Is WooCommerce HIPAA-Compliant?
By Gil Vidals, , HIPAA Blog, HIPAA Hosting, HIPAA WordPress, Resources, Security

More than ever, commerce lives online.

From banking to shopping, we’ve come to expect smooth, streamlined experiences whenever we visit a website. How has that impacted healthcare? How should providers respond? 

Our WordPress customers tell us: consumers appreciate the convenience and ease of being able to buy specialized medical devices like hearing aids and dentures, medications, and even caregiving services online. 

The message is clear: today’s healthcare organizations must leverage the benefits of eCommerce innovations to improve their care.

Highly Functional, Secure Healthcare Websites  

As noted on, WooCommerce is the world’s most popular open-source eCommerce solution, offering numerous benefits and features, including: 

  • Beautiful storefronts, with brand and industry-specific themes
  • Revenue growth, through an optimized shopping cart experience
  • Customized product pages
  • Showcase of both physical and digital goods, with instant downloads and more 
  • Improved visibility and search results with WordPress’ SEO advantage 
  • Payment options, and simplified sales tax with automated calculations 
  • Monitoring of your store on the go

Yet while highly functional, feature-rich, secure websites for these transactions are now an indispensable part of doing business, the first roadblock to offering these digital solutions is – you guessed it – HIPAA data and privacy regulations.

Proven security specialists are required to meet the physical, technical, and administrative safeguards of HIPAA, in all environments where sensitive, electronically-protected health data (ePHI) is exchanged. Adding WooCommerce capabilities to a website, then, should prompt a salient question.

Is the WooCommerce Plugin HIPAA-Compliant?   

The simple answer is no; “out-of-the-box” WooCommerce – like WordPress itself – is not HIPAA compliant. WooCommerce was not designed with the full protections necessary to securely store or transfer ePHI.  

So what is needed? 

Like WordPress, applying the right security is critical; yet doing so in a haphazard or piecemeal way won’t cut it.

Only comprehensive security measures that are designed for HIPAA compliance will truly protect your site and data from malicious attacks – especially necessary with WordPress since its ubiquitous nature makes it highly targeted:

1. A HIPAA-Compliant Host

As stated, if your healthcare site handles ePHI and you are not using a compliant host, understand that traditional web hosting companies will NOT promise to secure your medical data. 

In contrast, a HIPAA-compliant host will offer you a BAA – a written pledge to protect your PHI in transit, and as it rests in servers and data centers. With a BAA, the responsibilities of each party for preserving critical data protections are clarified.

It behooves you therefore to have your site migrated immediately. This is a must to protect WordPress and WooCommerce from the serious consequences of a data breach.

2. HIPAA Safeguards

Protecting WordPress/WooCommerce means you’ll also need the full range of technical, administrative, and physical safeguards which HIPAA requires. This includes written policies for your organization and everything from door locks to security services to cameras.

For your online environment, a HIPAA-compliant host for WordPress/WooCommerce should provide 24/7/365 managed security, including system monitoring and alerts, vulnerability scans and mitigation, anti-virus and managed firewall rules, intrusion detection and prevention, and regular patching and updates.

3. Access Controls

A HIPAA-compliant environment will possess all the access controls necessary to preserve the confidentiality, integrity, and availability of protected health information – in servers, databases, and data centers. 

Access controls to your HIPAA environment will be governed by the least privilege principle, restricting access to sensitive data to only those who need access. Strong passwords and two-factor authentication are also critical.

4. Updates

A HIPAA-compliant host will use the most trusted and up-to-date security plugins for WordPress/WooCommerce, and any other plugin utilized. Updates provide security fixes for vulnerabilities; a site can be compromised more readily if just one plugin is out-of-date.

5. Encryption

PHI traveling through WordPress/WooCommerce will need the technical safeguard of encryption. Encryption is the industry standard for data protection, rendering your data unreadable (through ciphertext) should it ever fall into the wrong hands. 

An SSL certificate will be required to establish an encrypted session between the server and client to protect PHI data during transport.

6. A Secure Database Connection

A HIPAA host will segregate your public-facing website server from your database server. This way, if your web server is breached, your database server will not be impacted. 

7. Securing the LAMP Stack

The software infrastructure for WordPress/WooCommerce is called the ‘LAMP stack’: Linux, Apache, MySQL, and PHP. (Apache is the common HTTP web server software). 

Securing your LAMP stack is critical; it includes:

  • maintaining regular updates for OS, Apache & PHP
  • ensuring strong encryption & encrypting data at rest
  • restricting access to only authorized users
  • ensuring unique, strong passwords for all LAMP software
  • securing file permissions
  • never using root user to configure WordPress
  • Disabling the browsing directory

8. Offsite Back-Ups in a Secure Data Center

Automatic, offsite backups for redundancy are critical to maintaining your WooCommerce transactions and the high availability of PHI data.

Backups should be geographically removed – at least 50 miles away or further – to prevent natural disasters (earthquakes, fires, storms) from destroying both servers and backups as well.

9. Log Retention

Logs keep track of who accesses protected health information (PHI), and why they are accessing it. 

Logs must include all:

  • new or deleted user accounts
  • malicious system breach attempts
  • failed and successful login attempts 
  • attempts to modify software or logs

Logs must be kept for a minimum of 6 years  – a HIPAA mandate.

If this seems overwhelming, it’s because it should be for the average healthcare organization. Do-it-yourself, in this case, will be highly complex, time-consuming, and expensive. 

The good news is, HIPAA Vault’s fully-managed WordPress with WooCommerce can give you all this and more.

Why Choose WooCommerce with HIPAA Compliance?

Just as provider-patient portals are now common, the addition of eCommerce functionality to pay for needed services is becoming increasingly valued by both providers and their patients.

Consumers expect healthcare to offer the same kinds of online experiences that they enjoy elsewhere. This includes eCommerce for purchasing medications and devices, virtual visits, and more. Websites must provide this functionality.

Yet HIPAA Vault understands: caring for patients is your skill set, not hardening servers or configuring websites to protect sensitive transactions. 

Our HIPAA-compliant Linux hosting for WordPress with WooCommerce does the job for you. We provide a highly secure WooCommerce platform – a fully-managed, hosted solution designed for HIPAA compliance – that will help grow your business while increasing patient satisfaction. 

Want to learn more? Give us a call! 760-394-6920.