If your business website in any way touches on health records, making sure it is HIPAA-compliant is an absolute top priority. The problem therein is that websites are not cookie-cutter templates of one another where the solution for one is the solution for all.
Different web-hosting platforms have different levels of inherent and added-on security, and companies must research these strata of enhancements before deciding on where to build their site.
WordPress: Hosting Powerhouse
WordPress is a household name when it comes to web hosting and content management systems (CMS), but that does not mean it’s not constantly growing stronger. In 2018, it reached the 30% mark in terms of how many websites run on WordPress. That number is even more impressive when you consider WordPress reached 25% of the world market share less than three years ago in November 2015.
But there are different versions of WordPress to consider. The free, open-source one is based in PHP and MySQL. It is free to download. There is also a paid version geared toward organizations seeking to use WordPress outside their own infrastructure.
Must-Haves for WordPress HIPAA Compliance
Every business is going to need different components in place to be HIPAA compliant, but there are some basics that will have to be met by all websites using WordPress. The following is an overview of these requirements.
Business Associate Agreement – A Business Associate Agreement (BAA) is a written contract initiated by your company and a Business Associate – in this case, WordPress – that is required for HIPAA compliance. This is an all-encompassing agreement that contains 10 provisions that must be defined and planned in accordance with HIPAA regulations. Among these provisions are guidelines for:
- How much protected health information (PHI) the Business Associate is allowed to disclose.
- Requirements for the Business Associate to use appropriate safeguards and methods of encryption to keep PHI and electronic protected health information (ePHI) safe.
- Create specific procedures by which the Business Associate reports data breaches to the company.
- Create terminology that requires the Business Associate to make its books, records, practices, and procedures available to the US Department of Health and Human Services.
- Detail procedure for the deletion of PHI and ePHI by the Business Associate upon termination of the contract.
HIPAA Compliant Hosting Service
WordPress itself does not offer a HIPAA-compliant hosting service, which means your company will have to go elsewhere to really drill down on the security front. Doing research to find a website host that is already HIPAA compliant is a big step in the right direction, but is not a simple plug-and-play solution. Every facet of the web hosting provider, specifically access, audit, and integrity controls must be identified and data safeguards must be confirmed.
What’s the best way to keep WordPress from suffering a hack that exposes your patients’ ePHI? By not keeping it within WordPress’s confines at all. There’s no excuse at this point in time to not use a secure third-party environment to house data, whether that’s in a cloud computing environment or elsewhere. Data storage facilities can offer the kind of round-the-clock, high-level, real-time security that is impossible to replicate for WordPress or most other web hosting sites.
By storing the ePHI outside of WordPress, you’re limiting the amount of additional protocol that has to be put in place to make the WordPress site HIPAA compatible as well as limiting the amount of time when ePHIs are actually passing through the WordPress infrastructure, dramatically reducing the dangers of a data breach crippling your site.
Plug in for Performance
Where WordPress’s basic faculties are lacking, it has on tap a long list of security plugins available that can emulate the essentials when it comes to keeping data secure, protected, and moving in the right channels. A popular choice here is Wordfence. A powerful plugin, WordFence uses a Threat Defense Feed that is constantly updated to prevent your site from being hacked. It has a powerful firewall, allows you to block entire countries and counteract brute force attacks. But just purchasing this plugin doesn’t guarantee your safety.
You have to configure it specifically for your site and needs and make sure it is constantly updated. Some of the most devastating data breaches in history have come as a result of a failure to make simple updates. Another to examine is iThemes Security.
This intuitive security measure can be built right into your WordPress desktop and breaks down each component of your site in an easy-to-use fashion from 404 Detections to File Permissions to Banned Users. Hackers and cybercriminals target websites dealing in ePHI because they have a long shelf life and go for up to $1,000 per record.
Conclusion on WordPress Site HIPAA-Compliant
HIPAA compliance is a vast field all to its own outside the confines of running a successful business website hosted by WordPress. If you are to incorporate this popular CMS into your business site, ensuring that you’ve covered every base is essential before going live. The potential fines and punishments are daunting, but the loss of patients’ private information is the real nail in the coffin should something go astray.