Can You Make WordPress HIPAA Compliant?
WordPress is a convenient content management system that allows websites to be quickly and easily constructed. The platform is popular with businesses, but is it suitable for use in healthcare? Can you make WordPress HIPAA compliant?
Before assessing whether it is possible to make WordPress HIPAA compliant, it is worthwhile covering how HIPAA applies to websites.
HIPAA and Websites
HIPAA does not specifically cover compliance with respect to websites, HIPAA requirements for websites are therefore a little vague.
As with any other forms of electronic capture or transmission of ePHI, safeguards must be implemented in line with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of ePHI. Those requirements apply to all websites, including those developed from scratch or created using an off-the-shelf platform such as WordPress.
Websites must incorporate administrative, physical, and technical controls to ensure the confidentiality of any protected health information uploaded to the website or made available through the site.
- HIPAA-covered entities must ensure there are access controls in place to prevent unauthorized individuals from gaining access to PHI or to the administration control panel
- Audit controls must be in place that log access to the site and any activity on the site that involves ePHI
- There must be integrity controls in place that prevent ePHI from being altered or destroyed
- Transmission security controls must be implemented to ensure any ePHI uploaded to the site is secured (and encrypted in transit) and data must be appropriately secured at rest (encrypted on a third-party server or encrypted/otherwise secured on a covered entity’s web server)
- Physical security controls must be implemented to prevent unauthorized access to the web server
- Administrators and any internal users should be trained on use of the website and made aware of HIPAA Privacy and Security Rules
- The website must be hosted with a HIPAA-compliant hosting provider (or internally)
- If a third-party hosting company is used, a business associate agreement is required
Once all the necessary controls have been implemented that satisfy the requirements of the HIPAA Security Rule, the website (and plugins) and all associated systems that interact with the site must be subjected to a risk analysis. All risks to the confidentiality, integrity, and availability of ePHI must be identified and those risks and addressed via risk management processes that reduce those risks to a reasonable and acceptable level.
WordPress and Business Associate Agreements
WordPress will not sign a business associate agreement with HIPAA covered entities and there is no mention of BAAs on the WordPress site. So, does that mean that the platform cannot be used in healthcare?
A business associate agreement is not necessarily required. If you simply want to create a blog to communicate with patients, provided you do not upload any PHI to the site or collect PHI through the site (such as making appointments), a business associate agreement would not be required.
You would also not need a BAA if PHI is stored separately from the website and is accessed via a plugin. If the plugin has been developed by a third party, you would need a business associate agreement with the plugin developer.
If you want to use the website in connection with PHI, there are several steps you must take to make WordPress HIPAA compliant.
How to Make WordPress HIPAA Compliant
A standard off-the-shelf WordPress installation will not be HIPAA compliant as WordPress does not offer a HIPAA-compliant service. It is possible to make WordPress HIPAA compliant, but it will be a major challenge. You will need to ensure the following before any ePHI is uploaded to or collected through the website.
- Perform a risk analysis prior to using the site in connection with any ePHI and reduce risks to a reasonable and acceptable level
- Use a HIPAA compliant hosting service for your website. Simply hosting the site with a HIPAA compliant hosting provider does not guarantee compliance. Ensure that all access, audit, and integrity controls are in place and safeguards implemented to secure data at rest and in transit
- Perform a security scan of the site to check for vulnerabilities
- Only use plugins from trustworthy sources
- Ensure all plugins are updated and the latest version of WordPress is installed
- Use security plugins on the website – Wordfence for example
- Use a SaaS provider that can interface the ePHI component into your website or develop the interface internally
- Ensure ePHI is stored outside of WordPress
- Set strong passwords and admin account names to reduce the potential for brute force attacks. Use rate limiting to further enhance security and use two factor authentications for administrator accounts
- Ensure that users cannot sign up for accounts directly without first being vetted
- Ensure any data collected via web forms is encrypted in transit
- Obtain business associate agreements with all service providers/plugin developers who require access to ePHI or whose software touches ePHI
WordPress was not developed to confirm to HIPAA standards so making WordPress HIPAA compliant is complicated. Ensuring a WordPress site remains HIPAA compliant is similarly difficult. There have also been several security issues with WordPress over the years and vulnerabilities are frequently identified. WordPress is not the only problem. Plugins are frequently found to have vulnerabilities and there is considerable potential for those vulnerabilities to be exploited.
While it is possible to make WordPress HIPAA compliant, the potential risks to ePHI are considerable. WordPress makes website creation simple, but not as far as HIPAA compliance is concerned.
Our recommendation is to develop your own website from scratch that is easier to secure and maintain, host the site with a HIPAA compliant hosing company, and if you do not have employees with the correct skill sets, use a vendor that specializes in developing HIPAA compliant websites and patient portals.