Atlantic.Net Blog

Best Practice for Creating a HIPAA-Compliant WordPress Site

WordPress is a widely used website creation application powering about 38% of all websites on the Internet today. WordPress achieved mainstream popularity because of its ease of use, allowing almost anyone to create detailed and professional-looking websites with a few clicks.

WordPress is particularly popular with small-to-medium size businesses, web developers, graphic designers, and personal blogs. However, it is also used by big companies, such as BBC America, Sony Music, and Microsoft News.

Did you know?

On the Atlantic.Net Cloud Platform (cloud.atlantic.net), you can deploy a WordPress server in seconds. Our one-click WordPress image ships Ubuntu 20.04 with PHP, MySQL, Apache, WordPress, and Postfix installed as standard.

WordPress sites that store, process, or display Protected Health Information (PHI) must, like any website handling PHI, adhere to the administrative, physical, and technical safeguards of the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of data uploaded to or made available through the site.

HIPAA-Compliant Design Rules for WordPress

The following three-step framework covers the design, hardening, and hosting decisions needed for a WordPress site that can handle PHI:

Did you know?

HIPAA rules are applicable regardless of whether the WordPress site is being used in-house or connected to the public Internet.

Website Design

HIPAA compliance must drive the website design plan; the design must meet HIPAA’s minimum security and privacy standards to ensure the confidentiality, integrity, and availability of PHI.

  • Access controls to prevent unauthorized access to PHI
  • Access controls on the WordPress administration panel (wp-admin), including separate accounts and least-privilege roles for each user

Need help? 

Check out the “Advanced Access Manager” plugin by Vasyl Martyniuk.

  • Audit controls to log all access to the site 
  • Audit controls to log any activity on the site that involves ePHI

Need help? 

Check out the “WP Activity Log” plugin by WP White Security.

  • Integrity controls to prevent PHI from being altered or destroyed by unauthorized users
  • Transmission security controls so that PHI is encrypted in transit (HTTPS for every page and upload, not only the login form)
  • Encryption at rest for PHI stored on the web server and in the database

Server Hardening

Here are some practical ways to protect your WordPress server from common vulnerabilities and threats:

  • Update WordPress core, plugins, themes, and PHP as soon as security releases are published
  • Apply operating system updates at least monthly, and security patches as they are released
  • Use long, unique passwords for every account (WordPress, database, SSH) and never reuse them
  • Transfer files only over SFTP (file transfer over SSH); disable plain FTP, which sends credentials and file contents in clear text
  • Set file permissions so that the web server account cannot modify WordPress code: directories 755, files 644, wp-config.php 640, and nothing world-writable
  • Ensure no system service or application runs as the root user (on Ubuntu, Apache and PHP run as www-data)

Did you know?

No WordPress file needs to be owned by root. Pay particular attention to .htaccess: keep it owner-writable only (644), because Apache re-reads it on every request, so an attacker who can write to it can redirect traffic or change how files are served without touching WordPress itself.

  • Grant the WordPress database user only the privileges it needs on the WordPress database, and allow connections only from the web server host (localhost where the database is co-located)
  • Secure wp-admin and wp-login.php with multi-factor authentication (MFA)

Need Help?

Here are two great MFA plugins: “Duo Two-Factor Authentication” and “Google Authenticator.”
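The file-permission item above is the one most often got wrong in practice, so here is an added example (not code from the original post, from Atlantic.Net's one-click image, or from WordPress itself) that applies and audits that rule as a shell script on a Linux host. It assumes the site lives under a single document root passed as an argument, that a root-run chown has already given the files to a non-root deploy user with the web server account (www-data on Ubuntu) in the group, and that the 755/644/640 values are the policy being enforced; the throwaway directory tree at the bottom is constructed for the demonstration and is not a real site.

```shell
#!/bin/sh
# Added example (hypothetical layout): enforce and audit WordPress file
# permissions. Ownership (deploy user, www-data group) is assumed to have
# been set by root beforehand; this script only touches mode bits.
set -eu

# harden_wp_perms DOCROOT
# Directories 755 and files 644: readable by the web server, writable only by
# the owner. wp-config.php holds the database password, so it gets 640 (owner
# rw, group r, nothing for others). Nothing is left world-writable.
harden_wp_perms() {
  docroot="$1"
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
  if [ -f "$docroot/wp-config.php" ]; then
    chmod 640 "$docroot/wp-config.php"
  fi
}

# audit_wp_perms DOCROOT
# Lists every path that breaks the policy above and returns 1 if any exist,
# so it can run from cron or a deploy pipeline as a pass/fail check.
audit_wp_perms() {
  docroot="$1"
  bad=$( {
    find "$docroot" -perm -002                                  # anything world-writable
    find "$docroot" -type d ! -perm 755                         # directories
    find "$docroot" -type f ! -name wp-config.php ! -perm 644   # ordinary files, .htaccess included
    find "$docroot" -type f -name wp-config.php ! -perm 640     # database credentials
  } | sort -u)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Demonstration on a constructed throwaway tree (not a real site): start from
# a deliberately weak state, show the audit failing, harden, show it passing.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/wp-content/uploads" "$demo_dir/wp-admin"
printf '<?php define("DB_PASSWORD", "not-a-real-secret");\n' > "$demo_dir/wp-config.php"
printf 'RewriteEngine On\n' > "$demo_dir/.htaccess"
: > "$demo_dir/wp-admin/index.php"
chmod 777 "$demo_dir/wp-content/uploads"   # common shortcut: any local user can plant PHP here
chmod 666 "$demo_dir/wp-config.php"        # database password readable and writable by everyone
echo "before hardening, policy violations:"
audit_wp_perms "$demo_dir" || true
harden_wp_perms "$demo_dir"
echo "after hardening:"
audit_wp_perms "$demo_dir" && echo "no violations"
rm -rf "$demo_dir"
```

Run the audit function on its own against the real document root before changing anything; a non-empty listing tells you exactly which files a compromised web server account (or any local user) could already modify.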

HIPAA-Compliant WordPress Hosting

A hosting company that is HIPAA compliant will provide you with an infrastructure that is built around the fundamental safeguards needed for compliance. Make sure you choose a hosting provider that can:

  • Implement physical security controls to prevent unauthorized physical access to the web server
  • Offer a fully managed firewall or Web Application Firewall (WAF)
  • Provide an encrypted VPN for administrative access
  • Provide an encrypted data backup plan so that PHI is protected in the backups themselves
  • Provide a disaster recovery solution so that PHI remains available
  • Provide forensic-level logging of all activity on the host server (in addition to the WordPress-layer logging above)
  • Monitor those logs and alert on suspicious activity
  • Monitor file changes (file-integrity monitoring) through an intrusion detection or prevention service

Did you know?

Atlantic.Net offers HIPAA Compliant WordPress Hosting and HIPAA Compliant Cloud Storage services to support IT Solutions for Healthcare. 

Ready to get started with setting up a HIPAA-Compliant WordPress Site? Choose Atlantic.Net for a one-click WordPress installation that will set you well on your way to a HIPAA-Compliant WordPress Website – get started today!
