The Health Insurance Portability and Accountability Act (HIPAA website) sets forth various guidelines (approved back in 1996) that must be adopted by anyone who handles any electronic medical data.
These guidelines stipulate that all medical and hospital services must ensure that necessary measures are in place when saving, accessing and sharing any electronic medical data to keep patient information safe. Failure to comply with HIPAA regulations of safety standards could lead to large fines and even loss of medical licenses.
Who Needs to Comply With HIPAA?
Among those who have to comply with HIPAA is any entity that provides or pays for health care services. This may include clinical centers, health plans, and any other type of healthcare provider (care, services, or supplies related to an individual’s health, including preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, counseling, services, evaluation or procedures related to the physical health, mental condition or functional state of an individual that affects the structure or function of the body).
Hybrid entities, which perform some of the functions listed above, also need to be HIPAA compliant. An example of this are universities that have hospitals. The university hospital transmits personal health information electronically, which in turn is covered by HIPAA.
On the other hand, imagine that this same university has a research laboratory that is not integrated into the hospital. In this case, this lab does not have the need to be HIPAA compliant. That’s because, despite dealing with health information, it does not have access to the same information as the hospital.
A Brief Summary of HIPAA Regulations
With HIPAA’s slogan being “Your health information, your rights”, it comes as no surprise that citizens are at the center of this Act. Here are the most important stipulations:
Access to information: Anyone can have access to their own health information. They can suggest corrections and obtain physical or electronic copies.
Information sharing: Citizens may need to share information with doctors or a medical specialist for any reason and, with HIPAA, this is possible, as all information is online, and they can choose whom to share with.
Information protection: All entities needing to be HIPAA compliant must follow specific HIPAA rules like HIPAA’s privacy rule or HIPAA’s security rule. This is with regards to information sharing, where the patient’s information cannot be disclosed without authorization (except for specific cases).
HIPAA and WordPress Websites
If you have a WordPress-built medical website, you are probably wondering if it needs to (and can) be compliant with HIPAA. In reality, it does not focus on website-related compliance, therefore making any HIPAA requirement for websites a little vague.
In this regard, there is another important concept to touch: ePHI. This acronym, which stands for “Electronic Protected Health Information”, refers to any information in a digital format that can be used to identify a patient. HIPAA has the same confidentiality requirements for all kinds of transmit PHI, physical or otherwise, making it an essential part of HIPAA compliance.
With this in mind, applying safeguards that respond to HIPAA’s requirements on confidentiality, integrity, and availability of ePHI becomes a must. Any related website needs to deploy administrative, physical, technical, and security measures so that the confidentiality of any protected health information is always guaranteed.
It’s worth mentioning that an essential part of any effective HIPAA compliance program is a Business Associate Agreement (BAA). If an organization handles, use, distribute, or access protected health information (PHI), they qualify as a BAA under HIPAA regulation.
How to Make Your Site HIPAA Compliant?
While there is no straight-forward way of making a WordPress site to be compliant with HIPAA, there are a few steps that can and should be done.
Start by Analyzing the Potential Risks
Depending on the website’s activities and purpose, the risks can vary quite a bit, so it is impossible to have a universal risk analysis to fit all cases. Website owners should be aware of common cyber-attacks and try to identify all the situations in which ePHI will be handled.
Find an Appropriate Hosting Service
Unless you’ll be taking care of your website’s hosting on your own, choosing the right hosting service is important. Making a WordPress website compliant with HIPAA is absolutely worthless if the hosting service is weak and fragile to attacks.
It then becomes important to go for a HIPAA compliant hosting service, which should offer a powerful firewall, an encrypted VPN connection so that no one can sniff your traffic. And offer offsite backups so that data is never lost, among other important and useful security features. If you want to switch to a better hosting provider, here’s a helpful post on best WordPress hosting to choose from.
Harness the Power of Plugins
One of the strongest features of the WordPress platform is how much it can be enhanced using plugins. Reaching HIPAA compliance is also easy if you go for the right plugins.
A good example of this is HIPAA FORMS, a WordPress plugin that allows your website to have HIPAA compliant web forms. It uses regular form plugins, like Caldera Forms or Gravity Forms, and adds a security layer to them. It includes a signature field where users can sign by dragging their mouse or with their finger on touch screens.
Upon submission, it encrypts the data and pushes it to the HIPAA FORMS Service API. It then stores the data within a HIPAA compliant storage solution. Keep in mind that this plugin requires a paid license.
The option for WordPress plugins are endless. You’ll find many WordPress security plugins to choose from.
Be Careful With Plugins
Plugins are a wonder of WordPress but are also one of its weakest points in terms of security. According to data from Wordfence, plugin-related vulnerabilities represented more than half of known attack entry points.
To avoid this, be sure to always get plugins from official sources. Also always keep them up to date. The same goes for the main WordPress platform, of course, as it is also prone to have security issues.
Store ePHI Outside WordPress
Most websites are built on WordPress making WordPress sites a target for cybercriminals. Because WordPress is not really the safest platform out there, avoid storing ePHI data there.
Discuss this with your hosting provider, to make sure you get the best possible solution here. With the right hosting provider, you can get external hosting locations and make sure that all data is stored and retrieved securely in an encrypted way.
Use All the Common Security Tips
Security is a common topic around the Web. There are many WordPress security tips that users can follow, yet very few follow them.
Common security rules that a HIPAA compliant website should follow are –
- Use strong passwords
- Enable two or multi-factor authentication
- Change admin account names to avoid brute-force attacks, etc.
Verify All New User Accounts
Another additional layer of security involves preventing users from creating new accounts on your site at will. Ensure that all new account requests are verified, either by hand or automatically, to reduce the amount of risk.
The reality is that WordPress was not developed with HIPAA in mind. There is no HIPAA WordPress core but this does not mean one cannot make a website built on this platform to be compliant to that Act. With the right knowledge and effort, it can be attainable. However, in order to increase the chances of doing so and getting risks down to the minimum, be sure to contact specialists. Be it individuals, or hosting services, they must be familiar with sites that are in compliance with it.
This is a guest post by Atlantic.net.