Any time you ask whether software is HIPAA compliant, you’re asking an abstract question. After all, a locked file drawer with records in it can be HIPAA compliant, but not if the key is left in the lock to make it easier for all the preschool teachers to find parent phone numbers.
So the question, “Is WordPress HIPAA-compliant?” gets a firm “It depends” for an answer.
Does your website store protected health information?
When we build websites for medical professionals, we usually link to the patient portal rather than having PHI stored in the website itself. Your website may not contain any personally identifiable health information.
It’s worth making sure.
Sometimes, even if health records aren’t stored in your WordPress website, there could be an appointment calendar, patient comments, an email list, or records for ecommerce transactions which could under some circumstances threaten patient privacy.
“Some circumstances” would pretty much have to involve human error. WordPress websites allow you to control access to information at a very granular level.
Use HIPAA-compliant plugins
As of this writing, there is one HIPAA-compliant practice management plugin, Jituzu Tools.
This plugin connects with a Jituzu account and allows secure messaging, appointments, and even billing.
There is a new plugin, HIPAA Forms, that allows you to make HIPAA-compliant forms as long as you have Caldera or Gravity Forms and a monthly subscription to HIPAA Forms. As of this writing, that’s $50.00 a month. Our thanks to Spencer Fraise for alerting us to this new tool.
Other WordPress plugins haven’t been developed specifically to meet HIPAA guidelines. That doesn’t mean that these plugins have security issues. Using the plugins described above can give you a higher level of confidence, though.
Keep your systems secure.
Most HIPAA concerns aren’t about the software. They’re about human error. Make sure your security procedures and staff awareness cover your website and other internet use, not just paper records and office systems.
Comments are one place we’ve seen security issues arise. While you can plan how to secure information at your website, you may not realize that patients are sharing sensitive information in comments. It’s worth checking comments, and perhaps even setting them to require moderation before being posted.
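The two WordPress controls mentioned above, granular access and comment moderation, can be enforced in code rather than left to settings someone may later change. The following is an added example, not code from the original article or from any plugin it names: a small must-use plugin that registers a least-privilege role, holds every comment for moderation regardless of the Settings > Discussion checkbox, and flags comments whose wording suggests a patient is disclosing health details so a moderator reviews those first. The role slug `front_desk`, the meta key `_phi_review_flag` and the keyword list are assumptions chosen for this example; the hooks (`pre_comment_approved`, `comment_post`, `comment_row_actions`) and `add_role` are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: PHI Exposure Guardrails (added example)
 * Description: Least-privilege role, forced comment moderation, and a review flag
 *              for comments that look like they contain health details.
 *
 * Added example; not part of the original article or of any plugin it names.
 * Place in wp-content/mu-plugins/ so it is always active and cannot be
 * deactivated from the dashboard.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// 1. Granular access: a "front desk" role (assumed slug) that can see the
//    dashboard and moderate comments, but cannot publish posts, install
//    plugins, or export site data. add_role() is a no-op when the role exists.
add_action( 'init', function () {
    add_role(
        'front_desk',
        'Front Desk',
        array(
            'read'              => true,
            'moderate_comments' => true,
        )
    );
} );

// 2. Hold every new comment for moderation. Returning 0 means "pending";
//    anything already classified as spam keeps that status.
add_filter( 'pre_comment_approved', function ( $approved, $commentdata ) {
    if ( 'spam' === $approved ) {
        return $approved;
    }
    return 0;
}, 10, 2 );

// 3. Detection helper: returns the illustrative terms found in a comment.
//    The term list is a constructed placeholder; tune it for the practice.
function phi_guard_terms_found( $text ) {
    $terms = array( 'diagnos', 'prescri', 'my doctor', 'my appointment', 'insurance', 'my condition' );
    $hits  = array();
    $lower = strtolower( $text );
    foreach ( $terms as $term ) {
        if ( false !== strpos( $lower, $term ) ) {
            $hits[] = $term;
        }
    }
    return $hits;
}

// 4. After a comment is saved, record the matched terms in comment meta
//    (assumed key) so moderators can prioritise review.
add_action( 'comment_post', function ( $comment_id, $comment_approved, $commentdata ) {
    $hits = phi_guard_terms_found( $commentdata['comment_content'] );
    if ( ! empty( $hits ) ) {
        add_comment_meta( $comment_id, '_phi_review_flag', implode( ',', $hits ), true );
    }
}, 10, 3 );

// 5. Surface the flag in the Comments screen row actions so a moderator sees
//    it before clicking Approve.
add_filter( 'comment_row_actions', function ( $actions, $comment ) {
    $flag = get_comment_meta( $comment->comment_ID, '_phi_review_flag', true );
    if ( $flag ) {
        $actions['phi_review'] = '<span style="color:#b32d2e">Review: possible health details (' . esc_html( $flag ) . ')</span>';
    }
    return $actions;
}, 10, 2 );
```

The keyword check is only a triage aid for the human moderator the article recommends; the control that actually prevents exposure is step 2, which keeps every comment unpublished until a person has looked at it.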
Speaking of human error, your practice blog is one place where it’s easy to violate HIPAA regulations, whether you’re using WordPress or not. This can be a particular issue if you don’t have a blogger, but instead rely on team members. We’ve spoken with companies that figure it’ll be easy to get their doctors to write occasional posts. Usually those posts are extremely occasional — not frequent enough to have the benefits of blogging.
And it’s also easy for an occasional blogger to jump in hurriedly and share a great story. “This morning,” he writes, “I was working with a patient suffering from diverticulitis. She’s a full-time librarian and a part-time volunteer at a local homeless shelter, with seven grandchildren, so she’s a very active woman. Since she’s African-American, she also faces statistical…” At this point, many readers will know exactly who this doctor is talking about — they will have recognized a friend or neighbor in this description. No matter where the blog post goes after this, it’s probably sharing information about this woman’s bowel that she wouldn’t choose to share with everyone in town.
This is not a problem with WordPress, obviously. But if you use WordPress, you’ll find that the Edit Flow plugin will allow you to build in a layer of compliance checking before the post is published. This is an advantage of WordPress, and a workflow step that will help you ensure HIPAA-compliant blogging.
People’s actions don’t depend on the software they use, and software can’t control people’s behavior.
The bottom line: any software can be HIPAA-compliant — or not, depending how you use it.