This week on the HIPAA Vault Show, we talk about the least expensive ways to make a healthcare WordPress site HIPAA-Compliant

Want to learn more? Check out our blog post on secured WordPress

Transcript:


Adam
Hello and welcome to The HIPAA Vault Show, where we discuss all things HIPAA compliance and the cloud. My name is Adam Zeineddine and I’m joined today by CTO and founder of HIPAA Vault, Gil Vidals. 


Gil
I’m looking forward to today’s episode. 


Adam
Me as well. Last week we talked about HIPAA when it comes to emailing, outlook and Gmail. This week we’re going to talk about WordPress hosting. And in particular, we have a question that we get asked quite a bit. And today’s question is, what is the least expensive way to make my WordPress site HIPAA compliant? So Gil, do you have any initial thoughts on budget when it comes to WordPress sites and HIPAA? 


Gil
Yeah, I do. And things have changed over the years, but it was and still is somewhat expensive to do that, generally speaking, versus a website that’s a GoDaddy or one of these really inexpensive hosting platforms where they don’t protect sensitive information. You can get it for probably less than $50 a month. But a WordPress site that’s properly secured, you’re talking about typically hundreds of dollars per month. And HIPAA Vault has got a solution that’s under $100 a month. So that’s why we introduced that to a lot of medical practitioners. They just didn’t have the budget to pay too much for that. So we introduced that recently. 


Adam
Interesting. And yeah, I think we were talking a little bit before the call. And I get this question quite a bit because HIPAA Vault is a managed security service provider and we specialize in HIPAA compliant hosting. So as you can imagine, this question comes up a lot. And the way I like to break it down is to start first with the why of your website. And so what’s the purpose of the website? What are you looking to ultimately host? There could be a number of different things that the website is there to achieve, right? So it could be based on the idea of building trust and credibility for your brand awareness. The trust and credibility part could also involve, well, our brand. But then is our brand aligned with HIPAA practices and security? 


Adam
The other area to consider is providing information to your patients. Is the website there to primarily be a source of information on looking up symptoms and things like that? You have pages for specific conditions that the visitors might have and they’re looking to get information on. Then the other thing is, is the website more of a lead generation, lead conversion tool where you’re going to have contact forms, and then those contact forms are going to ultimately lead to more patients for your healthcare business? And then moving on to maybe more complex purposes: it might be your website has some sort of portal functionality in it where users are going to log in and access that information. And another option is, and this comes up a lot, when it’s something to do with medical supplies or pharmacy sales, ecommerce. 


Adam
So using your website to directly sell products to the internet. So there are a couple of reasons why you might want to host your website. And depending on that, the levels of security that need to be enabled for your hosting can vary. Gil, could you kind of align those to what kind of hosting might be needed in different circumstances? 


Gil
Sure. My first comment, first of all, is a really good summary of the reasons and different types of use cases for websites. And I would like to say that HIPAA compliance is really a binary situation. Either you’re HIPAA compliant or you’re not. So there’s not shades of gray where you can kind of on a HIPAA compliant scale, one to ten, you can score a five. It doesn’t work that way. Either you’re completely compliant or you’re not at all. And so really you have to decide, does my website need to be HIPAA compliant? And you should save some money if you’re a medical practitioner that just has a brochure website that just advertises your location on Google Maps with the contact form, here’s where I’m located. Here’s my bio. The therapist has their bio. 


Gil
That’s what we call brochure, where there’s no reason to go for expensive HIPAA compliance. Now, having said that, though, there are cases where a medical practitioner does have a form and they are accepting people to put in whatever they want, like a very general, like a notes area. And that can get you into trouble because in the note area, your patient or your potential patient might type in all sorts of patient protected health information that they’re allowed to do that because they own the information. But once they submit it, you have to carefully think about that. Where does that information go? Where is it residing? Well, it’s going to be residing on the web host server somewhere. And now you put yourself in a position where you better be HIPAA compliant because you are holding protected health information. So be careful. 


