HIPAA Compliance for WordPress Sites

Companies of all kinds use third-party platforms to build their websites, for ease of use and broad compatibility. Medical practices and other healthcare businesses do the same, but what many may not realize is that a WordPress website is not HIPAA compliant out of the box. Here we cover the main steps for building and running a HIPAA compliant WordPress website. The guidelines for protecting ePHI that we covered in our last blog post are still relevant; they now just need to be applied to WordPress.

Understanding HIPAA Risks and WordPress

A WordPress site can always be tailored to be HIPAA compliant. As a business owner, it is important to understand that the company you trust to build the site must also adhere to the following rules, and if you are a developer building a site that holds this type of information, you must implement the correct security standards.

Ensuring Proper Access:

It is vital that the site's administrators grant access only to people who understand the sensitivity of the information, and that every user account is accounted for. For example, a user should never be able to sign up on the site for any form of access, whether that is posting articles, editing, etc.

Constant Updates and Review of Security:

One of the biggest security risks to a WordPress site is out-of-date plugins, or plugins built by unreliable third parties. A plugin should never be out of date, and every plugin in use should come from a trusted source. As the admin of a HIPAA compliant site, you need routine checks for vulnerabilities, both in the security measures themselves and in the plugins used on the site.
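As an added example (not code from the original post or from CTI), the following must-use plugin turns the "never out of date, always from a trusted source" rule into a daily WP-Cron job. It uses only core WordPress functions; the cron hook name and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: Plugin Update Watch (added example, not from the original post)
 * Description: Daily WP-Cron job that reports plugins with pending updates and
 *              plugins that wordpress.org does not recognise at all, so they can
 *              be reviewed against the "trusted source" rule.
 *              Save as wp-content/mu-plugins/plugin-update-watch.php (assumed path).
 */

defined( 'ABSPATH' ) || exit;

// Schedule the check once; WP-Cron fires it on the next daily tick.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'ephi_plugin_review' ) ) {
        wp_schedule_event( time(), 'daily', 'ephi_plugin_review' );
    }
} );

/**
 * Returns two lists:
 *   'outdated' => plugin file => [name, installed, available]
 *   'unknown'  => plugin file => name  (no update record from wordpress.org)
 * Installed-but-inactive plugins are included on purpose: they still ship code.
 */
function ephi_plugin_review(): array {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    wp_update_plugins();                                  // refresh from the update API
    $updates = get_site_transient( 'update_plugins' );
    $pending = isset( $updates->response ) ? (array) $updates->response : [];
    $current = isset( $updates->no_update ) ? (array) $updates->no_update : [];

    $report = [ 'outdated' => [], 'unknown' => [] ];
    foreach ( get_plugins() as $file => $data ) {
        if ( isset( $pending[ $file ] ) ) {
            $report['outdated'][ $file ] = [
                'name'      => $data['Name'],
                'installed' => $data['Version'],
                'available' => $pending[ $file ]->new_version,
            ];
        } elseif ( ! isset( $current[ $file ] ) ) {
            // Neither pending nor confirmed current: wordpress.org has no record of it.
            $report['unknown'][ $file ] = $data['Name'];
        }
    }
    return $report;
}

add_action( 'ephi_plugin_review', function () {
    $report = ephi_plugin_review();
    if ( ! $report['outdated'] && ! $report['unknown'] ) {
        return;
    }
    $body = "Plugins with a pending update:\n";
    foreach ( $report['outdated'] as $file => $p ) {
        $body .= sprintf( "  %s  %s -> %s  (%s)\n", $p['name'], $p['installed'], $p['available'], $file );
    }
    $body .= "\nPlugins not recognised by wordpress.org (verify the vendor and source):\n";
    foreach ( $report['unknown'] as $file => $name ) {
        $body .= sprintf( "  %s  (%s)\n", $name, $file );
    }
    wp_mail( get_option( 'admin_email' ), '[Security review] WordPress plugin status', $body );
} );
```

The "unknown" list is the part worth reading each morning: a plugin that wordpress.org neither offers an update for nor confirms as current is one that will never be patched through the normal update channel, so its vendor and provenance have to be verified by hand. WP-Cron only runs when the site receives traffic, so on a low-traffic site trigger it from a real system cron instead.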

Use Security Plugins and Other Security Tips:

There are a number of security plugins available, from iThemes Security, Wordfence and others, that will assist in applying HIPAA compliance on your site. Many of these also track logins to the site and which pages and data were accessed. Two-factor authentication is another security measure that needs to be implemented. All ePHI also needs to be stored outside of the WordPress site itself: to be compliant, you must not house that type of sensitive information in an unencrypted environment that can be accessed by just the admins of the site.

Data Protection:

All information on your site needs to be encrypted. As stated above, do not store it directly on the WordPress site's server; keep it in an external system that cannot be accessed from the site. HIPAA compliance requires you to have backups of the information and a log of who has accessed it. This means you can keep your normal site experience, but any information that is transferred needs to be encrypted and stored externally, because WordPress limits the level of encryption available for information in its database.
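One way to satisfy "encrypted, transferred, stored externally, never in the WordPress database" is to seal each form submission inside the request handler to the external store's public key and forward it at once. The following is an added example, not the original post's code and not CTI's forms product; `EPHI_VAULT_PUBKEY`, `EPHI_VAULT_URL` and the field names are placeholders.

```php
<?php
/**
 * Plugin Name: Sealed Intake Form (added example, not from the original post)
 * Description: Encrypts a patient intake submission in the request handler and
 *              forwards it to an external store. The web server holds only the
 *              store's PUBLIC key, so nothing on the WordPress host (database,
 *              backups, admin accounts) can read the data once it is sealed.
 */

defined( 'ABSPATH' ) || exit;

// Placeholders (assumptions); both belong in wp-config.php, never in the database:
//   EPHI_VAULT_PUBKEY  base64 of the store's sodium_crypto_box public key
//   EPHI_VAULT_URL     HTTPS endpoint of the external ePHI store

/** Seal a field array for the external store; returns an opaque base64 token. */
function ephi_seal( array $fields, string $pubkey_b64 ): string {
    $pub = base64_decode( $pubkey_b64, true );
    if ( $pub === false || strlen( $pub ) !== SODIUM_CRYPTO_BOX_PUBLICKEYBYTES ) {
        throw new RuntimeException( 'vault public key must be a base64 32-byte key' );
    }
    $plain  = wp_json_encode( $fields );
    $sealed = sodium_crypto_box_seal( $plain, $pub );   // only the store's secret key can open it
    sodium_memzero( $plain );
    return base64_encode( $sealed );
}

/** Runs on the store side only, where the secret key lives (shown for completeness). */
function ephi_open( string $token, string $keypair ): array {
    $plain = sodium_crypto_box_seal_open( base64_decode( $token, true ), $keypair );
    if ( $plain === false ) {
        throw new RuntimeException( 'token failed to authenticate' );
    }
    return json_decode( $plain, true );
}

// The front-end form posts to admin-post.php?action=ephi_intake (logged in or not).
add_action( 'admin_post_nopriv_ephi_intake', 'ephi_handle_intake' );
add_action( 'admin_post_ephi_intake', 'ephi_handle_intake' );

function ephi_handle_intake(): void {
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'ephi_intake' ) ) {
        wp_die( 'Invalid form submission.', 'Error', [ 'response' => 400 ] );
    }
    $fields = [
        'name'   => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'dob'    => sanitize_text_field( wp_unslash( $_POST['dob'] ?? '' ) ),
        'reason' => sanitize_textarea_field( wp_unslash( $_POST['reason'] ?? '' ) ),
    ];
    $token = ephi_seal( $fields, EPHI_VAULT_PUBKEY );
    unset( $fields );                                    // plaintext leaves memory here

    // Forward over TLS; nothing is written to wp_posts, wp_options or wp_postmeta.
    $resp = wp_remote_post( EPHI_VAULT_URL, [
        'timeout' => 10,
        'headers' => [ 'Content-Type' => 'application/json' ],
        'body'    => wp_json_encode( [ 'payload' => $token, 'site' => home_url() ] ),
    ] );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_die( 'The form could not be delivered. Please call the office.', 'Error', [ 'response' => 502 ] );
    }

    // Audit the event, never the content.
    error_log(
        sprintf( "%s\tintake_submitted\t%s\n", gmdate( 'c' ), $_SERVER['REMOTE_ADDR'] ?? '-' ),
        3,
        dirname( ABSPATH ) . '/ephi-audit.log'   // placeholder path outside the web root
    );

    wp_safe_redirect( add_query_arg( 'submitted', '1', wp_get_referer() ?: home_url() ) );
    exit;
}
```

The form itself needs `wp_nonce_field( 'ephi_intake' )` and a hidden `action=ephi_intake` field. Sealing to the store's public key rather than encrypting with a symmetric key kept on the web host is the design choice that matters: if the WordPress server, its database or a backup is ever copied, the attacker holds ciphertext and a public key, and nothing else. Generate the keypair with `sodium_crypto_box_keypair()` on the store, and give WordPress only `sodium_crypto_box_publickey()` of it.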

In conclusion, a website built on WordPress is a perfectly good option, provided your developers and administrators understand what needs to be involved. At CTI you will find exactly these services: web development, site management, and even HIPAA compliant forms for your patients to use on the site. Contact us today and we can perform a HIPAA audit of your current WordPress site to ensure you have the right setup and are indeed following the guidelines for a HIPAA compliant WordPress site.