WordPress is a popular content management system that anyone can use to create websites quickly. Many businesses use WordPress, but is it HIPAA compliant, so that healthcare organizations can use the platform in connection with protected health information?
The HIPAA compliance requirements for websites are actually a little vague. With respect to the storage or transmission of electronic protected health information (ePHI), however, the HIPAA Security Rule requires safeguards that ensure the integrity, confidentiality and availability of ePHI. This rule applies to every website that handles ePHI, whether it was built from scratch or with a CMS platform such as WordPress. Administrative, technical and physical controls such as the following must be in place to secure health data:
- Access controls that prevent unauthorized persons from accessing PHI or the administration control panel
- Audit controls that log access to the website and any in-site activity involving ePHI
- Integrity controls that keep ePHI from being altered or destroyed
- Transmission security controls that protect, via encryption, any ePHI uploaded to the site and stored on its server or on a third-party server
- Physical security controls that prevent unauthorized persons from accessing the web server
- HIPAA Privacy and Security Rule training for administrators and all internal users
- Use of a HIPAA-compliant hosting provider only
- A business associate agreement (BAA) with any third-party hosting company
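The audit-control bullet above calls for logging access to the site, and the hardening steps later in the article single out brute-force attacks on administrator accounts. The following is an added example, not code from the original article or from the WordPress project: it scans web-server access logs for bursts of failed logins against wp-login.php and reports the source addresses involved. Two assumptions are built in and stated in the code: the log is in the Apache/nginx "combined" format, and a failed login shows up as a POST to /wp-login.php answered with HTTP 200 (WordPress re-renders the login form), while a successful one is answered with a 302 redirect. The log lines are constructed sample data.

```python
"""Flag source IPs with repeated failed WordPress logins in access logs.

Added example (not from the original article). Assumptions, not facts from
the article: logs are in Apache/nginx "combined" format, a failed
wp-login.php POST returns HTTP 200, a successful one returns 302.
"""
import re
from collections import defaultdict
from datetime import datetime

# "combined" log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one address hammers the login form, another logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:19 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:02:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:03:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:03:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
malformed line that does not match the combined format
"""


def parse_line(line):
    """Return a dict with ip, time, method, path and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop query string
        "status": int(m["status"]),
    }


def is_failed_login(event):
    """Assumption: a failed wp-login.php POST re-renders the form with HTTP 200."""
    return (event["method"] == "POST"
            and event["path"].endswith("/wp-login.php")
            and event["status"] == 200)


def find_brute_force(lines, threshold=5, window_seconds=60):
    """Map each source IP to its peak number of failed logins inside any
    sliding window of `window_seconds`; only IPs reaching `threshold` are kept."""
    failures = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and is_failed_login(event):
            failures[event["ip"]].append(event["time"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until every timestamp fits in it
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within a 60 s window")
```

The threshold and window are deliberately parameters: a clinic intranet and a public patient portal will tolerate different failure rates, and the same function can be re-run over archived logs to satisfy the audit-control requirement retrospectively.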
After implementing all the controls required by the HIPAA Security Rule, the next step is to subject the website, its plugins and the associated systems to a risk analysis. Any identified risks must be addressed and reduced to a reasonable level.
Regarding the signing of a business associate agreement, it is unlikely that WordPress will do so, and there is no mention of it on the WordPress site. Does this mean that healthcare organizations cannot use the platform? Actually, a BAA is not required if a healthcare provider simply creates a blog to inform patients and does not upload or collect any PHI through the site (by taking appointments, for example). A BAA is also not required if PHI is stored in a separate location and only accessed via a plugin; in that case, the third-party developer of the plugin needs to sign a business associate agreement.
If a healthcare organization wants to use WordPress with PHI, it is possible, but the steps are quite involved. Here are the steps that will make WordPress HIPAA compliant:
- Conduct a risk analysis before using the site and lower the risks to a reasonable level
- Your web hosting must be HIPAA compliant, and access, audit and integrity controls must be implemented to secure data at rest and in transit
- Do a security scan to check for vulnerabilities
- Choose plugins from trustworthy developers
- Keep WordPress itself and all plugins updated
- Activate a security plugin such as Wordfence
- Use a SaaS provider that can integrate the ePHI component with your website, or develop the interface internally
- Store ePHI outside of WordPress
- Passwords and admin account names must be strong to resist brute-force attacks; protect administrator accounts further with two-factor authentication
- Do not allow users to sign up for accounts without first being vetted
- Encrypt data collected via forms and data in transit
- All service providers and plugin developers that get access to ePHI or whose software accesses ePHI must sign a BAA
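Several of the steps above map directly onto settings in a WordPress installation: encrypting data in transit includes the admin and login pages, account creation must not be open to the public, and the site should not leak error output or run with default secrets. The script below is an added example (not the article's own material or code from the WordPress project) that audits a wp-config.php plus a small set of exported wp_options values against those steps and lists what still needs fixing. The constants it checks (FORCE_SSL_ADMIN, DISALLOW_FILE_EDIT, WP_DEBUG, WP_DEBUG_DISPLAY, DB_PASSWORD and the eight authentication keys and salts) are real WordPress constants, and "put your unique phrase here" is the placeholder that ships in wp-config-sample.php; the weak and hardened configurations, the options values and the fake salt are constructed for the demonstration.

```python
"""Audit a wp-config.php and selected wp_options values for basic hardening.

Added example, not from the original article. Constants checked are real
WordPress constants; both sample configs below are constructed.
"""
import re

# Matches define( 'NAME', value ); with single or double quotes around NAME.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_PLACEHOLDER = "put your unique phrase here"  # text shipped in wp-config-sample.php
FAKE_SALT = "0123456789abcdef" * 4  # constructed 64-char stand-in for a generated salt

# Constructed "before" config: defaults left in place, debug on, empty DB password.
WEAK_CONFIG = "<?php\n" + "\n".join(
    ["define( 'DB_NAME', 'wp_clinic' );",
     "define( 'DB_USER', 'wp' );",
     "define( 'DB_PASSWORD', '' );",
     "define( 'WP_DEBUG', true );"]
    + [f"define( '{k}', '{DEFAULT_PLACEHOLDER}' );" for k in SALT_KEYS])

# Constructed "after" config reflecting the steps listed in the article.
HARDENED_CONFIG = "<?php\n" + "\n".join(
    ["define( 'DB_NAME', 'wp_clinic' );",
     "define( 'DB_USER', 'wp_app' );",
     "define( 'DB_PASSWORD', 'example-strong-db-password' );",
     "define( 'FORCE_SSL_ADMIN', true );",    # admin/login only over HTTPS
     "define( 'DISALLOW_FILE_EDIT', true );", # no code editor in the dashboard
     "define( 'WP_DEBUG', false );"]
    + [f"define( '{k}', '{FAKE_SALT}' );" for k in SALT_KEYS])


def parse_defines(config_text):
    """Return {CONSTANT: value}; PHP true/false become bool, quoted strings are unquoted."""
    out = {}
    for name, raw in DEFINE_RE.findall(config_text):
        raw = raw.strip()
        if raw.lower() == "true":
            out[name] = True
        elif raw.lower() == "false":
            out[name] = False
        elif len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            out[name] = raw[1:-1]
        else:
            out[name] = raw  # numbers or expressions: keep the source text
    return out


def audit(config_text, options):
    """Return a list of findings; an empty list means every check passed.
    `options` mimics rows read from wp_options (here only users_can_register)."""
    c = parse_defines(config_text)
    findings = []
    if c.get("FORCE_SSL_ADMIN") is not True:
        findings.append("FORCE_SSL_ADMIN not true: login/admin traffic may travel over plain HTTP")
    if c.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT not true: theme/plugin code is editable from the dashboard")
    if c.get("WP_DEBUG") is True and c.get("WP_DEBUG_DISPLAY") is not False:
        findings.append("WP_DEBUG on without WP_DEBUG_DISPLAY false: errors and paths shown to visitors")
    for key in SALT_KEYS:
        val = c.get(key)
        if not isinstance(val, str) or val == DEFAULT_PLACEHOLDER or len(val) < 32:
            findings.append(f"{key} is missing, still the sample placeholder, or too short")
    if not c.get("DB_PASSWORD"):
        findings.append("DB_PASSWORD is empty")
    if str(options.get("users_can_register", "0")) != "0":
        findings.append("users_can_register enabled: anyone can create an account without vetting")
    return findings


if __name__ == "__main__":
    for label, cfg, opts in (("weak", WEAK_CONFIG, {"users_can_register": "1"}),
                             ("hardened", HARDENED_CONFIG, {"users_can_register": "0"})):
        print(f"== {label}: {len(audit(cfg, opts))} finding(s)")
        for f in audit(cfg, opts):
            print("  -", f)
```

A script like this does not replace the risk analysis the article calls for, but it turns several of the checklist items into a repeatable check that can run in a deployment pipeline, so a regression (a plugin re-enabling registration, a debugging change left in) is caught before the site goes back in front of patients.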
Before deciding to build a website with WordPress and use it with ePHI, consider developing a site from scratch or engaging a vendor that specializes in HIPAA-compliant websites. While there are ways to make WordPress HIPAA compliant, the platform has a long record of security issues and vulnerabilities, and vulnerabilities are frequently found in WordPress plugins as well. So, think carefully.