Can I use WordPress and be HIPAA Compliant?
Lately, we've been discussing in the office whether certain cloud solutions are HIPAA compliant or not. WordPress is both a popular open source Content Management System (CMS) and a commercially hosted platform. Healthcare is a vast industry, so we can empathize with just how many organizations subject to HIPAA need to use cloud-based services. Today, we will determine whether WordPress can be part of a HIPAA compliant deployment.
SEE ALSO: HIPAA Breaches and Cloud Providers
WordPress is a free and open source Content Management System (CMS) written in PHP and backed by a MySQL database. It is so popular that it reportedly powers 29% of all websites (including this blog). It can be downloaded for free at WordPress.org. There is also a commercially hosted version at WordPress.com, which is targeted at organizations that don't want to install, configure and maintain WordPress on their own infrastructure.
We've previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. The HIPAA Privacy Rule requires one before a vendor may create, receive, maintain or transmit Protected Health Information (PHI) on a Covered Entity's behalf, so no vendor that handles your PHI can be part of a compliant deployment without one. Since there are two distinct variations of WordPress, we'll look at each one on its own for HIPAA compliance.
If the WordPress server will reside on premises or in your datacenter, you'll need to configure that server to meet the HIPAA Security Rule's administrative, physical and technical safeguards. The methods to do that involve a multitude of factors that are outside the scope of this post. If the WordPress server will be hosted in the cloud and you will be storing Protected Health Information on it, you'll need to select a hosting provider who will sign a BAA with you; a provider that won't sign one cannot be used for PHI, however well it secures its infrastructure. Two caveats apply. First, a purely informational site that never collects or stores PHI needs no BAA, but watch for contact, appointment or intake forms and plugins that quietly turn a brochure site into one that handles PHI. Second, the provider's BAA covers only the infrastructure it operates: the WordPress installation itself, its plugins and themes, and who is given access to the PHI stored in it remain your responsibility. We recommend looking at providers like Atlantic.net or Medstack for HIPAA compliant WordPress hosting.
SEE RELATED: How to Make Sure You Have a HIPAA Compliant Website
WordPress.com, which is run by Automattic Inc, is the commercially hosted version of WordPress. We checked the WordPress.com Terms of Service and Privacy Policy pages for any sign that Automattic will sign a BAA. In both cases, we were unable to find any mention of HIPAA, Protected Health Information, or Business Associate Agreements. Without a BAA, a Covered Entity cannot lawfully store or process PHI on WordPress.com, so we conclude that WordPress.com is not a HIPAA compliant vendor. Vendor terms change, so confirm directly with Automattic before making a decision, and do not treat a hosted platform's own security features as a substitute for the agreement.
The Business Associate Agreement is a key component of HIPAA compliance between a Covered Entity and a Business Associate, and it decides the answer here. Self-hosted WordPress can be part of a HIPAA compliant deployment when it runs on infrastructure you control and configure to the Security Rule, or on a hosting provider that signs a BAA with you. WordPress.com, where Automattic offers no BAA, cannot be used to store or process PHI.