Is Contact Form 7 HIPAA-Compliant?
By Gil Vidals, HIPAA Blog, HIPAA Hosting, HIPAA WordPress, Resources, Security

“There’s a form for that.”

You’ll hear it when you start a new business, do your taxes, or register your boat with the DMV. And your patients will surely hear it when they register to receive your quality healthcare.

Medical history forms, HIPAA consent forms, patient referral forms, insurance information forms, notifications and review forms – the list goes on.  

All that paperwork is critical, of course; still, it’s no pleasure cruise for your staff: the copious data entry, deciphering of hard-to-read handwriting, re-mailing of lost forms, and all that postage.   

That’s why you’ve simplified life by adding a plugin for forms to your WordPress website. It’s a great move towards streamlining the collection of data, going paperless, and also enhancing the patient’s experience.

And if you haven’t yet added forms to your site, you might discover that one of the oldest such plugins for WordPress is Contact Form 7. Highly customizable, Contact Form 7 allows for the management of multiple contact forms while providing features like Akismet spam filtering, CAPTCHA, and more. And, it’s free.

But before you race to install the plugin and sail away, there are two key questions you’ll need to consider: 

Question #1: Is Contact Form 7 HIPAA-Compliant?

The answer actually rests on another question: 

Is your WordPress site HIPAA-compliant? 

Think of it like this: imagine your site is like a “ship” carrying valuable cargo – all your content, plugins, and sensitive patient data. The first question you’ll want to ask is, is my ship really seaworthy? 

In other words, is your site prepared to resist the violent storms and squalls of cyberattacks and data breaches aimed at healthcare sites in general, and WordPress sites in particular? 

If the answer to this question is “no,” then a forms plugin like Contact Form 7 (or WPForms, Formidable Forms, etc.) won’t hold water either. In other words, it won’t be HIPAA compliant and secure – not if the ship it’s traveling in isn’t “seaworthy” itself.

So the bottom line about your plugin is this:

A secure, HIPAA-compliant WordPress site is essential to keep your plugins, forms, and everything else “afloat.”  

Of course, there are other concerns, such as whether the plugin is kept up-to-date with the latest security patches. Not doing so is like inviting water to pour in – before you know it you’ll be visiting Davy Jones’ locker.

So what is required for a HIPAA-compliant WordPress site? Or to stay with the ship analogy, how do you “batten down the hatches” and allow your forms plugin to remain secure?   

First, let’s sweep the deck and clear away any misconceptions. HIPAA compliance for sensitive medical data won’t be achieved with a cheap, traditional hosting company like GoDaddy.

The ability to secure your data’s privacy, integrity, and high availability requires technical configurations that they simply can’t provide.

This is why they won’t offer you a Business Associate Agreement (a requirement for HIPAA-compliant hosting) to protect your medical data. 

In contrast, a HIPAA-compliant host – like HIPAA Vault – will ensure your WordPress site rests on a HIPAA-compliant infrastructure, with all the strong, end-to-end privacy protections your data needs. 

Your answer to “Is Contact Form 7 HIPAA Compliant?” then rests on whether your host offers a BAA, and an environment that necessarily includes:

1. Access Controls: 

This is a system of unique user IDs and strong passwords, procedures for login and logout, encryption and decryption, and emergency access – all designed to determine who can access your protected health information. Once a determination is made regarding the appropriate access and permissions for your team, our skilled admins will set up these unique user IDs.

2. Encryption – both in transit and in storage in servers:  

Encryption is the “standard of care” for protecting health data; it provides this protection by replacing your data with ciphertext, making it unreadable until decrypted. 

This is an integral part of our managed services. HIPAA-compliant hosting ensures the encryption of data “in transit” – meaning, from the patient to the web server, and beyond the host’s physical boundaries across the wide-area network (WAN) between data centers – and also “at rest” on their servers.

HIPAA Vault follows the guidance of the National Institute of Standards and Technology (NIST), which recommends the Advanced Encryption Standard (AES) with 128, 192, or 256-bit keys, OpenPGP, and S/MIME.

