Is WordPress HIPAA Compliant?

WordPress is a well-known content management system used for creating websites. A lot of businesses use WordPress, but can healthcare organizations do the same? Is WordPress HIPAA compliant, and can it be used with protected health information (PHI)?

The requirements of HIPAA compliance are quite vague for websites. However, regarding the storage or transmission of electronic protected health information (ePHI), the HIPAA Security Rule is clear. It requires the implementation of safety measures that ensure ePHI integrity, availability and confidentiality. This rule is applicable to all websites dealing with ePHI, whether built from scratch or using CMS platforms such as WordPress. Administrative, physical and technical controls need to be implemented, which include:

  • Access controls to stop unauthorized individuals from being able to access PHI or the admin control panel
  • Audit controls to log website access and on-site activity involving ePHI
  • Integrity controls to prevent alteration and destruction of ePHI
  • Transmission security controls to make sure that ePHI uploaded to the site and saved on a server or third-party server is secure and protected with encryption
  • Physical security controls to stop unauthorized individuals from being able to access the web server
  • Administrators and any internal users should be trained on the HIPAA Privacy and Security Rules
  • The website should solely use a HIPAA-compliant hosting provider
  • Choosing a third-party hosting company requires a business associate agreement (BAA)

After implementing controls to ensure compliance with HIPAA Security Rule, the subsequent step is to perform a risk analysis of the website, plugins and connected systems. Any discovered risks should be managed and reduced to an acceptable level.

Concerning the need for a business associate agreement, it’s not likely that WordPress will sign one and the WordPress site does not mention it. So, does this mean healthcare companies should not use WordPress? Basically, a BAA is not necessary if the purpose of the site is just to inform patients and no uploading or collection of PHI will be done using the site. A BAA is additionally not necessary if PHI is kept in a separate area and is only accessible using a plugin. The plugin developer in this case must sign a BAA.

Imagine that a healthcare company would like to use WordPress with PHI. It can be done, but the steps are fairly complex. To make WordPress HIPAA compliant, do the following:

  • Perform a risk analysis prior to using the site and minimize the risks to an acceptable level
  • Use HIPAA-compliant web hosting and ensure access, audit, and integrity controls are implemented
  • Perform a security scan to find vulnerabilities and mitigate any vulnerabilities that are found
  • Only use plugins from trusted developers
  • Keep all plugins and the WordPress core updated
  • Install a security plugin such as Wordfence
  • Use a SaaS provider that can integrate the ePHI component with your website, or build an internal interface
  • Keep ePHI separated from WordPress
  • Use strong passwords and non-default administrator account names to prevent successful brute-force attacks
  • Improve the security of administrator accounts by using two-factor authentication
  • Never let users register for accounts without being vetted first
  • Encrypt data gathered using forms and PHI in transit
  • Service providers and plugin developers with access to ePHI or whose software program accesses ePHI should sign a BAA
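As an added illustration (not code from the original article or from WordPress itself), a must-use plugin that enforces several of the items above with WordPress core hooks: it disables self-service registration, turns off the dashboard file editor, writes a login audit trail, and rejects weak passwords. The log path is hypothetical, and the password policy thresholds are an assumption to be set by your own risk analysis.

```php
<?php
/**
 * Plugin Name: HIPAA hardening (added example, not from the article)
 * Drop into wp-content/mu-plugins/ so it loads before normal plugins and
 * cannot be deactivated from the dashboard.
 */

// Access control: no self-service registration; an administrator creates
// accounts after vetting. The pre_option_ filter overrides the setting even
// if someone later flips it under Settings > General.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// Integrity: the dashboard theme/plugin file editor is a code-execution path
// for any compromised administrator session, so disable it.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Audit control: record who authenticated, from where and when.
// Only the login name and source address are recorded, never PHI.
function hipaa_example_audit( $event, $login ) {
    // Assumes WordPress faces the Internet directly; behind a reverse proxy
    // REMOTE_ADDR is the proxy and the trusted forwarded header must be used.
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $login = preg_replace( '/[^\w.@-]/', '_', (string) $login ); // no log injection
    $line  = sprintf( '%s %s user=%s ip=%s', gmdate( 'c' ), $event, $login, $ip );
    // Hypothetical path: keep the real log outside the web root and inside the
    // retention and review process the Security Rule requires.
    error_log( $line . PHP_EOL, 3, '/var/log/wordpress/auth-audit.log' );
}
add_action( 'wp_login', function ( $login, $user ) { hipaa_example_audit( 'LOGIN_OK', $login ); }, 10, 2 );
add_action( 'wp_login_failed', function ( $login ) { hipaa_example_audit( 'LOGIN_FAIL', $login ); } );

// Access control: reject weak passwords when an account is created or edited
// in the dashboard. $user->user_pass is only set when a new password was typed.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $pass = $user->user_pass;
    if ( strlen( $pass ) < 14                       // assumed minimum length
        || ! preg_match( '/[A-Z]/', $pass ) || ! preg_match( '/[a-z]/', $pass )
        || ! preg_match( '/[0-9]/', $pass )
        || stripos( $pass, $user->user_login ) !== false ) {
        $errors->add( 'weak_pass', 'Passwords must be at least 14 characters, mix upper and lower case with a digit, and must not contain the login name.' );
    }
}, 10, 3 );
```

Two-factor authentication and transport encryption are not covered here: set FORCE_SSL_ADMIN in wp-config.php and use a dedicated 2FA plugin from a trusted developer for those items.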

Before making a decision to create a website using WordPress, think about building a site from scratch or using a vendor dedicated to making HIPAA compliant sites. Although there are ways of creating HIPAA compliant WordPress sites, the platform has a number of security concerns and vulnerabilities.