure you and your organisation are fully protected.
Neither Arttia Creative Ltd nor our partners make any representations or warranties that our services will guarantee compliance with applicable laws, including, but not limited to, HIPAA, HITECH, ADA and UK/EU GDPR.