HIPAA Compliant WordPress Hosting: What It Requires
WordPress can be used in a HIPAA-compliant way, but only on hosting configured for HIPAA with a signed Business Associate Agreement (BAA), encryption at rest and in transit, access controls, audit logging, and hardened plugins and forms. WordPress core is not HIPAA compliant by itself. Compliance comes from the hosting environment and how protected health information (PHI) is handled.
TL;DR: Quick answer
- WordPress itself is not HIPAA compliant; the hosting environment and configuration make it so.
- You need a host that signs a BAA and provides encryption, access controls, and audit logging.
- Plugins and forms must be hardened, because they are a common PHI leak point.
- Avoid storing PHI in standard WordPress databases or form plugins without safeguards.
Is WordPress HIPAA compliant out of the box?
No. WordPress is a content management system, not a compliance product. It has no concept of PHI, BAAs, or audit logging on its own. Whether a WordPress site is HIPAA compliant depends entirely on the hosting environment, the configuration, and how the site handles patient data.
What makes a WordPress site HIPAA compliant?
- A signed BAA with the hosting provider and with any plugin or service that touches PHI.
- Encryption of data in transit (TLS) and at rest.
- Access controls with unique logins, least privilege, and multi-factor authentication.
- Audit logging of access to PHI.
- Hardened forms that encrypt submissions and avoid sending PHI through standard email notifications.
- Regular updates and backups for core, themes, and plugins.
Where do WordPress sites usually go wrong?
The most common failure is a form plugin that collects health details and emails them in plain text or stores them in an unprotected database. Free plugins rarely sign BAAs, and a single misconfigured form can disclose PHI on every submission. Treat the entire path, from form to storage to notification, as in scope.
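The form-to-storage-to-notification path just described, as an added PHP example that is not from this page or any particular plugin: a WordPress submission handler that encrypts each submission with libsodium before it is written as post meta and sends a notification carrying only a reference, never the fields themselves. It assumes a PHI_FORM_KEY constant in wp-config.php, a registered non-public phi_intake post type, and a form that posts a phi_nonce field; application-layer encryption of this kind complements the host's encryption at rest and the BAA rather than replacing them.

```php
<?php
// Added example, not from the page: WordPress intake-form handler that seals
// PHI before storage and keeps it out of the e-mail notification.
// Assumes wp-config.php defines PHI_FORM_KEY as bin2hex( random_bytes( 32 ) )
// and that a non-public 'phi_intake' post type has been registered.
function phi_form_key(): string {
    if ( ! defined( 'PHI_FORM_KEY' ) ) {
        wp_die( 'PHI form key is not configured.' );
    }
    return sodium_hex2bin( PHI_FORM_KEY ); // 32 bytes = SODIUM_CRYPTO_SECRETBOX_KEYBYTES
}
// Authenticated encryption (XSalsa20-Poly1305) of the submission before it reaches the DB.
function phi_form_seal( array $fields ): string {
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = sodium_crypto_secretbox( wp_json_encode( $fields ), $nonce, phi_form_key() );
    return base64_encode( $nonce . $box );
}
// Returns null if the stored blob was tampered with or sealed under another key.
function phi_form_open( string $sealed ): ?array {
    $raw   = base64_decode( $sealed, true );
    $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain = sodium_crypto_secretbox_open( substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ), $nonce, phi_form_key() );
    return false === $plain ? null : json_decode( $plain, true );
}
// Handles POST to admin-post.php?action=phi_intake from visitors and logged-in users alike.
function phi_form_handle_submission(): void {
    check_admin_referer( 'phi_intake', 'phi_nonce' ); // nonce/CSRF check; dies on failure
    $fields = array(
        'name'    => sanitize_text_field( $_POST['name'] ?? '' ),
        'email'   => sanitize_email( $_POST['email'] ?? '' ),
        'details' => sanitize_textarea_field( $_POST['details'] ?? '' ),
    );
    $post_id = wp_insert_post( array(
        'post_type'   => 'phi_intake',
        'post_status' => 'private', // never exposed through feeds or anonymous REST requests
        'post_title'  => 'Intake ' . gmdate( 'c' ),
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_die( 'Could not save the submission.' );
    }
    update_post_meta( $post_id, '_phi_sealed', phi_form_seal( $fields ) ); // ciphertext only
    // The notification carries a reference, never the PHI itself.
    wp_mail( get_option( 'admin_email' ), 'New intake submission #' . $post_id,
        'Review it in the dashboard: ' . admin_url( 'post.php?post=' . $post_id . '&action=edit' ) );
    wp_safe_redirect( home_url( '/thank-you/' ) );
    exit;
}
add_action( 'admin_post_phi_intake', 'phi_form_handle_submission' );
add_action( 'admin_post_nopriv_phi_intake', 'phi_form_handle_submission' );
```

Reviewers decrypt a stored submission with phi_form_open() from a capability-checked admin screen; a null result means the ciphertext was altered or the key changed, which is itself worth logging.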
Frequently asked questions
Is WordPress HIPAA compliant?
Not by itself. It can be part of a compliant setup when hosted on HIPAA-compliant infrastructure under a BAA and configured correctly.
Can I use WordPress for a medical website?
Yes, including for sites that handle PHI, as long as the hosting, plugins, forms, and configuration meet HIPAA requirements.
What plugins are HIPAA compliant?
Compliance depends on the vendor signing a BAA and the plugin handling PHI securely. A plugin is not compliant simply because it advertises that word; verify the BAA and the data flow.
Where to go from here
Start with hosting that signs a BAA and supplies the required safeguards. See our guide to HIPAA-compliant hosting and who needs it.
This guide is general information, not legal advice.