To run a successful healthcare practice in the digital age, having a website for current or prospective patients to visit is key. However, if you’re a covered entity or healthcare vendor that collects protected health information (PHI), you must choose a HIPAA compliant hosting platform and content management system (CMS) for your website. This begs the question:
What Is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal regulation that sets standards for the privacy and security of PHI — any demographic information that can identify a health care patient.
Examples of HIPAA Data Include:
- Patient names
- Addresses
- Dates (e.g., birth, discharge, admittance, and death dates)
- Telephone and fax numbers
- Email addresses
- Social Security numbers
- Driver’s License information
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certification/license numbers
- Vehicle identifiers and serial numbers (e.g., license plate numbers)
- Device identifiers and serial numbers
- Names of relatives
- Internet Protocol (IP) address numbers
- Biometric identifiers (e.g., finger and voice prints)
- Full face photographic images
Both health care providers and vendors who come in contact with PHI are mandated to be HIPAA compliant. Under HIPAA, providers are known as “covered entities,” and vendors are considered “business associates.” So, whether your organization is a medical practice or a tech provider working in health care, you must have a HIPAA-compliant website to protect any captured PHI information.
Discover how to make your WordPress website HIPAA compliant.
What Makes a Website HIPAA Compliant?
The HIPAA Security Rule mandates “physical, technical, and administrative safeguards must be in place to safeguard electronic protected health information (ePHI).” These measures must “ensure the integrity, confidentiality, and availability of ePHI.” Any website containing ePHI must be HIPAA compliant.
To become HIPAA compliant, there are four rules you need to be aware of and adhere to:
- More patient control over health information
- Sets boundaries and establishes safeguards for health information
- Technical Safeguards
- Physical Safeguards
- Administrative Safeguards
- Enforces the Privacy and Security Rules
- Calculates fines for health-care providers for violation of HIPAA rules
- Requires HIPAA covered entities to provide notification of a breach of unsecured protected health information
Safeguards to Ensure HIPAA Compliance
Because WordPress enables those without prior web development knowledge to design and build their own websites, it’s one of the most popular website platforms available today.
HIPAA compliance requires the following safeguards to be in place:
- HIPAA-compliant hosting provider to host the website.
- Physical security controls to prevent unauthorized access to PHI.
- Integrity controls to ensure ePHI cannot be destroyed or altered.
- Transmission security controls for sending PHI to or using an external entity. Any data that passes through a third-party server must be encrypted.
- Access controls to limit who, externally and within the organization, can access PHI. The HIPAA Privacy Rule dictates that users access the “minimum necessary” PHI to perform their job duties.
- Employee training ensures that employees understand exactly what they are able and not able to share on a website to maintain HIPAA compliance.
- Audit controls to track activity on a website and monitor who is viewing what and when
- A business associate agreement (BAA) must be signed before any PHI can be stored on a website.
How to Make Your WordPress Site HIPAA Compliant
WordPress is a powerful CMS that enables login to your website dashboard and uses a simplified interface to create your web pages, add content, and customize the design. Then the CMS houses the data and does the hard work of creating the page layouts for you.
However, WordPress was not originally developed to comply with HIPAA standards. Making WordPress HIPAA compliant and ensuring it remains compliant is not a simple task, but it is possible.
If you want the website to include PHI, there are several steps to make WordPress HIPAA compliant.
Because WordPress does not offer a standard off-the-shelf HIPAA-compliant service, a WordPress installation is not HIPAA compliant automatically. Secure the following before uploading or collecting any ePHI via the website:
Checklist
- Perform a risk analysis before using ePHI and reduce risks to a reasonable and acceptable level.
- Secure a HIPAA-compliant hosting service. However, simply hosting your site with a HIPAA-compliant hosting provider does not ensure compliance. Make certain all access, audit, and integrity controls are in place and implement safeguards to secure all data.
- Complete a security scan of the site to check for vulnerabilities.
- Only use plugins from trusted sources, ensure all plugins are routinely updated, and install the latest version of WordPress.
- Utilize security plugins, e.g., Wordfence.
- Work with a SaaS provider able to interface the ePHI requirements into your website if you are unable to develop the interface with internal resources.
- Store ePHI outside WordPress.
- Have a strong managed firewall to ensure security responses, routine device health checks, log monitoring, and control of network ingress and egress points. The system should include load balancing, redundancy via a secondary firewall, global blacklisting, virtual private network (VPN) connectivity, and state-of-the-art filtering, monitoring, and reporting.
- Set strong passwords and admin account names to lower the risk of attacks. Use two-factor authentications for administrator accounts; rate limiting further enhances security.
- Vet users before permitting them to sign up for accounts.
- Restrict access with:
- Login for security
- Access controls, permissions, roles
- Audit controls
- Encrypt all data collected via web forms in transit. Formidable Forms is a form builder often used on WordPress sites.
- Procure business associate agreements from all service providers/plugin developers who require access to ePHI or whose software comes in contact with ePHI.
Your HIPAA Compliant WordPress Website
Many organizations choose to work with third parties, particularly in strictly controlled sectors such as healthcare. Contracting with outside organizations enables you to tap expertise unavailable in-house. The good news: you don’t have to rebuild your WordPress website completely to make it HIPAA compliant.
