This week on the HIPAA Vault Show we answer 6 FAQs about HIPAA WordPress. For more information on HIPAA Hosting and WordPress


Hello and welcome to The HIPAA Vault Show, where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine, your host for today, and I’ll be doing a solo episode today specifically focused on some frequently asked questions about HIPAA compliance when it comes to WordPress. So I’m really excited about diving into those questions with you today. I’ve before we get started, please give us a thumbs up on the video and subscribe for more content related to HIPAA compliance in the cloud and WordPress specifically as well. 

We have a lot of dozens of videos out there on our channel, so, yeah, give us a subscribe and check out more of our content. 

So let’s dive into it and we’re going to be discussing WordPress specifically today. 

And in terms of how we’re going to approach the questions, we’re going to talk a little bit about WordPress in general, and then also how HIPAA Vault manages WordPress for HIPA compliance. So we hope to be able to give you a lot of insight there. So, diving into it, the first question we have for today is what is HIPAA compliant WordPress? 

Well, from HIPAA Vault standpoint, HIPAA compliant WordPress is a managed service that we provide which essentially provides HIPAA compliance for the WordPress CMS or content management system. And that incorporates everything that’s needed to keep WordPress HIPAA compliant and keep a WordPress website live and HIPAA compliant specifically for medical related websites. So that is essentially what HIPAA compliant WordPress is. The next question is why does WordPress need securing? Which I think is a really good question, and it relates to we should probably start out by talking a little bit about WordPress. So WordPress is a content management system, as I said, and it is actually the most popular content management system. And what a content management system does is it allows you to build a website and incorporate whatever functionality it is that you need for that website functionality such as contact forms, scheduling and the like. It can also be used for more complex use cases for the website, for example, patient portals, user portals, things like that. And so WordPress is the most popular content management system in the world. Over 40% of websites are built on WordPress, and a lot of those are healthcare websites. 

Now why does WordPress need securing? Well, with that popularity also comes a lot of risks because it’s so popular. There’s a lot of attempts by hackers to compromise the code that’s used to build a WordPress. And specifically the biggest threat is within the plugin area. So WordPress has thousands of plugins or extensions that might be referred to in other CMS. And these plugins essentially allow someone developing a WordPress site to create various different functionality, like dynamic contact forms or scheduling, things like that. And these plugins, if they’re not robust and if they’re not coded in the right way, they can have a lot of backdoors for hackers to attack and in the medical industry. Specifically, if they attack a WordPress website that is housing medical data, protected health information under HIPAA, then that protected health information is very valuable to hackers. And so there’s a big incentive for hackers to get into unsecure WordPress websites so that gives you an idea of why it’s really important that WordPress is secure. 

The next question is: what are some features of HIPAA WordPress? Well, there’s a lot of features of HIPAA WordPress. I won’t go into all of them in depth in this, but I’ll touch on a couple when it comes to what goes into making WordPress HIPAA compliant. Obviously, the main guidelines for HIPAA are provided by HHS, the U.S. Department of Health and Human Services, and they give a framework for what needs to go into any kind of solution that is hosting medical data and specifically protected health information. Phi and what HIPAA WordPress does it aligns with those requirements from HHS? One of them would be with regards to user access, control and privacy there. So it implements policies such as least privilege for users, so users only have access to information that they need and then also security around the users to make sure that the users logging in are who they say they are. 

So implementing things like two factor authentication on WordPress user logins, so that’s one feature that is included in HIPAA WordPress. 

Another feature would be managed backups for the data because it is important, again, in line with HHS guidelines to make sure that the protected health information is preserved. And depending on the state, that varies, but a good benchmark is preserved for seven years. So the appropriate backups need to be in place there to ensure that no data is lost from the website should it go down due to a disaster or user error in terms of deletion on the main WordPress site. So that’s another feature that comes into play. There’s a lot of features like making sure that there’s a secure firewall that protects the website from malicious attacks, from whether it’s different countries, so GoIP based firewall restrictions, and then also more custom firewall policies. So there’s a couple of features of HIPAA compliant WordPress, and as I say, HIPAA Vault manages all those for the medical provider or the web development company that’s developing the WordPress site and full list of our features, by the way, is available on 

Moving on to the next question, I love this question. It’s: how will I know if my WordPress website needs to be HIPAA compliant? 