Gil
If you have forms, don’t just allow a wide open text field where they can type whatever they want. You put specifically what you want. So I went a little bit on a tangent there. But I did want to mention there are cases that Adam and I have seen, many cases where we get called from companies that they know. They realize they are not going to have protected health information, but they’re in the healthcare field, the healthcare industry, and they want to have a HIPAA compliant website even if they don’t have the patient information, because they see value in that from a marketing perspective. They see that if they have that, then it gives them more credibility. Which goes to what you mentioned earlier, Adam. So you have to think about all those things. 


Gil
It’s not always strictly a case of, oh, I don’t have patient information, therefore I don’t need this HIPAA compliance. Well, maybe that’s true, but maybe, how many sales are you going to lose? 


Adam
I remember using the analogy of a business card back in the day when I used to do a lot of outdoor sales and I’d have a business card. And often when you’re meeting a salesman, you would make some sort of distinction, just inadvertently, like, did they have a really thin, flimsy business card or did they have something robust with maybe laminate and stuff like that? I mean, that’s a while back, but it did help in some way to increase the trust and credibility, even though it was pretty superficial at that level. Anyway. 


Gil
Yeah, that’s a good analogy. Right. The ones that were really cool laminate cards, I’m going to keep this one. And then the other ones that are really thin, you just throw that one away. Yeah. So yeah, that’s a great analogy. So the credibility of having a HIPAA compliant website where you can put a seal there, like the HIPAA Vault seal, then that helps. So I think that answered what you were asking. 


Adam
So moving on a little bit to the maybe more, not complex, but more functionality based websites that are not necessarily just brochureware. So for the brochureware ones, you could probably go for a low cost entry hosting plan, $10, $20, $30 a month. But if you wanted something a little bit more, yeah, I’d like to build trust on that. 


Gil
I want to comment on that a little bit, because if you go somewhere like, say, GoDaddy or Wix, but especially GoDaddy, they do a great job of marketing and they will start you really low to get you in the door. They’ll get you as low as you can imagine. Super sale. And here you go and you’re all excited, but we’ve heard from many of our customers that we’ve gotten from GoDaddy that once you’re in the door, there are lots of features that you would take for granted. They charge you for them. So by the time you’re done with your actual site that’s working the way you want it to work, with the Google map and maybe a chat function or whatever, by the time you’re done with that, you’re looking at $50 or more at least. 


Gil
So you start off at $5 or $10, and then when you turn around, you’re at $50 at least maybe 100. So keep that in mind that just because that’s the advertised price doesn’t mean it’s going to stay there. And then there’s Wix and HostGator and there’s a bunch of other ones. But these are not services that will offer HIPAA compliance fee. And they don’t want to offer that. It’s not that they’re incapable or they’re bad. They’re great companies and they do one thing very well, and that is selling these inexpensive web platforms to every industry. Yeah, without compliance, they don’t want to enter that game because compliance is more expensive. And so that’s their playing field and it’s good for that. So if you’re confident that you don’t need HIPAA compliance, I definitely would save the money and go to one of these sites. 


Gil
I think they do a good job. 


Adam
Okay. And then for the use cases where there might be a WordPress site that does receive patient information through it, then what kind of recommendations would you make there? 


Gil
Well, I think the first level, I’ve seen companies, medical practitioners and healthcare app developers, that really are on a razor thin budget and they say to themselves, well, I’m paying next to nothing at HostGator or Wix or GoDaddy. So what they do is they’ll say, well, I do have to collect patient information, so I want to do it with this form, this intake form. And then what they’ll do is they’ll go to a place that has secure forms and then they’ll just link to that. So you go to the web page, fill out this form, it’s just a link, or they embed the form so it looks like the form is on their website, but it’s actually an embedded form and the form actually exists on this other secure platform. And so that’s kind of a hybrid approach. 


Gil
Now you’re paying two hosting providers, one that has your brochureware site that doesn’t have sensitive information, and then the second one, the second hosting provider, is holding the form and the data. So now you’re paying two bills for that. And to me, the way I think, although it does fulfill the HIPAA checkbox, now you’ve got two vendors to deal with, and I like to have one vendor instead of two. And so that’s a plug in. 


Adam
What are they doing there? Effectively, when you sign up for a HIPAA form, is it anything on the back end that they’re doing? 


Gil
Well, what they’re claiming is that form will reside in a HIPAA compliant environment and so they guarantee that the form is being collected in an encrypted transaction. 


