When it comes to building a website, the first choice is always WordPress as a CMS. Uploading new content or making it SEO optimized for ranking it better in Google SERP is one of the many reasons behind choosing WordPress.
But can we make WordPress HIPAA compliant?
Let’s assess –
Advantages and benefits of making WordPress HIPAA compliant
The answer to this question lies with you. There are only two possible reasons for thinking about making a HIPAA compliant WordPress website –
- I am making a blog on Healthcare niche / Medical niche using WordPress
- I am going to make a website and store e-PHI (electronic Protected Health Information) using the WordPress CMS, servers and third-party WordPress plugins.
In the first case, where you are not storing any e-PHI data on your end, there is no need to go for or even think about HIPAA compliance. You can start working on your website just like a normal blog.
On the other hand, if you are making a website in the healthcare niche and planning to store e-PHI data, then it is recommended that you make it HIPAA compliant from the very beginning. The whole focus while building a HIPAA compliant WordPress website should be on how you can secure that e-PHI data and keep it private.
E-PHI data that you need to keep safe and protected
- Telephone Number
- Email address
- Date of birth
- Medical records
- Any other information which can be used to identify the person the e-PHI relates to.
How to make a WordPress website HIPAA compliant?
Start making WordPress HIPAA compliant with the following steps, starting from secure servers, encryption for storage and transmission of e-PHI data, and access controls. Pay special attention to all of these and the many other compliance conditions. Let’s cover them and see what the requirements are.
There are three main safeguards that need to be implemented before WordPress can be made HIPAA compliant for storing e-PHI data and safely transmitting it from the website to storage.
- Technical safeguards
The functions of these safeguards are the following –
- Preventing an unauthorized individual from gaining access to e-PHI.
- Audit control: logging every access to e-PHI and any activity around it.
- Encryption in motion and at rest, for secure transmission of e-PHI from the website and for protecting the e-PHI after it is stored on the website servers.
- Anyone who is going to come in contact with e-PHI must be trained in the HIPAA guidelines for security and privacy.
- A HIPAA compliant web hosting service is a must for hosting e-PHI data, and if they are a third party then they must sign a BAA (Business Associate Agreement).
Here is the complete guide for your reference: HIPAA Privacy and Security.
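To make the first three technical safeguards concrete, here is an added example (not code from the original post or from WordPress itself) of a small must-use plugin that gates an e-PHI field behind a dedicated capability, writes an audit line for every allowed and denied access, and seals the value with libsodium before it reaches the database. It assumes a 32-byte key stored in wp-config.php as the constant PHI_MASTER_KEY (hex); the names read_phi, phi_store, phi_read and phi_audit are this example's own.

```php
<?php
/*
 * Plugin Name: PHI Field Guard (illustrative example, not part of the original post)
 * Drop into wp-content/mu-plugins/. Assumes wp-config.php defines
 * PHI_MASTER_KEY as 64 hex chars (32 bytes), e.g. from `openssl rand -hex 32`.
 * Key management (KMS/HSM, rotation) is out of scope for this sketch.
 */

// Safeguard 1 (access control): a dedicated capability, granted only to
// administrators here, so e-PHI access is an explicit decision per role.
add_action('init', function () {
    $role = get_role('administrator');
    if ($role && !$role->has_cap('read_phi')) {
        $role->add_cap('read_phi');
    }
});

// Safeguard 2 (audit control): every attempt, allowed or DENIED, is appended
// to a log file one directory above the WordPress install (dirname(ABSPATH)).
function phi_audit(string $action, int $post_id, bool $allowed): void {
    $user = wp_get_current_user();
    $line = sprintf("[PHI-AUDIT] %s user=%d ip=%s post=%d action=%s result=%s\n",
        gmdate('c'), $user->ID, $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $post_id, $action, $allowed ? 'allowed' : 'DENIED');
    error_log($line, 3, dirname(ABSPATH) . '/phi-audit.log');
}

// Safeguard 3 (encryption at rest): the value is sealed with libsodium
// secretbox (XSalsa20-Poly1305) before it is written to post meta, so a
// database dump alone does not expose the field and tampering is detected.
function phi_store(int $post_id, string $field, string $plaintext): bool {
    if (!current_user_can('read_phi')) { phi_audit("write:$field", $post_id, false); return false; }
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $sealed = sodium_crypto_secretbox($plaintext, $nonce, hex2bin(PHI_MASTER_KEY));
    phi_audit("write:$field", $post_id, true);
    return (bool) update_post_meta($post_id, "_phi_$field", base64_encode($nonce . $sealed));
}

function phi_read(int $post_id, string $field): ?string {
    if (!current_user_can('read_phi')) { phi_audit("read:$field", $post_id, false); return null; }
    $blob = base64_decode((string) get_post_meta($post_id, "_phi_$field", true), true);
    if ($blob === false || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) { return null; }
    $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $sealed = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($sealed, $nonce, hex2bin(PHI_MASTER_KEY));
    phi_audit("read:$field", $post_id, $plain !== false);
    return $plain === false ? null : $plain;   // false = wrong key or tampered ciphertext
}
```

Encryption in motion is not shown here because it belongs to the hosting layer (TLS on the server), not to plugin code.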
Will WordPress sign the BAA with us ?
Unfortunately, there is no mention of BAA anywhere on Automattic website. That means if you were planning to use WordPress.com for your website then, unfortunately, there is no BAA agreement that you can sign with them for HIPAA compliance. 🙁
However, if you are planning to use wordpress.org, where you can download WordPress as open-source software, there are two scenarios that you need to keep in mind –
- Hosting WordPress website on servers that are physically available to you or on your direct control
- Hosting WordPress website on third-party servers
In the first case, when you self-host the WordPress website, you yourself need to follow the HIPAA compliance standards to make it HIPAA compliant.
In the second case, always go with a HIPAA compliant third-party host, as they will sign the BAA with you.
Things to keep in mind for making WordPress HIPAA compliant
WordPress is not, out of the box, ideal software for making a HIPAA compliant website. However, there are steps you can follow to get off to a great start:
- Adhere to all the standard HIPAA compliance guidelines for self-hosted servers before storing any e-PHI.
- Use HIPAA compliant hosting when making WordPress HIPAA compliant on a third-party hosting provider.
- If you use any WordPress plugins for fetching and uploading e-PHI, then sign a BAA with their vendors.
- Use HIPAA compliant WordPress forms for gathering, transmitting and storing e-PHI data.
- Only authorised people have access to PHI, on dedicated servers.
- Maintain log files to keep records of the people who have accessed the data.
In the end, making WordPress HIPAA compliant requires security checks and audits as per HIPAA guidelines. But if you are up for the challenge then there is always a way for achieving the same.