
WordPress for HIPAA and ePHI? Is that a good idea?

WordPress is an extremely popular content management system for both blogging and creating web sites.  It’s popular because it is quick to set up, easy to administer, has a very large supported base of add-ons, and looks good.  As a result, many LuxSci customers use WordPress in one fashion or another for their web sites hosted at LuxSci.

As we cater to a large segment of customers who have specific compliance needs, e.g. HIPAA compliance, we frequently are asked about using WordPress with ePHI … e.g. using WordPress to provide access to protected health information for members of the WordPress site.

Can this be compliant?  Is it a good idea?

What do you need for a HIPAA Compliant WordPress site?

First, you need to host your WordPress site with a hosting provider that provides HIPAA compliance and who will sign your HIPAA Business Associate Agreement.  This means that HIPAA WordPress hosting at places like and GoDaddy is immediately not possible.

Next, you need to ensure that your WordPress site meets HIPAA requirements and any requirements of your hosting provider.  This includes:

  • An SSL certificate and dedicated IP address for your web site so that traffic to/from it can be encrypted in transit.
  • Ensuring that your WordPress site cannot be accessed without SSL (e.g. by using LuxSci’s feature where you can have SSL-protected content separate from insecure content).
  • Ensuring that ePHI is never publicly available – users must log in to access that content.
  • Ensuring that access to ePHI is explicitly granted and revoked by your HIPAA administrators.  E.g. it should not be possible for someone to sign up and get access without explicit review.
  • Ensuring that users have access only to the ePHI they need and are authorized to see.
  • Ensuring that all WordPress logins are monitored and are logged.
  • Keeping your WordPress and all “add-on” software up-to-date.
  • Using plugins like “Duo Security” to add 2-factor authentication to your site.
  • Ensuring that there are good backups of your site and its content.
  • Ensuring that user logins to WordPress will automatically log users off due to inactivity.
  • Logging access to ePHI, if possible.
  • Reviewing your procedures and users periodically.
  • Ensuring that WordPress does not cache copies of ePHI pages insecurely on disk, especially if you are in a shared environment.  WordPress content is normally stored in a database, but if it is cached insecurely on disk that weakens security and, in a shared environment, could give unauthorized persons access to it.
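The "monitor and log all WordPress logins" item above is only useful if someone actually looks at the logs. The following is an added example (not code from the LuxSci post) of the kind of review a HIPAA administrator can run over the web server's access log: it pulls out every POST to wp-login.php, flags IPs with a burst of failed attempts, and lists IPs whose successful login was preceded by failures. The log lines are constructed samples in Apache "combined" format, and the classification heuristic is an assumption made here (a failed WordPress login re-renders the form with HTTP 200, a successful one answers with a 302 redirect into /wp-admin/); adjust it if your installation or a login plugin behaves differently.

```python
"""Review WordPress login activity from web-server access logs.

Added example, not code from the LuxSci post. Log lines below are constructed
samples (RFC 5737 documentation addresses). Heuristic assumed here: a failed
POST to wp-login.php is answered with HTTP 200 (form re-rendered with an
error); a successful one is answered with a 302 redirect into /wp-admin/.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in Apache "combined" format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:13:55:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:08 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:13:56:05 -0500] "GET /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:13:56:10 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:13:56:11 -0500] "GET /wp-admin/ HTTP/1.1" 200 12873 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:14:02:30 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:14:02:45 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client ip, identd, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_login_events(log_text):
    """Return (timestamp, ip, outcome) for every POST to wp-login.php."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        outcome = "success" if m["status"] == "302" else "failure"
        events.append((ts, m["ip"], outcome))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map IP -> largest number of failed logins seen inside one sliding window."""
    failures = defaultdict(list)
    for ts, ip, outcome in events:
        if outcome == "failure":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def successes_after_failures(events):
    """Map IP -> failures that preceded its first successful login (worth a manual review)."""
    failed_before = defaultdict(int)
    result = {}
    for _, ip, outcome in sorted(events):
        if ip in result:
            continue
        if outcome == "failure":
            failed_before[ip] += 1
        elif failed_before[ip]:
            result[ip] = failed_before[ip]
    return result


if __name__ == "__main__":
    ev = parse_login_events(SAMPLE_LOG)
    print("login POSTs parsed:", len(ev))
    print("brute-force candidates:", find_bruteforce(ev))
    print("success after failures:", successes_after_failures(ev))
```

Run against a real log, the first report is the list to block or rate-limit, and the second is the one to reconcile against your user roster: a login that succeeded only after a string of failures deserves a phone call, not just a log entry.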

There are many more procedural things that you must do and that your provider must do that are described here.

So, can these things all be done with WordPress?

Many of these things are doable, however:

  1. Not caching ePHI-laden pages.  Some WordPress caching add-ins cache pages to the database.  Others save pages to disk.  Furthermore, you can sometimes control which pages are cached and which are not.  Being forced to do that on a post-by-post basis is, however, a recipe for accidental breach.  By default, WordPress is probably not caching your site … unless that has been pre-configured or set up for you.  This should be reviewed by your WordPress admin.
  2. User auditing and access control.  You can make your ePHI-laden pages accessible only to logged-in users by using plugins like “User Specific Content”.  You do have to specify on a per-post basis exactly who should have access.  You can also use the User Tracker plugin to see what people are viewing and doing when logged in.  These two plugins give you fine-grained control over access and auditing.
  3. Backups.  Even if your hosting provider makes automatic backups of your site, you should make your own backups “just in case”.  You can back up your MySQL database directly and/or use WordPress’ backup and restore features.

So, yes, these things can be done and with other plugins, you can further enhance WordPress security.  E.g.

However, is this a good idea?

Ok, so you can get a HIPAA-compliant web host (like and you can set up WordPress with SSL, lock it down and set up plugins to do the needful auditing and access control.  Great.  Is this a good idea?

While it does allow you to get up and running quickly, we would advise you to be very careful:

  • WordPress has had security issues in the past and is constantly being updated … fixing problems, and adding new problems.  A bug in WordPress or any of the plugins that you are using could leave you in non-compliance, or worse, in breach.
  • WordPress and its plugins are not responsible for any bugs or problems … only you are.  If you do not fully understand the security implications of using this or that software, plugin, or setting, then you could be setting yourself up for problems. WordPress’ ease-of-setup can make you think that you are all set when you are not.
  • If you are using WordPress for a HIPAA-compliant site, we would highly recommend that you have a WordPress expert developer who is familiar with HIPAA review all of your plugins and settings and your policies for assigning users and access.  You might be surprised.
  • WordPress and plugins are updated constantly, so you must keep the latest versions installed.  If you put your site up and leave it there to rot (e.g. never update anything) you will have problems at some point.
  • Review who is writing the plugins that you are using.  You have no contract with them and have done no reviews of their code. How do you know that it does what it says … and only what it says?
  • If you are restricting access to a specific set of users, consider additional non-WordPress security measures such as:
    • Locking down access to the site by IP address
    • Using a dedicated server instead of a shared web host
    • Encrypting the MySQL database used by your WordPress instance
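Several of the settings discussed in this post (forcing SSL, not caching ePHI pages on disk, keeping WordPress updated, and the IP lockdown just suggested) live in two files the administrator can inspect directly: wp-config.php and the site's .htaccess. The following is an added example (not code from the LuxSci post or from WordPress) of a small audit that reads both files and reports which of those settings are weak. FORCE_SSL_ADMIN, WP_CACHE and WP_AUTO_UPDATE_CORE are real WordPress constants; the sample configurations, the IP range and the check names are constructed here, and the regexes assume the common one-define-per-line layout of wp-config.php.

```python
"""Audit wp-config.php and .htaccess for the hardening this post calls for.

Added example, not code from the LuxSci post or from WordPress. The sample
configurations below are constructed; the constants checked
(FORCE_SSL_ADMIN, WP_CACHE, WP_AUTO_UPDATE_CORE) are real WordPress constants.
"""
import re

# --- constructed sample inputs -------------------------------------------
WEAK_WP_CONFIG = """\
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'example-placeholder');
define('WP_CACHE', true);
define('WP_AUTO_UPDATE_CORE', false);
"""

# Stock WordPress rewrite block: no HTTPS redirect, wp-login.php open to all.
WEAK_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

HARDENED_WP_CONFIG = """\
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'example-placeholder');
define('FORCE_SSL_ADMIN', true);
define('WP_AUTO_UPDATE_CORE', true);
"""

# Redirect everything to HTTPS and allow wp-login.php only from one range
# (constructed RFC 5737 range; "Require ip" is Apache 2.4 syntax,
# "Allow from" is the 2.2 equivalent).
HARDENED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
<Files "wp-login.php">
    Require ip 203.0.113.0/24
</Files>
"""

# --- the audit -------------------------------------------------------------
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")


def parse_defines(php_text):
    """Map constant name -> normalised value for every define() in wp-config.php."""
    values = {}
    for name, raw in DEFINE_RE.findall(php_text):
        raw = raw.strip()
        if raw.lower() in ("true", "false"):
            values[name] = raw.lower() == "true"
        else:
            values[name] = raw.strip("'\"")
    return values


def audit(wp_config, htaccess):
    """Return [(check_name, passed, detail)] for the settings this post discusses."""
    d = parse_defines(wp_config)
    login_block = re.search(
        r"<Files\s+[\"']?wp-login\.php[\"']?>(.*?)</Files>", htaccess, re.S)
    login_ip_restricted = bool(
        login_block and re.search(r"Require ip|Allow from", login_block.group(1)))
    return [
        ("force_ssl_admin", d.get("FORCE_SSL_ADMIN") is True,
         "FORCE_SSL_ADMIN is not true: logins and wp-admin may be served over plain HTTP"),
        ("https_redirect", bool(re.search(r"RewriteCond\s+%\{HTTPS\}\s+(off|!on)", htaccess)),
         ".htaccess does not redirect plain-HTTP requests to HTTPS"),
        ("no_page_cache", d.get("WP_CACHE") is not True,
         "WP_CACHE is enabled: confirm the caching plugin never writes ePHI pages to disk"),
        ("core_auto_update", d.get("WP_AUTO_UPDATE_CORE") in (True, "minor"),
         "WP_AUTO_UPDATE_CORE is disabled: core security updates will not install"),
        ("login_ip_allowlist", login_ip_restricted,
         "wp-login.php is reachable from any IP address"),
    ]


def failed_checks(wp_config, htaccess):
    """Names of the checks that did not pass, in audit order."""
    return [name for name, ok, _ in audit(wp_config, htaccess) if not ok]


if __name__ == "__main__":
    for label, cfg, ht in (("weak", WEAK_WP_CONFIG, WEAK_HTACCESS),
                           ("hardened", HARDENED_WP_CONFIG, HARDENED_HTACCESS)):
        print(label, "->", failed_checks(cfg, ht) or "all checks passed")
```

The audit deliberately treats WP_CACHE as a finding rather than an error: a cache plugin that stores pages in the database may be acceptable, but the administrator has to confirm where the cached copies go, which is exactly the review the post asks for.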

So, it comes down to “use at your own risk” … like any choice of web site content management software that you are using from a third party.   Remember, it may be advantageous to have a custom simple site developed for you rather than rely on WordPress. In this case you would have full control over what is happening and you can choose a developer who knows security and you can have a strong contract with that developer.  The price of that is much less than the price of a HIPAA violation.
