To deliver HIPAA compliance within WordPress, the first step is to understand the basics of HIPAA-compliant IT. Relative to the specific deployment, perform a risk analysis and then build with five basic concerns in mind.
HIPAA compliance in IT – the basics
Why is this form of compliance needed? Organizations in healthcare and their service providers want to avoid federal fines but also want to generally prevent compromise. Healthcare data breaches increased 40% from 2015 to 2016, so now it is even more critical to pay attention to defenses for your protected health information (PHI) – particularly the electronic protected health information (ePHI) safeguarded within data environments.
If you are a healthcare company or otherwise interact with individuals’ ePHI, your first consideration should always be verifying that the system is HIPAA-compliant. For instance, a HIPAA-compliant hosting company has all the necessary protections in place to meet and exceed the parameters of the HIPAA Security Rule (fully managed firewall, encrypted VPN, encrypted backup, log management system, intrusion detection system, etc.), as indicated by certifications such as auditing to show compliance with the American Institute of CPA’s SOC 1, SOC 2, or SOC 3 (SSAE 16).
HIPAA-compliant WordPress hosting starts with risk analysis
While having the right host is critical, you need more than HIPAA-compliant hosting in order to protect yourself from violation. The preliminary step is a risk analysis.
A risk analysis is key because it gives you two basic positive outcomes: You should get assurance that the system you are using to serve your WordPress installation is able to properly safeguard the data. Plus, it is actually the first step of meeting the HIPAA Security Rule, so you are taking an initial compliance step by gathering that knowledge.
Note that a risk analysis really is necessary and not optional if you want your WordPress hosting to be compliant with HIPAA. It is not permissible to skip because you believe that you have no risk, and it is not an aspect of your business that you can entirely entrust to a third party – simply because your organization is ultimately held liable. This process allows you to review the current risks that are present to your system (and to develop the best strategy moving forward). Once you have that risk analysis documentation in place, then you can focus on the need to have a HIPAA-compliance program that is sustainable.
What is involved in a risk analysis to properly protect your WordPress hosting environment from HIPAA violations? Putting one together involves answering important questions about your environment, as indicated by Donna Grindle of HIPAA training firm Kardon Compliance:
- What is the purpose of the WordPress site?
- What groups of people need access?
- What types of ePHI will it be processing, storing, or transferring?
- Will the WordPress instance be publicly accessible, or is the system only for internal purposes?
- What are the security controls that are in place to safeguard it?
- What are your policies and procedures to handle the security needs of its data?
- What are the nature of the threat landscape and any individual concerns?
- What are the chances that threats will be deployed and potential impacts?
Five technical safeguards for your HIPAA-compliant WordPress
Once you have answered the questions of a risk analysis, it is time to think in terms of the controls you want to implement on your HIPAA-compliant WordPress site. You will be able to meet the requirements set by the Health and Human Services Department (HHS) through either the standard system, immediately available plugins, or custom tools. From a broad perspective, your environment should meet five key control requirements – all of them described by the Security Rule’s language on technical safeguards.
First, your HIPAA-compliant environment will need access controls. A covered entity or business associate needs to put technologies and systems into place that will prevent any unauthorized parties from accessing the data.
You can achieve that through WordPress via a combination of security configurations and plugins. You can take the standard installation and modify user roles, making sure that permissions work for administrators, the public, and staff.
Keep in mind, though, that the standard authorization capabilities within WordPress are relatively basic. You might have to get a plugin to disable a content type or module when users have not been authorized. For instance, you need a plugin in order to allow users to edit content, while not giving them access to the ePHI data that is within calendar registrations.
Second, as a covered entity or business associate, you will need audit controls. That means deploying computing equipment, programs, and processes to monitor access and behavior within IT portals that contain ePHI.
Third, HIPAA-compliant WordPress hosting requires integrity controls. In other words, you must make sure that data integrity is maintained at all times (i.e. that data is not destroyed or unintentionally altered). Plus, there should be a mechanism installed that can verify that alteration or destruction of data is not occurring.
A fourth key defense outlined within the Security Rules is person or entity authentication. You can verify identities of users through various person or entity authentication methods. At the bare minimum, a covered entity or business associate will want to confirm the privileges and transmission device are valid.
Finally, a HIPAA-compliant organization has to build transmission security into its environment. These methods protect against the possibility of compromise to the ePHI that is flowing through the infrastructure.
WordPress with a host that knows HIPAA
When you think of all these controls, it becomes apparent that a big piece of any HIPAA-compliant WordPress site is, in fact, the hosting. As Greg Gholson of web development firm Geonetric noted, “Anybody planning to build a HIPAA-compliant site needs to host in a HIPAA-compliant environment.”
Before you can build HIPAA-compliant WordPress, you need a web host that has the healthcare IT knowledge to set up a system that will truly protect you from breach. At Atlantic.Net, our HIPAA-compliant hosting is SOC 1 and SOC 2 certified and HIPAA audited, designed to secure critical data and records. See our HIPAA hosting plans.