This week we talk about WordPress forms and how to implement HIPAA compliance for forms on a WordPress Healthcare site and recommended tools.

Transcript:

Adam
Hello and welcome to the HIPAA Vault podcast, where we discuss all things HIPAA compliance and WordPress. Last week we talked about WooCommerce. This week we’re going to talk about HIPAA compliant forms for WordPress. My name is Adam Zeineddine, and I’m joined by the CTO and founder of HIPAA Vault, Gil Vidals. Hey Gil.


Gil
Hey Adam. Looking forward to talking about forms for a HIPAA environment today.


Adam
Absolutely. So let’s get stuck in, shall we? So, a little bit about WordPress forms. A WordPress form is a feature that allows a user on a website to submit information to a website administrator or owner of the website through a web form on the site. The form typically includes information like the user’s name, address, some contact details, and maybe a message from the user to the owner of the website. In the case of healthcare sites, it becomes particularly important for the developers of the healthcare website to pay attention to HIPAA compliance when it comes to the form data that’s being collected on the site. So Gil, what kind of controls need to be in place when it comes to forms, taking into consideration HIPAA?


Gil
Yeah, that’s a good question, Adam. Before I jump into that, I did want to mention that the whole premise here is there’s going to be patient or protected health information. If you have a website that’s just brochureware, and you’re just having a person fill out some basic information without touching patient health care, then you probably don’t need that. So consider that from the beginning, because a lot of medical practitioners just have a pretty brochureware site that’s not very deep, and so you probably don’t need any of this. But for those other practitioners that do have and do collect information that’s considered PII, personally identifiable information, or HIPAA compliant, they need to be careful to make sure they’re properly protecting it.


Gil
So the forms themselves, what happens is when someone fills out the form, that’s on the computer, the laptop of the user. They’re filling it out, so that information is there physically on their browser. Now you can’t protect what they’re doing because they’re typing it in. Someone could walk behind them and see what they’re typing. Well, that’s his problem. It’s in his home, that’s on his laptop. But once he hits the submit button, it becomes your responsibility. Now, because he submitted it, it’s traveling through the internet. It’s traveling through the internet to the web server. And that connection, as I’m drawing a little rainbow here, needs to be encrypted. So that’s HTTPS. So you, as a medical practitioner or audience, make sure that your form, when you hit submit, you test your own form out, make sure when you look at the browser that it says HTTPS and that you don’t have a little red line.

If there’s a little red line, a little circle with the red line, or a little exclamation, click on it and it’ll tell you what the problem is. It’ll say, hey, your SSL certificate. That’s the secret behind these certificates. This secure connection is outdated, it’s expired. We’re talking to an audience here that’s not necessarily the developer. We’re talking about the owner here. And that’s why we give you tips on how you can do this yourself, or at least not how to implement the technology, but how to check to make sure it’s working, instead of just being blind like, oh, I don’t know what my developer is doing.


Gil
No, you have the responsibility to check to make sure your developer or your tech team has done it properly. And you can do this quite easily because you just see these little red marks come up. So in a sense, a short answer is just the encryption has to be enabled and working. 


Adam
So would that be referred to as encryption in transit or in flight? 


Gil
Yeah, encryption in transit or in flight. In transport. That’s why it’s traveling. Now when it lands on the computer on the web server on the other end, then that system should be encrypted at rest. What that means is if you power off that web server that received the form, if you powered it off when it’s at rest, sleeping, it needs to be encrypted. That’s the idea behind that. 


Adam
Okay, so encryption in transit and at rest. What about the data? What kind of controls need to be in place to protect in case the data gets accidentally deleted, or so on?


Gil
In terms of backups, the regulations say that your patient information should be readily accessible. So if you think about what does that mean? What if your developer called, all in a frenzy: the web server company blew up, they fell apart, they went bankrupt, and we can no longer get to that data. You’re like, uh-oh, we’ve got a problem. So you can’t make it accessible if your web hosting company went bankrupt. So you’re obligated to have a backup. And what’s called an off-site backup, off-site backup, means that it’s not in the same location as your production web server. The backup is made here, and then you copy that backup somewhere else. So you should be asking, well, where’s this other backup, this off-site backup? And so that’s one of the things for HIPAA compliance that you really should pay attention to.


Adam
Okay, so ensure that there is some backup policy in place. 


Gil
Yes. 


Adam
Okay, how does the developer or the website owner go about tackling, making sure that the controls are in place and who do they go to for that? 


Gil
There are these policies that are written down, and then the policies in turn use controls to enforce the policy. So I’ll give you an example. One policy might be that you always can see who is accessing the protected information. So someone might say, well, how are we going to implement that control? Well, you could have a web camera that’s watching. This is just an example. So the policy just states loosely, or not loosely, but generally speaking, what you should do. And then the implementation of how you achieve that goal is kind of up to you. But there are many policies. It can be overwhelming. You’re talking about many pages of policies that if you read to page three and you’re still awake, I’d be amazed. So these are very detailed and they’re technical.


Gil
So here’s the easiest thing to do before we lose the audience, before they hit that we’re out of here button. All you need to do is find a HIPAA compliant provider because that’s what they focus on. So HIPAA Vault, our company specializes in hosting companies that have protected health information. That’s what we do. We don’t do lots of other things. That’s our focus, that’s what we do. So find someone who specializes, they devoted their lifetime work to do that, so that they can tell you, here’s our policies, they can show them to you. You can ask for them, you can read through them, and then you can ask them a spot check. You can say, well, how do you implement this policy? And then they should be able to give you a good answer. So that’s how you can do it. 


Gil
So the short answer is spot checking. You’re not going to have time to sit there and read through all these pages of stuff. You’re not going to have time to follow up. But if you spot check, if you remember your high school statistics course, you don’t have to always check everything. As long as you check enough items, a few items, likely, if they’re not doing a good job, you’re going to catch them. You’re going to say, AHA, I’ve asked you about this policy and you don’t have anything to support that policy. There’s no implementation. So that’s a red flag. Like, oh, if they’re missing that one, they’re probably missing lots of other ones. And now I need to be careful.


Adam
Right, so choose a hosting provider that’s well versed in HIPAA compliance, essentially, yes. 


Gil
And there are, of course, if you look up hosting, there’s a million of them. But just like anything else in life, Adam, there are specialists. In football games, you have specialists, you have the kickers and you have the tacklers. Well, in the website web hosting world, it’s the same thing. Not everybody does the same kind of hosting. Some people host just videos. That’s all they do. They just host videos. Others host patient information or medical data like we do, and others host only financial information. So find the specialist, right? If you know you’ve got a problem, you go to the specialist doctor. Everybody knows that if you’re going to have a bone fracture fixed, you’re going to go to the orthopedist. Well, if you have medical data, you better go to the specialist provider. It might be obvious.


Gil
You’re like, why do you have to say this? Isn’t that obvious? Well, no, it’s not obvious. Not everybody knows that web hosting is a specialized business. But almost more importantly, a lot of the audience just says, well, I’m just going to choose the cheapest provider. I’m going to GoDaddy for $20 a month. It’s like, wow, that’s not a very good decision, because they’re not a specialist in that and it’s super cheap. But that’s because they’re not doing all the work required to be HIPAA compliant. Of course it’s going to be cheap. So you really need to think about who your provider is. That’s your partner, that’s an extension of your company, this provider, and choose carefully.


Adam
I would say, yeah, no, they’re great points. What I come across a lot with customers that are looking to make their website HIPAA compliant in general is they’ll come to us and maybe they’re hosting with GoDaddy or another provider and they’re paying like $20 a month, but then they’re also paying for specific plugins to guarantee HIPAA compliance for those plugins. And then their bill ends up being hundreds of dollars a month because they’re going with different vendors for each plugin. And this is particularly applicable for HIPAA forms because I know that there are paid HIPAA forms out there, but they secure the form, right? Could you go into a little bit of detail on that? 


Gil
If you want a compliant form that’s going to collect sensitive information, then you can go to a provider that specializes only in forms. And what you do is you go to your WordPress website and you enable this form. But keep in mind how it works. When your customer, the patient, or the end user, they’re filling out the form. When they hit submit, that form is not going to travel back to your web server, it’s going to travel back to the web server of the form provider. So one example is Gravity Forms. So Gravity Forms, you integrate it into your website, but that web page on your website, when you hit the menu forms, it goes to a page that’s in a frame. So you have a frame. And that frame page is actually at the Gravity Forms web server. It’s filled out.


Gil
And when they hit submit, it goes to them. This is just a description. I’m not saying this is good or bad. This is just the way it works. Whereas if you have your own form that lives on your own web server, when they fill out the form, they hit submit, it goes back to your own web server. So now you understand there’s two different paths. Both of them are HIPAA compliant, both of them work. With sites like Gravity Forms, you have to pay for it. And again, that’s probably a good thing, to pay for something that’s that important. I think there is a downside, I think, and maybe we’d have to dig into a little bit more. But when you have websites these days, the analytics is very important.


Gil
You want to know where your traffic is coming from, how many seconds are they on your website? I mean, there’s a lot of key analytics. When a user leaves your site and they travel to another site, that analytics is going to say, well, they left the website, they’re gone.


Gil
I wouldn’t say it’s necessarily inaccurate, I would just say you’ve lost the eyeballs. The eyeballs that were on your site now are gone. They’re over here now. However, if you craft it just right and the form is embedded, when they’re done filling the form out, usually they can come back to your website with the thank you note, hey, thank you for filling out the form, now they’re back. So I’m not saying it’s terrible or you can’t track it; just be aware that the user is traveling to another site even if they don’t know it, because it looks like it’s fully integrated. But that’s how the technology works. And I think there are some good form providers, and I know you wanted to talk.


Adam
There are free form plugins, right? I mean, I hear a lot about Contact Form 7, WPForms. There’s a couple of free form plugin providers. There’s also paid plugin providers like you mentioned, Gravity Forms, cold forms, right. So what would you typically recommend? Like a specific form plugin for clients that are looking to host compliant?


Gil
So paying for a form versus a free form? Typically the paid forms or paid plugins to WordPress have an advantage. And the advantage when you pay is twofold. One is you get support. So if something goes wrong, you can get someone who actually will help you. The free ones have help, but they’re based on the community. That means there’s nobody there that can help you specifically. You just post a message and hope that some other user of that plugin will respond. And the second advantage is if it’s paid, you get a right to the update. So when the author adds a feature or fixes a bug, you have the right, because you’re a paying customer, to upgrade to that. If you’re free, if you’re a free user, then a lot of times the author says, well, you’re out of luck, right? 


Gil
You’re not going to get the latest update, you’re going to be behind a version. And that version you’re behind could be important. There could be a vulnerability in that version and you don’t want to be on it very long. What’s more important is to just work with the form that you like. So you have a lot of leeway. You have a lot of leeway. Our audience can pick the forms that they like. Contact Form 7 is certainly one you should look at, because it is popular for a reason. They’re good forms. And you say, well, how do you make it HIPAA compliant? Well, the HIPAA compliance comes from WordPress. WordPress is the mechanism. It’s like the car, right? You get into the car, the car takes you somewhere. Well, think of the car as WordPress.


Gil
WordPress is the car, and then Contact Form 7 is getting in the car. So the car, as long as the car is secure and safe, the passengers are safe as well. So in this case, WordPress, if WordPress is HIPAA compliant, it’s got all the security controls, then the passenger in that case is the Contact Form 7 plugin. It moves with the WordPress site. So that’s the main thing. Focus on WordPress, making sure it’s compliant. The form will come along for the ride. It will also be compliant as long as you’re keeping the plugin up to date. There’s always a caveat, right? A lot of people make the mistake of getting a form. They plug it in, it’s all working, they’re all good to go. And then two years later, they’re still on the same version from two years ago. No updates. That’s not compliant.


Gil
They’ve broken HIPAA compliance, because that old plugin has a list this long of all the vulnerabilities that the hackers know about. So there is some work to do there, but that’s something your provider should be. Well, I shouldn’t say should be. I have to be careful how I say this. There are hosting providers, Adam, that advertise HIPAA compliance, but they will tell you, they’re transparent. They’ll say, we don’t deal with your plugins. That’s up to you, and that’s fine. They’re telling you that upfront. The price might reflect that; maybe it’s a cheaper provider because they’re not doing all that work. At HIPAA Vault, we like to do that for our customers. If it’s fully managed, we have a fully managed plan and one that’s up to the customer. But the fully managed one, we update the plugins. So that’s our responsibility.


Gil
So you have to choose which way you want to go on that. Do you want to save some bucks and do it yourself, or do you want someone else to be responsible for that? 


Adam
Yeah, and on that note, you can check out our HIPAA compliant managed WordPress plans at our website, hipaavault.com. Okay, Gil, any other considerations when it comes to HIPAA compliant forms?


Gil
Well, forms, I want to give a little tip, Adam, forms. There’s been studies done on forms and which forms are more successful. From a marketing point of view, if you have a lot of information to collect, that’s okay. But don’t get one of these forms that’s a mile long. The bounce rate is high. That means that someone will look at it, they’ll fill out the first few and they get tired. They’re like, I’m done. I’m out of here. I’m going to go get my pizza and watch my favorite movie. I’m done. If you’re going to have a long form, it has to be broken up. So you have maybe three questions and then a next, and then three or four more questions next. Three, four, next. And then at some point submit it. And that’s attractive because they never know when it’s ending. 


Gil
And you say, well, why don’t they abandon it then? Well, you may have a breadcrumb at the top. The breadcrumb shows you’re on section A, section B, section C, and then it’s kind of like a game. They’re like, oh, I want to complete this now. But anyway, the studies show that a form that’s long, that’s broken up into chunks with the breadcrumb, that works well, and people will tend to fill that out more. Now, the best case scenario, even better than that, is just have a little form. There’s no next. But sometimes you can’t avoid it, right? I mean, you need to collect sometimes more detail. Like if you’re a therapist and you need to know more about your prospective client, you’re going to need to ask a lot of questions, and that’s okay. 


Adam
All right, fantastic. If you have any questions, you can email us at podcast@hipaavault.com. Leave us questions also in the comments below on YouTube, and you can also tweet us at @hipaahosting for any questions. That’s all for this episode. Be sure to share, subscribe, and like the channel. And until next time, thanks for stopping by.
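Two checks from the conversation above lend themselves to a script a site owner can run rather than eyeball: does every form (or embedded frame) on the page submit over HTTPS, and to which server does the submission actually go, your own or a third party's; and how long is left on the certificate behind that connection. The following is an added example written for this page, not code from the podcast or from HIPAA Vault. The page URL, hostnames and HTML are constructed for illustration and do not exist; a clean result here means the submission path is encrypted and you know where it lands, nothing more.

```python
"""Audit where a WordPress page's forms submit, and over what.

Added example, not code from the podcast or from HIPAA Vault. The page URL,
hostnames and HTML below are constructed for illustration.
"""
import socket
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a clinic contact page with a native form, a legacy form
# and an embedded third-party form. None of these hosts exist.
SAMPLE_PAGE_URL = "https://www.example-clinic.test/contact/"
SAMPLE_HTML = """
<form id="contact" method="post" action="/wp-admin/admin-post.php">
  <input name="patient_name"><input name="message"></form>
<form id="legacy" method="get" action="http://www.example-clinic.test/intake">
  <input name="dob"></form>
<iframe src="https://forms.example-vendor.test/embed/123"></iframe>
"""


class FormCollector(HTMLParser):
    """Collect <form action/method> and <iframe src> attributes from a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower()})
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])


def _assess(page, target, method, kind):
    t = urlsplit(target)
    findings = []
    if t.scheme != "https":
        findings.append("not-https")      # field values leave the browser in clear text
    if t.netloc.lower() != page.netloc.lower():
        findings.append("third-party")    # submission lands on someone else's server
    if kind == "form" and method != "post":
        findings.append("get-method")     # field values end up in URLs and server logs
    return {"kind": kind, "target": target, "findings": findings}


def audit_form_page(page_url, html):
    """Return one assessment per <form> and per embedded <iframe> on the page."""
    collector = FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    results = []
    for f in collector.forms:
        # urljoin with an empty action resolves to the page itself (posts back).
        results.append(_assess(page, urljoin(page_url, f["action"]), f["method"], "form"))
    for src in collector.iframes:
        results.append(_assess(page, urljoin(page_url, src), None, "iframe"))
    return results


def cert_time_to_epoch(not_after):
    """Parse the 'notAfter' string as returned by ssl.SSLSocket.getpeercert()."""
    return ssl.cert_time_to_seconds(not_after)


def days_remaining(not_after, now_epoch=None):
    """Whole days until the certificate expires (negative once it has expired)."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    return int((cert_time_to_epoch(not_after) - now_epoch) // 86400)


def live_cert_days_remaining(host, port=443, timeout=5.0):
    """Connect to host, validate its chain the way a browser would, and report
    days until expiry. Raises ssl.SSLError for an untrusted or expired chain
    (the same condition that produces the red warning in the address bar)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return days_remaining(tls.getpeercert()["notAfter"])


if __name__ == "__main__":
    for r in audit_form_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "ok" if not r["findings"] else ", ".join(r["findings"])
        print(f"{r['kind']:6} -> {r['target']}: {status}")
```

Everything except `live_cert_days_remaining` runs offline against the constructed page. On a real site, fetch your form page's HTML, pass it with the page URL to `audit_form_page`, and treat any `not-https` as a stop-ship and any `third-party` as a question for your provider about where that data lives and who backs it up; `live_cert_days_remaining("your-host")` is the scripted version of clicking the padlock.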