HIPAA Compliance for WordPress Sites
Companies of all kinds build their websites on third-party platforms for ease of use and broad compatibility. Medical practices and other healthcare businesses do the same, but what many may not realize is that a WordPress website is not HIPAA compliant out of the box. This post covers the main steps for running a HIPAA compliant WordPress website. The guidelines for protecting ePHI that we covered in our last blog still apply; they now just need to be applied to WordPress.
Understanding HIPAA Risks and WordPress
A WordPress site can always be tailored to be HIPAA compliant. What matters is understanding that, as a business owner, the company you trust to build the site must also follow the rules below, and that, if you are a developer building a site that holds this kind of information, you must implement the correct security standards yourself.
Ensuring Proper Access:
It is vital that the site's HIPAA admins grant access only to people who understand the sensitivity of the information, and that every user account is accounted for. For example, a user should never be able to sign up on the site for any level of access, including posting or editing articles.
Constant Updates and Review of Security:
One of the biggest security risks to a WordPress site is out-of-date plugins, or plugins built by unreliable third parties. No plugin should ever be out of date, and every plugin in use should come from a trusted source. As the admin of a HIPAA compliant site, you need routine checks for vulnerabilities in both the security measures and the plugins used on the site.
Use Security Plugins and Other Security Tips:
A number of security plugins, from iThemes Security to Wordfence and others, will help you apply HIPAA compliance on your site. Many of them also track logins to the site and which pages and data were accessed. Two-factor authentication is another security measure that needs to be implemented. All ePHI must also be stored outside of the actual WordPress site: to be compliant, you must not keep that kind of sensitive information in an unencrypted environment that can be accessed by anyone other than the site's admins.
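The three points above (no self-service sign-up, a record of who logged in and what they accessed, and a standing check for out-of-date plugins) can be enforced in code rather than left to policy. The following must-use plugin is an added example written for this post; it is not CTI's code and not part of WordPress or any of the plugins named above. It assumes it is dropped into `wp-content/mu-plugins/`, that the web server user can write to the log path defined in `HIPAA_AUDIT_LOG` (a path outside the web root, so the log can never be fetched by URL), and that login tracking by a security plugin such as Wordfence is complementary rather than replaced.

```php
<?php
/**
 * Plugin Name: HIPAA Hardening (added example, not CTI's or WordPress's own code)
 * Description: Blocks self-registration, writes an audit trail of logins and
 *              admin page views, and flags out-of-date plugins on the dashboard.
 *              Place in wp-content/mu-plugins/ so it cannot be deactivated.
 */

defined('ABSPATH') || exit;

// Assumption: the audit log lives one level above the web root.
// Override in wp-config.php if your layout differs.
if (!defined('HIPAA_AUDIT_LOG')) {
    define('HIPAA_AUDIT_LOG', dirname(ABSPATH) . '/hipaa-audit.log');
}

/** Append one timestamped line. Never log passwords, form contents or ePHI here. */
function hipaa_audit(string $event, array $fields = []): void
{
    $line = sprintf("%s %s %s\n", gmdate('c'), $event,
        json_encode($fields, JSON_UNESCAPED_SLASHES));
    file_put_contents(HIPAA_AUDIT_LOG, $line, FILE_APPEND | LOCK_EX);
}

// 1. Proper access: no self-service sign-up, whatever Settings > General says,
//    and any account an admin does create starts with the least-privileged role.
add_filter('pre_option_users_can_register', '__return_zero');
add_filter('pre_option_default_role', function () {
    return 'subscriber';
});

// 2. Audit trail: successful logins, failed logins, and admin-area page views,
//    so "who accessed what" can be answered from the log.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    hipaa_audit('login_ok', [
        'user'  => $user_login,
        'roles' => $user->roles,
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
    ]);
}, 10, 2);

add_action('wp_login_failed', function (string $username): void {
    hipaa_audit('login_failed', [
        'user' => $username,
        'ip'   => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
    ]);
}, 10, 1);

add_action('admin_init', function (): void {
    if (is_user_logged_in() && !wp_doing_ajax()) {
        hipaa_audit('admin_page', [
            'user' => wp_get_current_user()->user_login,
            'uri'  => $_SERVER['REQUEST_URI'] ?? '',
        ]);
    }
});

// 3. Constant updates: list every plugin with a pending update, using the
//    update data WordPress core already fetches from wordpress.org.
function hipaa_outdated_plugins(): array
{
    $updates = get_site_transient('update_plugins');
    return (is_object($updates) && !empty($updates->response))
        ? array_keys($updates->response)
        : [];
}

add_action('admin_notices', function (): void {
    if (!current_user_can('update_plugins')) {
        return;
    }
    $stale = hipaa_outdated_plugins();
    if ($stale) {
        printf('<div class="notice notice-error"><p>%d plugin(s) need updating: %s</p></div>',
            count($stale), esc_html(implode(', ', $stale)));
    }
});
```

Because the file sits in `mu-plugins`, it loads before regular plugins and has no "Deactivate" link in the dashboard, so an admin cannot switch the controls off by accident. The audit log deliberately records only usernames, roles, IPs and URIs; anything a user typed into a form stays out of it.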
Data Protection:
All information on your site needs to be encrypted. As stated above, do not store it directly on the WordPress site server; keep it in an external store that is not openly accessible. HIPAA compliance also requires you to keep backups of the information and a log of who has accessed it. You can still offer the normal site experience, but any information that is transferred must be in an encrypted form that is stored externally, because WordPress limits the level of encryption available for information in its database.
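One way to meet the "encrypted and stored externally" requirement for a patient form is to encrypt the submission in the application before it leaves the server and never write the plaintext to the WordPress database. The plugin below is an added example for this post, not CTI's HIPAA form product and not WordPress code. It assumes two constants in `wp-config.php`: `HIPAA_VAULT_KEY`, a base64-encoded 32-byte secret such as the output of `sodium_crypto_secretbox_keygen()`, and `HIPAA_VAULT_URL`, the ingest endpoint of the external encrypted store (both are placeholders here), plus a front-end form that posts to `admin-post.php` with `action=hipaa_intake` and a nonce generated by `wp_nonce_field('hipaa_intake')`.

```php
<?php
/**
 * Plugin Name: HIPAA Intake Forwarder (added example, not CTI's or WordPress's own code)
 * Description: Encrypts a patient intake submission with libsodium and forwards it
 *              to an external store. Nothing from the form is written to the WP database.
 */

defined('ABSPATH') || exit;

// Assumptions, set in wp-config.php (values shown are placeholders, not real secrets):
// define('HIPAA_VAULT_KEY', '<base64 of 32 random bytes>');
// define('HIPAA_VAULT_URL', 'https://vault.example.invalid/intake');

/** Encrypt an array of form fields. Returns base64(nonce || ciphertext). */
function hipaa_seal(array $fields, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('key must be exactly 32 bytes');
    }
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox(json_encode($fields), $nonce, $key);
    return base64_encode($nonce . $cipher);
}

/** Inverse of hipaa_seal(); returns null if the blob is malformed or tampered with. */
function hipaa_open(string $blob, string $key): ?array
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : json_decode($plain, true);
}

/** admin-post.php handler: validate, encrypt, forward, and discard the plaintext. */
function hipaa_handle_intake(): void
{
    // CSRF check: the form must carry a nonce from wp_nonce_field('hipaa_intake').
    if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'hipaa_intake')) {
        wp_die('Invalid request', 'Error', ['response' => 403]);
    }

    $fields = [
        'name'   => sanitize_text_field($_POST['name'] ?? ''),
        'dob'    => sanitize_text_field($_POST['dob'] ?? ''),
        'reason' => sanitize_textarea_field($_POST['reason'] ?? ''),
    ];

    $blob = hipaa_seal($fields, base64_decode(HIPAA_VAULT_KEY));
    unset($fields); // plaintext ePHI is not kept past this point

    $resp = wp_remote_post(HIPAA_VAULT_URL, [
        'timeout' => 10,
        'headers' => ['Content-Type' => 'application/json'],
        'body'    => json_encode(['submitted_at' => gmdate('c'), 'payload' => $blob]),
    ]);

    if (is_wp_error($resp) || wp_remote_retrieve_response_code($resp) !== 200) {
        // Record that forwarding failed, never the payload itself.
        error_log('hipaa_intake: forwarding to external store failed');
        wp_die('Your submission could not be processed. Please call the office.',
            'Error', ['response' => 502]);
    }

    wp_safe_redirect(home_url('/thank-you/'));
    exit;
}

add_action('admin_post_nopriv_hipaa_intake', 'hipaa_handle_intake'); // visitors
add_action('admin_post_hipaa_intake', 'hipaa_handle_intake');        // logged-in users
```

The decryption key never needs to exist on the WordPress host at all: if the external store holds the key, WordPress only needs to perform the encryption, so a compromise of the site database or backups yields nothing readable. On failure the handler reports the error without falling back to saving the form in `wp_options` or `wp_postmeta`, which is the path by which ePHI usually ends up in the database by accident.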
In conclusion, a website built on WordPress is a perfectly good option, provided your developers and administrators understand what is involved. At CTI you will find exactly these services: web development, site management, and even HIPAA compliant forms for your patients to use on the site. Contact us today and we can perform a HIPAA audit of your current WordPress site to ensure you have the right setup and are indeed following the guidelines for a HIPAA compliant WordPress site.