by Hoala Greevy Founder CEO of Paubox

Is WordPress HIPAA Compliant?

Can I use WordPress and be HIPAA Compliant?

  • The name WordPress refers to more than one thing.
  • WordPress is a very popular open source Content Management System (CMS).
  • WordPress.com is the commercially available, hosted version of the WordPress CMS.

Lately, we’ve been discussing in the office whether certain cloud solutions are HIPAA compliant or not. WordPress is both a popular open source Content Management System (CMS) and a commercially available hosting platform.

We know the HIPAA industry is vast, so we can empathize with just how many people in this sector need to use cloud-based services.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

Today, we will determine if WordPress offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About WordPress

WordPress is a free and open source Content Management System (CMS) based on PHP and MySQL. It’s such a popular CMS that it reportedly powers 29% of the internet (including this blog). It can be downloaded for free at WordPress.org.

There is also a commercially available version, which is found at WordPress.com. WordPress.com is targeted towards organizations that don’t want to install, configure and maintain WordPress on their own infrastructure.

WordPress and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

Since there are two distinct variations of WordPress, we’ll look at each one on its own for HIPAA compliance.

WordPress.org and the BAA

As previously mentioned, WordPress can be downloaded for free at WordPress.org.

If this is the variation of WordPress you intend to use for HIPAA compliance, there are several added things to consider:

  • Will the WordPress server reside on premises in your office or corporate datacenter?
  • Will the WordPress server be hosted in the cloud?

If the WordPress server will reside on premises or in your datacenter, you’ll need to configure that server to meet HIPAA compliance standards. The methods to do that involve a multitude of factors that are outside the scope of this post.

If the WordPress server will be hosted in the cloud and you will be storing Protected Health Information on it, you’ll need to select a HIPAA compliant website provider who will sign a BAA with you.

We recommend looking at providers like Atlantic.net or Medstack for HIPAA compliant WordPress hosting.

SEE RELATED: How to Make Sure You Have a HIPAA Compliant Website

WordPress.com and the BAA

WordPress.com, which is run by Automattic Inc., is the commercially available version of WordPress.

We checked the WordPress.com Terms of Service and Privacy Policy pages for any signs of Automattic’s ability to sign a BAA.

In both cases, we were unable to find any mention of HIPAA, Protected Health Information, or a Business Associate Agreement.

We therefore conclude that WordPress.com is not a HIPAA compliant vendor.

Does WordPress Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since there are two variations of WordPress, we researched each one for its HIPAA compliance capabilities.

Conclusion

If you installed the open source version of WordPress on your own server:

  • You need to verify your internal infrastructure and configuration are HIPAA compliant.

If you are using a third party HIPAA compliant WordPress hosting vendor:

  • Make sure to sign a BAA with them.

If you are using WordPress.com by Automattic:

  • Do not store PHI on it because Automattic will not sign a BAA with your organization.