3. Monitoring your systems 24/7 to ensure consistent reliability and uptime:

HIPAA-compliant data must be highly available so you can treat your patients, anytime and anywhere. One way a HIPAA-compliant host will maintain the high availability and integrity of data is by monitoring the health of each server, in addition to server security. Monitoring includes assessing the status of the hardware, operating system (OS), and the applications running on top of the OS. 

Systems administrators and network engineers rely on monitoring to alert them when predefined conditions arise, such as high CPU loads and disk usage. This aspect of managed services allows them to take action proactively and keep your system available and running smoothly.

4. Ensuring regular vulnerability scans of servers and mitigation of those vulnerabilities:

A HIPAA Compliant host should scan your HIPAA-related servers regularly, and enable alerts, 24/7/365. The purpose of the scan is to discover any vulnerabilities in the hosting environment (a report should be available to you whenever you ask for it). 

In addition to providing the report, the hosting company should be involved in helping remediate any vulnerabilities that are related to the infrastructure in order to ensure server security. 

5. Ensuring Data Center Compliance, with backups:

HIPAA Vault’s customers can have peace of mind that our world-class data centers meet or exceed industry-standard certifications, including SSAE 16, NIST 800-53, and Service Organization Controls (SOC) audits 1, 2, and 3.

Numerous audits, along with HIPAA and HITECH Omnibus standards, are used for assurance and validation that all service controls have been implemented and are functioning properly. 

Automatic, offsite backups kept in a geographically separate location – at least 50 miles away – also preserve critical data integrity and availability. In the event of a natural disaster (earthquakes, fires, or storms), servers and backups remain available.

6. Ensuring Log retention:

Log retention of 6 years minimum is a HIPAA mandate. These logs will include both failed and successful login attempts to systems, networks, and all areas where PHI data is kept, as well as logouts.

In accordance with HIPAA regulations, the host ideally should offer a streamlined approach to gathering these logs and searching through them. 

7. Ensuring Appropriate Physical and Technical Safeguards

In accordance with the HIPAA Security Rule, your company must maintain appropriate physical safeguards to help ensure the confidentiality, integrity, and security of PHI. Do you have policies and procedures in place for this?

There should be safeguards to protect IT facilities (IT departments, data centers, etc.) and the equipment therein from unauthorized physical access, tampering, and theft. This would include personnel and property controls, locked doors, restricted-area warning signs, cameras and alarms, security services, etc.

Question #2: If I do download a free forms plugin and try to manage it myself, will there be technical support? What about regular security updates?

Answer: You won’t get true and prompt support with a free plugin – it’s just not how it works. Technical support costs money. Again, think of the ship analogy: the sailors need to get paid. 

This matters because if any technical problems do arise (and they likely will), do you really want to be hunting through open-source forums to find answers? Do you want to take time away from patients to troubleshoot a glitchy form or poorly running site? 

As critical as your environment is for being proactive in your patient care, you need dedicated support technicians who will personally answer the phone and resolve your issues promptly. Essentially, they should act as an extension of your own company. 

For example, HIPAA Vault maintains a “tier-less” technical support staff that’s able to handle everything from general support questions and maintenance to more complex issues such as advanced firewall configurations and system monitoring – with over 90% resolution the first time you call.

No phone trees or being kept on hold for long periods of time. Our proven managed services allow you to streamline your IT costs, effectively saving you money.

And what about security updates? This, too, is critical to understand: you won’t get automatic security upgrades with a free plugin. 

Once you find yourself with an out-of-date version of a plugin, as we mentioned, it’ll be like having a hole in your boat. You’re now vulnerable to malware flowing in, residing in your system, and causing a potential breach of your sensitive data – possibly even sinking your whole enterprise.

In that case, do you really want to go down with your ship?

Fear not, HIPAA Vault has an answer: let us navigate, with our fully-managed WordPress. We’ll not only provide a secure vessel for your site but will provide the latest security updates for your plugins, along with antivirus, updated versions of MySQL and PHP, 24/7 monitoring and support, and more.

In other words, we’ll expertly steer your ship through the storms of cyberattacks when they come.

So, are you ready to update your site and smooth your sailing with some great forms? Give us a call! 760-394-6920. Our secure, managed platform for WordPress will ensure your forms and site are optimized and running smoothly, keeping your cargo and patients safe and secure!