
WordPress HIPAA Compliance

– Are you a covered entity under HIPAA?
– Does your practice have a website built on WordPress?
– Does your website create, receive, maintain, or transmit ePHI?

If you answered yes to all 3 questions, we’ll help make sure that your website is compliant with the regulatory standards of HIPAA and the provisions of the HITECH Act.

Yes, WordPress can be HIPAA Compliant.

HIPAA's Security Rule applies to every system that creates, receives, maintains, or transmits electronic protected health information (ePHI), and that includes your website. Maintaining the privacy and security of ePHI is key. Our focus is securing WordPress and your website's infrastructure. The information below outlines what we do.


What We Do

We provide regular behind-the-scenes management of your website and its infrastructure. This service is only available if your website is built on WordPress, excluding sites hosted on wordpress.com.

Important: this service does not cover everything required under HIPAA to make your business compliant with the law. We only focus on your website and its infrastructure for creating, receiving, maintaining, and transmitting ePHI.

Website Risk Analysis

meets requirements for 45 CFR 164.308(a)(1)(ii)(A)

  1. We assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI either created, received, maintained, or transmitted by your website.
  2. This includes an analysis of your website security settings, hosting infrastructure, transmission infrastructure, database encryption, file storage, and more.
  3. We will provide a report with recommendations if we find potential risks and vulnerabilities with your infrastructure and website configuration.

Website Risk Management

meets requirements for 45 CFR 164.308(a)(1)(ii)(B)

  1. We take steps to mitigate any potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI either created, received, maintained, or transmitted by your website.
  2. This can include updating your website’s software, applying security options, moving your website to HIPAA-compliant infrastructure (additional fees may apply), and more.

Data Backup Plan

meets requirements for 45 CFR 164.308(a)(7)(ii)(A)

  1. We create and maintain multiple retrievable exact copies of your website using automated software.
  2. We create full backups daily with incremental backups of any changes hourly.
  3. Backups are saved for 30 days.
  4. Backups are encrypted, both in transit between data centers and at rest.
  5. Backups are redundant. Two copies are stored in two separate off-site data centers.

Disaster Recovery Plan

meets requirements for 45 CFR 164.308(a)(7)(ii)(B)

  1. In the event that a disaster takes your website offline, we will decrypt and restore a backup set using the same software we use to create backups.
  2. In the event that a disaster has compromised the hosting infrastructure of your website, we will restore a backup to one of our hosting environments covered under a BAA.

Emergency Mode Operation Plan

meets requirements for 45 CFR 164.308(a)(7)(ii)(C)

  1. Emergency mode operations may include turning off services that send ePHI outbound, such as automated email notifications and backup systems. This will not impact the security, privacy, or integrity of ePHI that is created, received, or maintained by your website.
  2. Emergency mode operations may include turning off services that permit the creation or receipt of ePHI by your website. This will not impact the security, privacy, or integrity of ePHI that is maintained or transmitted.
  3. Emergency mode operations will cease after all primary systems are back online. We will keep you updated via phone, text, or email.

Testing and Revision Procedures

meets requirements for 45 CFR 164.308(a)(7)(ii)(D)

  1. The data backup plan, disaster recovery plan, and emergency mode operation plan will be tested upon implementation for reliability and will be repeated on an annual basis.
  2. The data backup plan, disaster recovery plan, and emergency mode operation plan will be revised as necessary to ensure successful outcomes. Whenever these contingency plans are revised, our team will be trained on the revised plans so that they can be carried out competently.
  3. In the event that contingency plans are revised in a manner that may affect your business processes, we will send notices via email.

Application and Data Criticality Analysis

meets requirements for 45 CFR 164.308(a)(7)(ii)(E)

  1. Our position is that all applications and data are critical to business operations. We will review your business operations with you to establish how critical the website and its data are to them.
  2. Our data backup, disaster recovery, and emergency mode operation plans have been designed to be executed rapidly (same day) to minimize downtime in the event of a disaster.

Access Establishment and Modification

meets requirements for 45 CFR 164.308(a)(4)(ii)(C)

  1. User accounts with access to any part of your website that creates, receives, maintains, or transmits ePHI have activity logged for documentation and review.
  2. Users’ right of access to any part of your website that creates, receives, maintains, or transmits ePHI can be removed at will by our team, which holds contractually assigned security responsibility for your website. This may occur without your prior knowledge in order to contain a security breach, but we will follow up with you as soon as possible.

Security Reminders

meets requirements for 45 CFR 164.308(a)(5)(ii)(A)

  1. We have automated notifications to ensure that all security measures are up-to-date.
  2. These notifications are triggered by conditions at the server level and the application level that could pose moderate to severe security risks.

Protection from Malicious Software

meets requirements for 45 CFR 164.308(a)(5)(ii)(B)

  1. Your website will be scanned on a daily basis to ensure that all software is up to date and patched against all known security vulnerabilities.
  2. If applicable, we will put strict inbound firewall rules in place at the server level that automatically drop any external SSH, MySQL, or DNS connections.
  3. We will utilize an endpoint firewall at the application level that updates its rules in real-time to protect against malware and other vulnerabilities.

Log-In Monitoring

meets requirements for 45 CFR 164.308(a)(5)(ii)(C)

  1. We will set up activity logging, which records log-in activity, the date and time of log-in, and the IP addresses from where a log-in occurred.
  2. We monitor and block unauthorized login attempts at the application level. This includes brute force protection, XML-RPC protection, reCAPTCHA to block automated attacks, and IP access control.
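As an added illustration of the login logging and blocking described in this section, and of the per-account activity logging described under Access Establishment and Modification above, here is an example must-use plugin written for this page. It is not the service's own tooling: it uses only core WordPress hooks (`xmlrpc_enabled`, `login_init`, `authenticate`, `wp_login_failed`, `wp_login`, `admin_init`), and the thresholds (five failures per IP in fifteen minutes), the empty IP allowlist, and the log line format are the example's assumptions.

```php
<?php
/**
 * Plugin Name: ePHI Login Monitor (illustrative example, not the service's code)
 * Description: Logs every login attempt with a UTC timestamp, user name and IP,
 *              locks an IP out after repeated failures, disables XML-RPC, and
 *              leaves an activity trail for logged-in users in the admin area.
 * Install:     drop into wp-content/mu-plugins/ so it loads before themes and
 *              ordinary plugins and cannot be deactivated from the dashboard.
 */

// Thresholds are assumptions for the example; tune them for your traffic.
define( 'EPHI_MAX_FAILURES', 5 );
define( 'EPHI_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS );

// Assumed allowlist of client IPs permitted to reach wp-login.php.
// Empty means "allow everyone"; populate it to enforce IP access control.
define( 'EPHI_LOGIN_ALLOWLIST', array() );

function ephi_client_ip() {
    // REMOTE_ADDR is the only address the client cannot forge. If the site sits
    // behind a trusted reverse proxy, resolve X-Forwarded-For at the proxy or
    // web-server layer instead of trusting that header here.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ephi_fail_key( $ip ) {
    // Transient name for the per-IP failure counter.
    return 'ephi_fail_' . md5( $ip );
}

function ephi_log( $event, $username ) {
    // One line per event; ship PHP's error log to your log collector.
    error_log( sprintf(
        '%s ephi_auth event=%s user=%s ip=%s',
        gmdate( 'c' ),
        $event,
        sanitize_user( (string) $username, true ),
        ephi_client_ip()
    ) );
}

// 1. XML-RPC protection: system.multicall lets a single request try hundreds of
//    passwords, so turn the endpoint off unless something genuinely needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. IP access control for the login page.
add_action( 'login_init', function () {
    if ( EPHI_LOGIN_ALLOWLIST && ! in_array( ephi_client_ip(), EPHI_LOGIN_ALLOWLIST, true ) ) {
        ephi_log( 'login_page_denied', '' );
        wp_die( 'Access denied.', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// 3. Brute-force protection: refuse authentication once an IP exceeds the limit.
//    Priority 30 runs after core's username/password check at priority 20, so a
//    correct password from a locked-out IP is still rejected.
add_filter( 'authenticate', function ( $user, $username ) {
    $fails = (int) get_transient( ephi_fail_key( ephi_client_ip() ) );
    if ( $fails >= EPHI_MAX_FAILURES ) {
        ephi_log( 'login_blocked', $username );
        return new WP_Error( 'ephi_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 2 );

// 4. Log-in monitoring: record and count every failure, record every success.
//    A blocked attempt also fires wp_login_failed, which extends the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ephi_fail_key( ephi_client_ip() );
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, EPHI_LOCKOUT_WINDOW );
    ephi_log( 'login_failed', $username );
} );

add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ephi_fail_key( ephi_client_ip() ) );
    ephi_log( 'login_success', $user_login );
}, 10, 2 );

// 5. Activity trail: log each admin-area request by a logged-in account so a
//    review can see who was active, from where, and when. Only the path is
//    logged; query strings may carry search terms or record IDs that are ePHI.
add_action( 'admin_init', function () {
    if ( is_user_logged_in() && ! wp_doing_ajax() ) {
        $user = wp_get_current_user();
        $path = isset( $_SERVER['REQUEST_URI'] ) ? wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) : '';
        error_log( sprintf(
            '%s ephi_activity user=%s ip=%s path=%s',
            gmdate( 'c' ),
            $user->user_login,
            ephi_client_ip(),
            $path
        ) );
    }
} );
```

`error_log()` writes wherever PHP's `error_log` directive points; send that file to the same collector and review cadence as your other audit logs. Note that the per-IP counter lives in transients, which fall back to the database when no object cache is configured, so on a busy site a persistent object cache keeps the lockout check cheap. A reCAPTCHA step, which the section also mentions, would sit on the login form itself and is not shown here.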

Response and Reporting

meets requirements for 45 CFR 164.308(a)(6)(ii)

  1. In the event of any security incident of which we become aware, we will respond immediately to secure and protect all ePHI as far as possible. Details of any security incident will be documented and reported to you and to the parties to whom we are legally required to report.
  2. We will report any use or disclosure of ePHI not provided for by our BAA of which we become aware, including breaches of unsecured ePHI as required at 45 CFR 164.410, and any security incident of which we become aware.
  3. As a business associate, we will not send breach notifications on your behalf to individuals, the HHS Office for Civil Rights (OCR), or the media.

Annual Technical Evaluation

meets requirements for 45 CFR 164.308(a)(8)

  1. We will annually evaluate the technical implementation of these services, particularly in response to any environmental or operational changes affecting the security of ePHI either created, received, maintained, or transmitted by your website.
  2. We will provide a report with our results that will be sent to you via email. This report will also include the testing results of the data backup plan, disaster recovery plan, and emergency mode operation plan as required by 45 CFR 164.308(a)(7)(ii)(D).