WordPress is not HIPAA compliant by default, and WordPress will not sign a business associate agreement. A WordPress website can nevertheless be configured to support HIPAA-compliant collection and transmission of electronic protected health information, provided that the HIPAA Security Rule safeguards are implemented, electronic protected health information is secured outside WordPress, the site is hosted either with a HIPAA-compliant hosting provider or internally, and business associate agreements are executed with every third party whose services or software touch electronic protected health information.
HIPAA does not define website-specific compliance requirements, but when a website captures or transmits electronic protected health information, the HIPAA Security Rule applies in the same manner as it does to any other electronic system. Administrative, physical, and technical safeguards are required to protect the confidentiality, integrity, and availability of electronic protected health information. For a WordPress deployment, those safeguards include access controls that prevent unauthorized access both to electronic protected health information and to the site administration area, audit controls that log access to and activity involving electronic protected health information, and integrity controls that prevent electronic protected health information from being altered or destroyed.
Transmission security controls are required whenever electronic protected health information moves from the website to a database or other storage environment: data submitted through the site must be encrypted in transit, and stored data must be encrypted at rest or protected by other controls appropriate to the storage environment. Physical security controls are required to prevent unauthorized access to the web server environment. Workforce training also applies to website administration: administrators and internal users must be trained on use of the website and on the HIPAA Privacy Rule and HIPAA Security Rule requirements relevant to their roles.
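As an added example, not part of the original article, the following wp-config.php fragment shows how several of the technical safeguards above map onto WordPress's own configuration constants; the TLS-terminating reverse proxy in front of the site and the salt placeholders are assumptions about the deployment.

```php
<?php
// Added example: wp-config.php hardening fragment supporting the safeguards above.
// Assumes a trusted TLS-terminating reverse proxy in front of WordPress that
// strips any client-supplied X-Forwarded-Proto header; adjust if that is not the case.

// Transmission security: behind a reverse proxy WordPress sees plain HTTP unless
// the proxy's forwarded-protocol header is honoured, so honour it here.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Require HTTPS for logins and the entire administration area, so credentials
// and any ePHI handled on admin screens never travel in clear text.
define('FORCE_SSL_ADMIN', true);

// Access and integrity controls for the administration area: remove the
// in-browser theme/plug-in file editor and block plug-in/theme installation
// or modification through the dashboard, so a compromised administrator
// account cannot be turned into arbitrary PHP execution on the server.
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);

// Keep core security and maintenance releases applied automatically.
define('WP_AUTO_UPDATE_CORE', 'minor');

// Never render debugging output to visitors: error pages can expose request
// data, including submitted ePHI, and internal paths. If debug logging is
// ever enabled, point WP_DEBUG_LOG at a file outside the web root.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);

// Unique keys and salts for session cookies and nonces. Placeholders only:
// generate real values per site (https://api.wordpress.org/secret-key/1.1/salt/).
define('AUTH_KEY',         'PLACEHOLDER-replace-with-generated-value');
define('SECURE_AUTH_KEY',  'PLACEHOLDER-replace-with-generated-value');
define('LOGGED_IN_KEY',    'PLACEHOLDER-replace-with-generated-value');
define('NONCE_KEY',        'PLACEHOLDER-replace-with-generated-value');
define('AUTH_SALT',        'PLACEHOLDER-replace-with-generated-value');
define('SECURE_AUTH_SALT', 'PLACEHOLDER-replace-with-generated-value');
define('LOGGED_IN_SALT',   'PLACEHOLDER-replace-with-generated-value');
define('NONCE_SALT',       'PLACEHOLDER-replace-with-generated-value');
```

Encryption at rest, audit logging, and the separate store for electronic protected health information are handled outside this file and are not shown.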
A business associate agreement is not required for a WordPress site that publishes informational content when protected health information is not uploaded, collected, or made available through the site. A business associate agreement is also not required when protected health information is stored separately from the website and accessed via a plug-in, because the protected health information is not stored in WordPress. When a third-party developer provides a plug-in that touches electronic protected health information, a business associate agreement is required with that developer.
Using WordPress in connection with electronic protected health information requires the controls to be implemented before any electronic protected health information is collected or uploaded, and the website, its plug-ins, and the associated systems that interact with the site require a risk analysis followed by risk management actions that reduce risks to a reasonable and acceptable level. WordPress has had security issues over the years, new vulnerabilities are identified frequently, and plug-ins are likewise frequently found to be vulnerable, all of which increases the operational burden of maintaining a configuration that supports HIPAA compliance.