Can I use WordPress and be HIPAA Compliant?
- There are several definitions of WordPress.
- WordPress is a very popular open source Content Management System (CMS).
- WordPress.com is the commercially available version of WordPress CMS.
Lately, we’ve been discussing in the office whether certain cloud solutions are HIPAA compliant or not. WordPress is both a popular open source Content Management System (CMS) and a commercially available hosting platform.
We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Apple iMessage
- Citrix ShareFile
- Google Calendar
- Google Docs
- Google Drive
- Google Forms
- Google Hangouts
- Google Slides
- Google Voice
- Office 365
Today, we will determine if WordPress offers HIPAA compliance or not.
WordPress is a free and open source Content Management System (CMS) based on PHP and MySQL. It’s such a popular CMS that it reportedly powers 29% of the internet (including this blog). It can be downloaded for free at WordPress.org.
There is also a commercially available version, which is found at WordPress.com. WordPress.com is targeted towards organizations that don’t want to install, configure and maintain WordPress on their own infrastructure.
WordPress and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.
Since there are two distinct variations of WordPress, we’ll look at each one on its own for HIPAA compliance.
WordPress.org and the BAA
As previously mentioned, WordPress can be downloaded for free at WordPress.org.
If this is the variation of WordPress you intend to use for HIPAA compliance, there are several additional things to consider:
- Will the WordPress server reside on premises in your office or corporate datacenter?
- Will the WordPress server be hosted in the cloud?
If the WordPress server will reside on premises or in your datacenter, you’ll need to configure that server to meet HIPAA compliance standards. The methods to do that involve a multitude of factors that are outside the scope of this post.
If the WordPress server will be hosted in the cloud and you will be storing Protected Health Information on it, you’ll need to select a HIPAA compliant website provider who will sign a BAA with you.
WordPress.com and the BAA
WordPress.com, which is run by Automattic Inc, is the commercially available version of WordPress.
Automattic will not sign a BAA with your organization. We therefore conclude that WordPress.com is not a HIPAA compliant vendor.
Does WordPress Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component of HIPAA compliance between a Covered Entity and a Business Associate.
Since there are two variations of WordPress, we researched each one for its HIPAA compliance capabilities.
If you installed the open source version of WordPress on your own server:
- You need to verify your internal infrastructure and configuration are HIPAA compliant.
If you are using a third-party HIPAA compliant WordPress hosting vendor:
- Make sure to sign a BAA with them.
If you are using WordPress.com by Automattic:
- Do not store PHI on it because Automattic will not sign a BAA with your organization.