WordPress makes it easy for people without web development experience to build their own websites. A website that current or prospective patients can view is a key part of running a successful practice. However, if you are a covered entity or a healthcare vendor, you need to make sure that the web developer and the content management system (CMS) you use for your site are HIPAA compliant. Since WordPress is one of the most popular website platforms, this raises the question: is WordPress HIPAA compliant?
What Makes a Website HIPAA Compliant?
The Health Insurance Portability and Accountability Act (HIPAA) established national standards for the privacy and security of protected health information (PHI). HIPAA exists to protect patients from having their PHI exposed to unauthorized individuals. The HIPAA Security Rule requires physical, technical, and administrative safeguards to protect electronic protected health information (ePHI). These safeguards must ensure the confidentiality, integrity, and availability of ePHI. Any website that creates, receives, stores, or transmits ePHI must be HIPAA compliant.
The following safeguards must be in place to make a website HIPAA compliant:
- Access controls: limit who, both outside and within the organization, can access PHI, and restrict each user to the PHI they need. The HIPAA Privacy Rule's "minimum necessary" standard requires that individuals access only the PHI needed to perform their job functions.
- Audit controls: record activity on the website so the organization can determine who viewed or changed what, and when.
- Integrity controls: ensure ePHI is not improperly altered or destroyed, and that any unauthorized change can be detected.
- Transmission security controls: protect PHI whenever the organization sends it to, or through, an external entity. Data passing over a network or through a third-party server must be encrypted in transit.
- Physical security controls: protect the facilities and equipment that hold PHI, including the servers hosting the website, for example with locks and alarms that prevent unauthorized physical access.
- Employee training: ensures that employees know what they can and cannot publish on, or collect through, the website in order to maintain HIPAA compliance.
- HIPAA compliant hosting provider: whichever platform the organization chooses to host the website must itself meet HIPAA requirements.
- Business associate agreement (BAA): must be signed with every vendor that will create, receive, store, or transmit PHI on the organization's behalf before any PHI is placed on the website. If a web service is unwilling to sign a business associate agreement, another platform should be chosen.
To ensure that ePHI is adequately protected, a risk analysis must be conducted. A risk analysis identifies where an organization's current safeguards fall short of these requirements. Any gaps identified must be addressed before the website is used to hold ePHI.
Is WordPress HIPAA Compliant?
No. WordPress is not HIPAA compliant, because WordPress.com (the hosted service run by Automattic) will not sign a business associate agreement. Without a BAA, the platform cannot be used to store or transmit ePHI. Note that this refers to the hosted WordPress.com service; the open-source WordPress software installed on a hosting provider that has signed a BAA is a separate question, and its compliance depends on that provider, on every plugin and theme in use, and on the safeguards listed above. A covered entity (CE) may, however, use WordPress as long as no PHI is ever uploaded to, or collected through, the site.
A CE can use WordPress to post office hours, contact information, or its location. It may also use WordPress to publish blogs or newsletters. In conclusion, if you would like to use WordPress to host your website, you cannot use it to collect, store, or display any patient information, including through contact or appointment-request forms that ask for health details.