WordPress & HIPAA Compliance

WordPress is a handy content management system that allows websites to be quickly and easily set up. The platform is popular with businesses, but is it suitable for use in the healthcare sector and is it HIPAA Compliant?

HIPAA and Websites

HIPAA does not specifically relate to compliance with respect to websites, HIPAA requirements for websites are therefore a little grey.

As with any other method of electronic capture or transmission of ePHI, safeguards must be put in place in line with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of ePHI. Those requirements apply to all web pages, including those developed from scratch or created using an off-the-shelf platform like WordPress.

Websites must incorporate administrative, physical, and technical controls to guarantee the confidentiality of any protected health information published on the website or made available through the site.

• HIPAA-covered groups must ensure there are access controls iset up to stop unauthorized individuals from obtaining access to PHI or to the administration control panel
• Audit controls must be set up that log access to the site and any activity on the site that involves ePHI
• There must be integrity controls implemented that stop ePHI from being altered or destroyed
• Transmission security controls must be created to ensure any ePHI uploaded to the site is secured (and encrypted in transit) and data must be properly secured at rest (encrypted on a third-party server or encrypted/otherwise secured on a covered entity’s web server)
• Physical security controls must be in place to stop unauthorized access to the web server
• Administrators and any internal users should be shown how to use of the website and made aware of HIPAA Privacy and Security Rules
• The website must be hosted with a HIPAA-compliant hosting service (or internally)
• If a third-party hosting company is hired, a business associate agreement is necessary

Once all the necessary controls have been put in place that meet the requirements of the HIPAA Security Rule, the website (and plugins) and all associated systems that link with the site must be subjected to a risk analysis. All risks to the confidentiality, integrity, and availability of ePHI must be listed and those risks and addressed via risk management processes that minmize those risks to a reasonable and acceptable level.

WordPress Business Associate Agreements

WordPress will not sign a business associate agreement with HIPAA covered groups and there is no mention of BAAs on the WordPress site. So, does that mean that the platform cannot be implemented in healthcare?

A business associate agreement is not necessarily obligatory. If you simply want to create a blog to communicate with patients, once you do not upload any PHI to the site or collect PHI through the site (such as making appointments), a business associate agreement would not be necessary.

You would also not require a BAA if PHI is stored separately from the website and is accessed through a plugin. If the plugin has been created by a third party, you would need a business associate agreement with the plugin developer.

If you want to use the website in connection with PHI, there are many seps you must take to make WordPress HIPAA compliant.

Making WordPress HIPAA Compliant

A standard off-the-shelf WordPress installation will not be HIPAA compliant as WordPress does not provide a HIPAA-compliant service. It is possible to make WordPress HIPAA compliant, but it will be a major job of work. You will need to ensure the following before any ePHI is uploaded to or gathered through the website.

• Complete a risk analysis prior to using the site with any ePHI and reduce risks to a reasonable and acceptable level.
• Use a HIPAA compliant hosting service for your website. Just hosting the site with a HIPAA compliant hosting provider does not guarantee compliance. Ensure that all access, audit, and integrity controls are enabled and safeguards implemented to secure data at rest and on the move.
• Perform a security scan of the site to check for flaws.
• Always use plugins from trustworthy sources.
• Ensure all plugins are updated and the most recent version of WordPress is installed.
• implement security plugins on the website – Wordfence for example.
• Use a SaaS provider that can work with the ePHI component into your website or develop the interface internally.
• Ensure ePHI is stored externally to WordPress.
• Create strong passwords and admin account names to cut the potential for brute force attacks. Use rate restricting to further enhance security and use two factor authentications for administrator accounts
• Ensure that users are not able to sign up for accounts directly without first being vetted
• Ensure any data gathered via web forms is encrypted in transit
• Complete business associate agreements with all service providers/plugin developers who need access to ePHI or whose software touches ePHI

WordPress was not created to confirm to HIPAA standards so making WordPress HIPAA compliant is complex. Ensuring a WordPress site is always HIPAA compliant is similarly difficult. There have also been many security issues with WordPress over the years and weaknesses are frequently identified. WordPress is not the only issue. Plugins are frequently found to have weaknesses and there is considerable potential for those vulnerabilities to be targeted.

While it is possible to make WordPress HIPAA compliant, the possible risks to ePHI are considerable. WordPress makes website creation easy, but not as far as HIPAA compliance is concerned.

O