WordPress is a widely used website creation application powering about 38% of all websites on the Internet today. WordPress achieved mainstream popularity because of its ease of use, allowing almost anyone to create detailed and professional-looking websites with a few clicks.
WordPress is particularly popular with small-to-medium size businesses, web developers, graphic designers, and personal blogs. However, it is also used by big companies, such as BBC America, Sony Music, and Microsoft News.
WordPress sites that include Protected Health Information (PHI), as with any website handling PHI, must adhere to the administrative, physical, and technical safeguards of HIPAA to ensure the confidentiality of data uploaded or made available through the website.
HIPAA-Compliant Design Rules for WordPress
The following three-step HIPAA-compliant framework facilitates the development of a WordPress site that can handle PHI:
- HIPAA compliance built into the website design process
- Server hardening to meet the technical requirements of HIPAA
- HIPAA-compliant WordPress hosting
Website Design
HIPAA compliance must drive the website design plan; the design must meet HIPAA’s minimum security and privacy standards to ensure the confidentiality, integrity, and availability of PHI. At a minimum, the design should include:
- Access controls to prevent unauthorized access to PHI
- Access controls to the WordPress administration control panel
- Audit controls to log all access to the site
- Audit controls to log any activity on the site that involves ePHI
- Integrity controls to prevent PHI from being altered by unauthorized users
- Transmission security controls to protect PHI uploads (encrypted in transit)
- Encryption of data at rest on the webserver
Server Hardening
Here are some practical ways to protect your WordPress server from common vulnerabilities and threats:
- Update WordPress and PHP regularly
- Update the operating system monthly
- Only use very strong passwords and never reuse passwords
- Only use SFTP (encrypted file transfer) to move files to and from the webserver
- Lock down file permissions so that WordPress files cannot be changed by anyone other than the administrator
- Ensure no system services or applications run as the root user
- Restrict database user privileges and set IP restrictions to access the DB
- Secure WP-Admin with multi-factor authentication (MFA)
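The file-permission and unprivileged-service items above can be checked rather than just prescribed. The following audit script is an added example, not Atlantic.Net's own tooling; the document-root path, the assumption that wp-config.php should be readable only by its owner, and the list of service names are all assumptions to adapt to the host.

```shell
#!/bin/sh
# Permission audit for a WordPress document root (added example).
# Assumes a GNU or BSD stat, and that only the owner should read wp-config.php.

# Print every regular file under $1 that group or others can write to.
# After installation, nothing in the web root should be writable by the
# web server user or any other unprivileged account.
find_writable_files() {
    find "$1" -type f \( -perm -g=w -o -perm -o=w \) 2>/dev/null
}

# Return 0 if wp-config.php (which holds the database credentials) has
# mode 400 or 600, 1 if it is missing or readable by other users.
wpconfig_mode_ok() {
    f="$1/wp-config.php"
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Count web/PHP/database processes running as root. Only a master process
# should ever be root; worker processes must run as an unprivileged user.
# (Service names are assumptions; not exercised by the offline test.)
root_service_processes() {
    ps -eo user=,comm= 2>/dev/null |
        awk '$1=="root" && $2 ~ /php-fpm|nginx|apache2|httpd|mysqld/ {n++} END {print n+0}'
}

# Run the static checks on the document root in $1; non-zero on any finding.
audit_wp_root() {
    rc=0
    writable=$(find_writable_files "$1")
    if [ -n "$writable" ]; then
        echo "group/world-writable files under $1:"
        echo "$writable"
        rc=1
    fi
    if ! wpconfig_mode_ok "$1"; then
        echo "wp-config.php is missing or readable by other users"
        rc=1
    fi
    return $rc
}
```

Run it as `audit_wp_root /var/www/html` (path is an example) from a cron job or the deploy pipeline so a regression to loose permissions is caught before an attacker finds it.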
HIPAA-Compliant WordPress Hosting
A hosting company that is HIPAA compliant will provide you with an infrastructure that is built around the fundamental safeguards needed for compliance. Make sure you choose a hosting provider that can:
- Implement physical security controls to prevent unauthorized physical access to the webserver
- Offer a fully managed firewall or Web Application Firewall (WAF)
- Provide an encrypted VPN
- Provide an encrypted data backup plan to protect PHI securely
- Provide a disaster recovery solution to ensure that PHI is continuously available
- Provide forensic-level logging of all activity on the host server (in addition to WordPress-layer logging)
- Provide monitoring and alerting on those logs
- Monitor file changes using an intrusion prevention service
Ready to get started with setting up a HIPAA-Compliant WordPress Site? Choose Atlantic.Net for a one-click WordPress installation that will set you well on your way to a HIPAA-Compliant WordPress Website – get started today!