So when it comes to HIPAA compliance, and also I encourage you to check out HHS gov because they have a lot more detailed descriptions of what HIPAA is and where it applies, but in general a good way to view it is to ask the question about the website when looking to see If it’s HIPAA compliant. 

Ask the question, is there any patient information that’s being collected through the website and stored where the website is hosted? 

And that’s a very good way to tell if HIPAA compliance would apply. And there are gray areas here, so how will I know if a WordPress website needs to be compliant? The short answer is there any patient information that’s being collected? 

The follow up question naturally that comes here that creates a bit of a gray area is how do I know if it’s patient information? There are a couple of scenarios here. So if there’s a website that has a user portal that patients are using to log into and manage their healthcare. For example, then that’s almost 100% certain that HIPAA would apply there, the gray area comes in when it’s not necessarily a patient portal, but the website does have some contact forms on it. For example, and the visitors to the website are not necessarily patients, but they are visitors that are potentially interested in healthcare from the website owner. So they would fill out a contact form and maybe list out their name, their telephone number and maybe a description of what they’re looking for and at that stage, if the visitor is not contracted with the medical provider it’s not technically HIPAA information because they’re not a patient of the healthcare provider. 

However, at any stage, if they do become a patient, then that information is regarded as patient information. So you can see there where there could be gray areas. And typically we advise that if there’s anything beyond on the website, if there’s anything beyond your typical just informational website, if there’s anything where it’s interacting and asking for information to be submitted on the website from the visitors, and it’s medical related, then err on the side of caution and look for implementing the appropriate HIPAA procedures. And again, you can reach out to us at and we can advise. 

And if you’re not sure about whether HIPAA applies, then do reach out to us. But in short, how will I know if my WordPress website needs to be HIPAA compliant? If there’s PHI, then HIPAA applies. 

Next question. Can I build my own website from scratch with HIPAA compliant WordPress? Or do I need to use Hipavault’s templates? So, HIPAA Vault’s templates, if you’re not aware, HIPAA Vault provides medical templates, which are a great way to get started if you’re building a new website. We have templates that deal with different types of medical use cases like labs, therapy practices, clinics. I think we have over a dozen of those and they’re available to view and preview at HIPAA cloud. 

But in terms of the question, can you build your own website without the templates? Absolutely, you can build your own website from scratch. The templates are really just there to give you a helping hand. There’s nothing that stops you from building your own, and we can certainly accommodate that when you set up a subscription with us. 

And finally, this is a little bit of a techie question, so I love it. Does HIPAA WordPress include SSH access to the backend? All right, so SSH access to the back end. So SSH is essentially a way that a developer or a user that’s looking to access the WordPress site from the backend would connect to the WordPress server, essentially so it’s a secure way for developers to get into the server that hosts the WordPress site and modify files and edit code and things like that. A HIPAA WordPress actually doesn’t provide SSH access to the backend. A HIPAA WordPress is a software as a service, so all the access granted for development purposes is through the WordPress front end or the WordPress backend. So that’s a little bit confusing there. But essentially a WordPress user login is what’s provided there. Everything on the server level is managed by HIPAA vault, and that helps developers and the owners of the website manage their risk when it comes to HIPAA compliance because HIPAA Vault is obviously taking a lot of that burden on compliance away from the developer. And so that’s the way HIPAA WordPress is set up. 

All right, so we’ve covered six questions there. I hope I was able to provide you with a lot of detail for more information. If you have any questions that I didn’t touch on, feel free to leave us a comment below or reach out to us at, and we’d be happy to either answer your questions over email or get on the phone with you, and we’d be happy to go through HIPAA WordPress in more depth. So that’s it for today. We’ve discussed some frequently asked questions about HIPAA compliant WordPress. Thanks for stopping by.