Adam
Yeah, sorry, I just remembered as well for the viewers and listeners, we did an actual dive into HIPAA compliant forms as well in one of our previous episodes. So definitely check that out after this. 


Gil
Yeah, that’s good to check out, but I don’t think using a form only company that attaches to your website is the way. I think if you’ve crossed the line where you realize, I’m going to have HIPAA compliance that I need to manage, then I would go for a fully managed HIPAA compliant service where you have your whole site there. That’s my opinion. Again, why? Well, you’re adding two bills instead of one and you’ve got two phone calls to make. And don’t forget, when you get two vendors, what I’ve seen happen a lot in the hosting industry, and it’s kind of sad, because the hosting industry, like a lot of tech firms, they want to get you off the phone as quickly as they can. So when you call in with an issue, they’re rapidly trying to figure it out. So a lot of times what will happen. 


Gil
They’ll say, well, it wasn’t us, it’s your other provider. And then you call the other provider and they’ll say, oh no, it’s not us, it’s your other provider. And if you’re not really technical, you’re like, I don’t know who to believe. Now both are pointing this way, and so having two providers that are technical, unless you’re really technical, you’re going to be sandwiched in between and you’re not going to like it. 


Adam
Yeah, I think I’ve seen some of those tickets sometimes where it’s one hosting provider, the support channel for one hosting provider, talking to the support channel to another hosting provider and it’s like two mirrors, right? 


Gil
Yeah. So again, just as a recap, I don’t like that method, although technically speaking, yes, having a form provider will typically fulfill the check mark, but I think it comes with too much baggage and too much potential for issues. So of course, if you talk to the form provider, if you call the form provider yourself, they’ll say, oh no, it works great and people love it, but you have to just make your own decision on that. 


Adam
Okay, so we’ve reviewed the entry level non HIPAA options and then the almost mid level where you’re protecting a specific WordPress plugin. What about if a client or a customer is concerned with getting their whole website HIPAA compliant and having business associate agreements in place? That’s definitely something we offer, right? Is that something that, budget wise, can be accounted for in any way? 


Gil
Yeah, this is a good thing to talk about for a minute, and I know we’re coming to a close here shortly, but keep in mind, as soon as a company, a hosting provider, cloud service provider, has to sign a business associate agreement, they’re taking on liability. What the associate agreement basically says is, look, you, Mr. Healthcare app developer or medical professional, you have patient information that is sensitive. And then the hosting company is saying, and we acknowledge that and we’re going to work together, we’re going to be connected at the hip. If something goes wrong, we can’t point fingers at each other, like what was your fault and all this stuff. They’re both going to be accountable and responsible for that. That’s what the business associate agreement really does. 


Gil
And so any company that’s going to take on that liability, just think about it, in today’s world with inflation, no one wants to do that for $10 a month. It’s just not worth it. Right. So you’re looking at spending considerably more just for the liability, not for the technical reasons, which are expensive in and of themselves, but just for the liability. The company has to be able to generate enough revenue to be able to support that effort. So I think whenever that BAA comes up and you’re signing, that means you’re dealing with a company who knows what they’re doing. They’ve accepted that responsibility, and they’re going to invest in all the security tools and the engineers and compliance manager and everything else that comes along with that. 


Adam
Yeah, absolutely. And I know that HIPAA hosting ranges in price from in the hundreds to in the thousands per month, right. At HIPAA Vault, we do offer one of the most affordable plans on the market. So feel free to check out our plans. We have a plan for you on HIPAAVault.com specifically for WordPress as well. We’ve got really great plans to host your WordPress site. Any other considerations, Gil? 


Gil
Well, you know, reach out to us if you have some questions. Just feel free to reach out, especially to Adam. He’s not, as you can tell here, he’s not going to be down your throat trying to sell you something. He’ll just answer some questions. And if that’s all it is, that’s fine. We want to help the community out as well. So if you have some questions about the HIPAA compliant solution, infrastructure and cloud services, we’d be happy to help you out. 


Adam
Absolutely. Yeah, I was just going to mention, Podcast@hipaavault.com is a great place to email us or tweet us at @hipaahosting. Other than that, make sure to subscribe. And please leave us a review if you enjoyed this episode. Until next time, thanks for stopping by.