When it comes to HIPAA compliance, website users may be the last thing you think about. Health care marketing has to consider HIPAA compliance in quite a few areas:
But the security of your website isn’t generally up to the marketing department. Someone else takes care of that, right? And chances are good that your website doesn’t house any personally identifiable patient information, anyway.
There’s one area where the person responsible for the website is also responsible for HIPAA security, though: website users.
Your IT department might be in charge of blocking FTP access, but your WordPress practice website may not even be on their minds. And, from our experience, it’s easy for you to forget about, too.
WordPress website Users
The Users for your website will certainly include all the people who work on the website. You might have your webmaster, your web host, the people who built the website, your blogger or other members of your web team, and they probably all should have access so they can do their jobs, or come in and help you quickly if you need help.
But you might also have thousands of subscribers, team members who have added information on jobs or board members, customers who have placed ecommerce orders, and more. It’s not uncommon to have very large numbers of Users, and it’s not something to be concerned about. Find Users in your left sidebar in the Admin area of your website and choose All Users to see all your Users.
Each User has a specific role with a specified level of permission to access parts of the website. Administrator is the role with the highest level of access. An Administrator can, for example, delete the website. You can see in the screenshots above that each of these websites has just a handful of Administrators. That’s wise. Few people need that level of access.
The role with the least access is Subscriber. A Subscriber can access his or her profile and add information there, but cannot access any other part of the website’s Admin area. Subscribers can’t work on a website or make any changes, except to their profiles.
Depending on the theme or plugins you use, as well as any custom User roles built into your website, you might have lots of different choices for user roles. Check with your webmaster if you’re not sure what level of access each role includes.
If you need to give admin access to someone in order for them to do their job, it’s easy to give that role temporarily and remove it when the job is finished.
There are two simple ways to make these role changes. First, you can choose one of your Users and click through to their profile. In the screenshot below, we can see that Gideon is an Editor at this website. That means that he can work on and publish posts for all Authors, but he can’t make changes in the code. The “Role” field is a drop-down menu box where you can easily choose a role for a specific User. We can give Gideon Admin access when he needs it, and change him back to an Editor when he finishes.
You can also change roles from the All Users page. If you want all your team members to update their bios, for example, you can give everyone Author or Editor access and return them to Subscribers after the deadline.
One recent study found that 20% of companies surveyed had experienced some kind of malicious prank with former employees. You may not be worried about this, but you still have a responsibility under HIPAA to remove access to any personally identifiable information. If that’s a name and email from a booking plugin’s database or an indiscreet comment left by a patient (even unpublished), it could be possible for a former employee to access it through your website.
It takes just moments to change your employee’s role to Subscriber as soon as they finish their last day. It should be part of your routine — farewell party, accept their keys, change them to a Subscriber. Website Users can be a security issue, but it’s easy to control.