A road map for online retail success in the health care industry
by Kelly Grahovac & Cassi Price

In the past year, online purchases in the United States have grown 12%. In 2023, the health care e-commerce market in the U.S. made more than $22 billion in revenue due to advancements in technology, evolving consumer behavior and the increased influence of mobile devices on digital health care platforms. 

So, why have so many home medical equipment (HME) businesses avoided entering the e-commerce market? Because the challenge of complying with payer guidelines and regulations while selling online at a competitive (but profitable) price can seem insurmountable. In truth, however, striking the delicate balance between profitability and regulatory compliance, prescription adherence and licensure requirements is just the competitive edge you need to thrive in 2025.

Why E-Commerce in Health Care?

If the stats alone and the ability to broaden your customer base beyond your community don’t convince you, focus on the decrease in repeat customers you’ve had over the last few years because they can’t conveniently order from your business online after hours.

Your reputation and excellent service won the first visit. Unfortunately, convenience is what the pandemic has driven today’s consumer to expect. The good news is that once you’ve added compliant health care e-commerce to your business, your competitive edge is combining that with the principles that you have built your HME business on—unimpeachable care for the health of your customers and excellent service to your community. 

You may be wondering why you haven’t started already. But before you begin, it’s imperative to understand the importance of compliance and incorporate the appropriate security measures to ensure that you are protecting your patients and company information.

Without Security, None of the Business Matters

Building a health care e-commerce site starts with implementing the appropriate security measures. Health care businesses are a high-value target for hackers, so you must take the necessary steps to ensure a secure, protected experience for every one of your patients. Make sure these security measures are included and enabled in your platform:

  • Multi-factor authentication (MFA)

  • Limited user access to your administrator pages

  • Strong encryption standards

  • Firewalls that are kept updated

  • Regular vulnerability scans by your web provider

It is also recommended that your web provider adhere to high security and privacy standards in their data management, such as the SOC 2 framework, so that your customer data is handled securely. The widely trusted SOC 2 trust services criteria cover security, availability, processing integrity, confidentiality and privacy. You can test your web provider's security standards by asking them to complete a third-party security risk assessment or questionnaire.

It’s also important that you implement a secure payment gateway through:

  • End-to-end encryption

  • Fraud detection and prevention

  • Multiple secure payment options

  • Competitive transaction fees with no hidden charges

Medicare & E-Commerce

As a health care provider, you must follow HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) rules to protect patients’ protected health information (PHI). When building your health care e-commerce platform, data encryption, secure hosting and access controls are a must. Data should be encrypted in transit and at rest. When deciding on a platform to host your website, choose a provider that hosts on secure servers in secure data centers.

To comply with HIPAA guidelines, it is recommended that you conduct regular auditing and monitoring to detect security incidents promptly. This is where hosting infrastructure matters. Many HME businesses try to save on web hosting, but there is risk in that decision: cheaper hosting options often come with only basic security features, which may not be sufficient to protect sensitive health data.

Hosting providers that specialize in health care web services are more likely to offer advanced security measures such as intrusion detection and prevention, regular security audits and patching, and an infrastructure team available 24/7 when outages occur. They also host your data at centers that are monitored and controlled by experts. These centers are built with redundant power and cooling systems and are geographically diverse, with multiple data network access points, so that the facilities housing your data can weather nearly any incident with minimal downtime.

Create and maintain an incident response plan for potential data breaches or security incidents. Lastly, don’t forget your business associate agreements, which must also be in place with any online vendors who handle PHI on your behalf, as HIPAA requires.

Maintaining HIPAA compliance is only one area of consideration in your e-commerce journey. To serve your patients online, you must approach the process in the same manner as face-to-face patient interaction, especially if you wish to integrate insurance billing. It is possible to grow an e-commerce platform that allows you to accept a wide range of health insurance patients, including Medicare. Just remember that the same rules apply, no matter how the services are rendered. Pay attention to provider enrollment rules, including state licensure requirements. If you are not licensed to provide durable medical equipment, prosthetics, orthotics and supplies (DMEPOS) in all 50 states, clearly state this on your website. Additionally, implement system logic that blocks shipments to patients in any state where you are not licensed.
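The licensure gate described above can be expressed as a small checkout-time check. The following is an added example written for this article, not code from the authors or from any vendor; the licensed-state list and the state-name map are constructed placeholders, and the order shape (`shippingState`, `items[].dmepos`, `items[].sku`) is an assumed one.

```javascript
// Added example (not from the article): checkout-side licensure gate for
// DMEPOS shipments. The licensed-state set is a constructed placeholder;
// populate it from your own licensure records. It is an allowlist on purpose:
// a state you forget to add is blocked, never silently shipped to.
const LICENSED_DMEPOS_STATES = new Set(["SC", "NC", "GA", "MT", "ID"]);

// Constructed subset of full state names, for inputs that do not arrive as
// two-letter abbreviations. A real deployment carries all 50.
const STATE_ABBREVIATIONS = {
  "south carolina": "SC", "north carolina": "NC", "georgia": "GA",
  "montana": "MT", "idaho": "ID", "california": "CA", "new york": "NY",
};

// Normalize whatever the form submitted into an uppercase abbreviation,
// or null when it is not something we recognize.
function normalizeState(input) {
  if (typeof input !== "string") return null;
  const s = input.trim();
  if (/^[A-Za-z]{2}$/.test(s)) return s.toUpperCase();
  return STATE_ABBREVIATIONS[s.toLowerCase()] ?? null;
}

// Decide whether an order may ship. Only items flagged as DMEPOS are subject
// to the licensure restriction; ordinary retail items are not.
function checkDmeposShipment(order) {
  const state = normalizeState(order.shippingState);
  if (state === null) {
    return { allowed: false, reason: "Unrecognized shipping state; please select a state from the list." };
  }
  const restricted = order.items.filter((item) => item.dmepos === true);
  if (restricted.length === 0) {
    return { allowed: true, reason: "No DMEPOS items; no licensure restriction applies." };
  }
  if (!LICENSED_DMEPOS_STATES.has(state)) {
    return {
      allowed: false,
      reason: `We are not licensed to ship medical equipment or supplies to ${state}.`,
      blockedSkus: restricted.map((item) => item.sku),
    };
  }
  return { allowed: true, reason: "Licensed for this state." };
}

// Constructed sample order: a CPAP (DMEPOS) going to a state not in the set.
const sampleOrder = {
  shippingState: "California",
  items: [{ sku: "CPAP-1", dmepos: true }, { sku: "GIFT-1", dmepos: false }],
};
console.log(checkDmeposShipment(sampleOrder));
```

Run this check on the server when the order is submitted, not only in the browser: front-end validation improves the customer's experience, but anything that runs in the customer's browser can be bypassed, so the server-side gate is the one that actually keeps an unlicensed shipment from being accepted.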

Taxes, Data Privacy & Accessibility

Additional areas to consider in e-commerce when it comes to homecare include compliance with state tax laws, data privacy laws and accessibility requirements, each of which can vary by state.

As an online retailer, you are responsible for adherence to state, local and federal taxes. Not all states apply taxes to medical equipment and supplies. It is recommended that you implement tools to ensure the most up-to-date rates are applied, and any changes in tax regulations are captured and implemented into your online platform. You can adjust this manually in your platform, but there are great automated tools out there to keep you compliant.

Protecting patient information goes beyond HIPAA and HITECH. Most states have data privacy laws in place that require you to protect online users. This includes personal data protection, individual rights, data security, and consent and transparency. Collecting names and email addresses without consent is unlawful. Visitors to your site must be able to choose what information you collect and have the ability to opt out of any communications. You must also be transparent about the data you collect and how you intend to use it, including cookies.

In addition to state law, you may also be required to adhere to international data privacy laws if you sell to international users. This again is an area that you can automate with the right tools to keep you compliant with data privacy laws.

Accessibility guidelines should also be implemented to ensure you are not alienating potential customers. Understanding and applying both Web Content Accessibility Guidelines and Americans with Disabilities Act standards ensure you are not only compliant with federal regulations, but that your site is operable, accessible, understandable and robust. 

For example, a user who relies on a screen reader will need you to set the correct alternative text on images and descriptive text on links so they can easily navigate your site. Another example is a colorblind user, who will need your site design to include the appropriate background-to-font color contrast. Providers succeeding in this area run quarterly tests on their sites to uncover the accessibility updates they must make to keep their site usable by people of all abilities.
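The two checks mentioned above (missing image and link text, and color contrast) can be automated as part of those quarterly tests. The following is an added example written for this article, not code from the authors or from any accessibility tool; the HTML snippet and color pairs are constructed for the example, and the contrast computation follows the WCAG 2.x relative-luminance and contrast-ratio definitions.

```javascript
// Added example (not from the article): two checks a quarterly accessibility
// review can script. The markup below is constructed for the example.

// Relative luminance per WCAG 2.x, from an sRGB hex color such as "#336699".
function relativeLuminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`Bad color: ${hex}`);
  const channels = [0, 2, 4].map((i) => parseInt(m[1].slice(i, i + 2), 16) / 255);
  const [r, g, b] = channels.map((c) =>
    c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4
  );
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio = (lighter + 0.05) / (darker + 0.05). Black on white is 21:1.
function contrastRatio(foreground, background) {
  const l1 = relativeLuminance(foreground);
  const l2 = relativeLuminance(background);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// WCAG AA requires 4.5:1 for body text and 3:1 for large text.
function meetsAA(foreground, background, largeText = false) {
  return contrastRatio(foreground, background) >= (largeText ? 3 : 4.5);
}

// Flag <img> elements with no alt attribute, and <a> elements that have no
// text, no aria-label, and no image with non-empty alt text inside them.
// A regex scan is enough for a static page; a DOM parser is better for an app.
function auditMarkup(html) {
  const findings = [];
  for (const tag of html.match(/<img\b[^>]*>/gi) ?? []) {
    if (!/\balt\s*=/i.test(tag)) findings.push({ type: "img-missing-alt", tag });
  }
  for (const m of html.matchAll(/<a\b([^>]*)>([\s\S]*?)<\/a>/gi)) {
    const attrs = m[1];
    const inner = m[2];
    const text = inner.replace(/<[^>]+>/g, "").trim();
    const hasLabel =
      /\baria-label\s*=/i.test(attrs) || /\balt\s*=\s*["'][^"']+["']/i.test(inner);
    if (!text && !hasLabel) findings.push({ type: "link-missing-text", tag: m[0] });
  }
  return findings;
}

// Constructed sample page fragment: one image without alt, one image-only
// link with no accessible name, and two elements that are fine.
const SAMPLE_HTML = `
<a href="/catalog"><img src="cart.png"></a>
<a href="/about">About us</a>
<img src="logo.png" alt="Acme Medical Supply">
<a href="/help" aria-label="Help center"><img src="q.png" alt=""></a>
`;

console.log(auditMarkup(SAMPLE_HTML));
console.log("#777777 on white meets AA:", meetsAA("#777777", "#ffffff"));
```

The contrast check is the part people most often get wrong by eye: mid-grey text such as `#777777` on white looks readable but comes out just under 4.5:1 and fails AA for body text, which is exactly the kind of finding a scripted quarterly test surfaces before a user does.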

Compliance + Security = Success

Understanding the importance of compliance when building your e-commerce platform is key. Protect patient information and maintain trust by complying with HIPAA, Medicare and state licensure. Be sure to conduct regular audits, handle data securely and communicate policies clearly. Implement encryption, MFA and secure payment gateways to protect data. 

It is imperative to implement security measures and comply with security standards like SOC 2 and the HIPAA safeguards for PHI. Compliance with tax laws, data privacy laws and accessibility guidelines is also mandatory when building your online platform. Consider the use of compliance automation tools to streamline operations and enhance customer trust. Tools to manage compliance with taxes, data privacy and accessibility are available and can help make sure you are adhering to all regulations.

Implementing a compliant e-commerce process while leveraging your established reputation in your community and the health care space will give you exactly the competitive edge you’ve been searching for to be a successful health care retailer.



Kelly Grahovac serves as general manager for The van Halem Group, focusing on audits, compliance, education and resolving complex issues for clients in the post-acute care space. Grahovac has more than 20 years of experience working at one of the nation’s leading Medicare contractors and with The van Halem Group and is a known lecturer in the home health and hospice and HME industry. She is a frequent contributor to a variety of industry publications and serves as a board member for both the South Carolina Medical Equipment Suppliers Association (SCMESA) and Big Sky Association for Medical Equipment Suppliers (AMES). Contact her at Kelly@vanhalemgroup.com.

Cassi Price, president of VGM Forbin, has been with the VGM Group Inc. family since 2007, starting at the Orthotic and Prosthetic Group of America and transitioning to VGM Forbin in 2011. Over the years she has held various roles, including director of marketing and sales, and has made significant contributions to the digital marketing field. Price is a frequent speaker at industry conferences such as Medtrade, MAMES and the Heartland Conference, sharing her expertise and insights in health care e-commerce, web development and digital marketing. In 2021, she became vice president of corporate projects for VGM Group and returned to VGM Forbin as president in 2024. Visit forbin.com.