Any time you ask whether software is HIPAA compliant, you’re asking an abstract question. After all, a locked file drawer with records in it can be HIPAA compliant, but not if the key is left in the lock to make it easier for all the preschool teachers to find parent phone numbers.
So the question, “Is WordPress HIPAA-compliant?” gets a firm “It depends” for an answer.
Does your website store protected health information?
When we build websites for medical professionals, we usually link to the patient portal rather than having PHI stored in the website itself. Your website may not contain any personally identifiable health information.
It’s worth making sure.
Sometimes, even if health records aren’t stored in your WordPress website, there could be an appointment calendar, patient comments, an email list, or records for ecommerce transactions which could under some circumstances threaten patient privacy.
“Some circumstances” would pretty much have to involve human error. WordPress websites allow you to control access to information at a very granular level.
Use HIPAA compliant plugins
As of this writing, there is one HIPAA-compliant practice management plugin, Jituzu Tools.
This plugin connects with a Jituzu account and allows secure messaging, appointments, and even billing.
There is a new plugin, HIPAA Forms, that allows you to make HIPAA-compliant forms as long as you have Caldera or Gravity Forms and a monthly subscription to HIPAA Forms. As of this writing, that’s $50.00 a month. Our thanks to Spencer Fraise for alerting us to this new tool.
Other WordPress plugins haven’t been developed specifically to meet HIPAA guidelines. That doesn’t mean that these plugins have security issues. Using the plugins described above can give you a higher level of confidence, though.
Keep your systems secure.
Most HIPAA concerns aren’t about the software. They’re about human error. Make sure your systems and awareness extend to internet use.
Comments are one place we’ve seen security issues arise. While you can plan how to secure information at your website, you may not realize that patients are sharing sensitive information in comments. It’s worth checking comments, and perhaps even setting them to require moderation before being posted.
Here are some other articles that deal with HIPAA compliance:
People’s actions don’t depend on the software they use, and software can’t control people’s behavior.
The bottom line: any software can be HIPAA-compliant — or not, depending how you use it.