HIPAA-Compliant WordPress Hosting: What the Hosting Layer Must Provide
HIPAA-compliant WordPress hosting means a hosting environment that supplies what WordPress core does not: a signed Business Associate Agreement under 45 CFR § 164.308(b), encryption of ePHI at rest (§ 164.312(a)(2)(iv)) and in transit (§ 164.312(e)(2)(ii)), audit logging (§ 164.312(b)), access controls, and tested backups under § 164.308(a)(7). WordPress itself is general-purpose publishing software. It has no concept of protected health information, no audit controls aimed at PHI access, and no contractual mechanism to bind anyone to the HIPAA Security Rule. Compliance readiness is built around it, mostly at the hosting layer.
TL;DR: Quick answer
- WordPress core is neither HIPAA compliant nor non-compliant; HIPAA regulates Covered Entities and Business Associates under 45 CFR § 160.103, not software, so the obligations land on whoever hosts and operates the site.
- The hosting layer must provide a signed BAA (§ 164.308(b), § 164.504(e)), encryption at rest and in transit (§ 164.312(a)(2)(iv), (e)(2)(ii)), audit logging (§ 164.312(b)), and backup and recovery under the contingency plan standard (§ 164.308(a)(7)).
- The most common WordPress PHI leak is a form plugin emailing submissions in plaintext to an inbox with no BAA; the email path counts as a PHI disclosure the moment a visitor types health details.
- Standard managed WordPress hosts (and wordpress.com plans) generally will not sign a BAA; a BAA-covered environment on AWS HIPAA Eligible Services is the usual foundation.
- No host can sell "HIPAA certified" WordPress hosting; no official HIPAA certification exists, so evaluate the BAA and the named controls instead.
Why WordPress core cannot be HIPAA compliant on its own
HIPAA applies to Covered Entities and Business Associates, not to software products. A CMS cannot sign a BAA, perform a risk analysis under § 164.308(a)(1)(ii)(A), or retain documentation for six years under § 164.316(b)(2)(i). What WordPress core specifically lacks, measured against the technical safeguards at § 164.312:
- No PHI-aware audit controls. WordPress logs almost nothing by default. There is no built-in record of who viewed a database row containing a form submission, which § 164.312(b) expects for systems holding ePHI.
- No encryption at rest. The MySQL database and uploads directory are plaintext unless the hosting layer encrypts the storage beneath them.
- No automatic logoff. WordPress sessions persist for 48 hours by default, and two weeks with "remember me." That conflicts with the automatic logoff specification at § 164.312(a)(2)(iii) unless shortened.
- Weak default access control. Roles exist, but there is no MFA, no login throttling, and the admin account is enumerable out of the box.
- A plugin trust model. Any plugin can read the entire database, which makes every installed plugin part of your ePHI attack surface.
None of this makes WordPress unusable for healthcare. It means the compliance work happens in the hosting environment and configuration, which is also true of Drupal, static sites with form backends, and most other stacks. Whether your organization needs this at all depends on whether PHI actually flows through the site; our guide to who needs HIPAA-compliant hosting covers that threshold question.
What must the hosting layer provide? Requirements with CFR citations
| Requirement | CFR citation | What it looks like for WordPress |
|---|---|---|
| Business Associate Agreement | § 164.308(b), § 164.504(e) | Signed BAA from the host; on AWS, executed self-service through AWS Artifact |
| Encryption at rest | § 164.312(a)(2)(iv) | AES-256 on the database (RDS or encrypted EBS) and the uploads volume, keys in KMS |
| Encryption in transit | § 164.312(e)(1), (e)(2)(ii) | TLS 1.2+ sitewide, HTTPS forced on wp-admin and wp-login, HSTS header |
| Unique user identification | § 164.312(a)(2)(i) | Named accounts for every admin and editor; no shared logins; MFA enforced |
| Automatic logoff | § 164.312(a)(2)(iii) | Session lifetime shortened from the 48-hour default; idle timeout on admin sessions |
| Audit controls | § 164.312(b) | Server, database, and application activity logs shipped off-instance and retained |
| Integrity controls | § 164.312(c) | File integrity monitoring on core and plugins; checksummed, encrypted backups |
| Backups and recovery | § 164.308(a)(7) | Automated encrypted backups with documented, tested restores |
Encryption specifications are addressable under § 164.306(d), which means you implement them or document an equivalent alternative; for a hosted website handling ePHI there is rarely a defensible alternative. This table is the requirements view. The step-by-step build order, from BAA to hardening to forms, is a separate article: how to make WordPress HIPAA compliant.
Why ordinary managed WordPress hosts do not qualify
The disqualifier is usually contractual before it is technical. Mainstream WordPress hosts build for publishing performance, and their terms of service often prohibit storing regulated health data; they will not sign a BAA, and without one the arrangement fails § 164.308(b) regardless of how good the infrastructure is. Shared hosting adds technical problems: co-tenant isolation you cannot verify, no per-customer audit trail, and backup systems outside your control.
The workable pattern is dedicated, BAA-covered infrastructure, most commonly on AWS, where the HIPAA Eligible Services Reference lists more than 150 services (updated May 2026) and the shared responsibility model leaves configuration to you or your managed provider. We compare the realistic options in our roundup of the best HIPAA WordPress hosting providers, and the cost differences in how much HIPAA hosting costs in 2026.
Plugins and forms: where WordPress sites actually leak PHI
The hosting layer can be perfect and the site still non-compliant, because plugins move PHI along paths the host never sees. The canonical failure: a contact or intake form collects symptoms, medications, or appointment reasons, then the form plugin emails the submission in plaintext to the front desk through whatever SMTP service is configured. That is an unencrypted PHI transmission to an email provider with no BAA, on every single submission.
Three rules contain the risk:
- Inventory every PHI path. Form submissions, notification emails, plugin databases, analytics, chat widgets, and marketing pixels. If a vendor receives PHI, that vendor is a Business Associate and needs a BAA; "popular plugin" is not an exemption.
- Stop plaintext email notifications. Either send a content-free alert ("a new submission is waiting") with the PHI retrievable only from encrypted storage, or use a BAA-covered email service. Our guide to HIPAA-compliant email encryption covers the second option.
- Encrypt stored submissions. Form entries saved to wp_posts or a plugin table inherit whatever encryption the database has, which is why hosting-layer encryption at rest matters even for "just a contact form." The full intake-form pattern is worked through in making therapist contact forms HIPAA compliant.
Frequently asked questions
Is WordPress HIPAA compliant?
The question is category-confused: HIPAA regulates organizations, not software. WordPress can be part of a compliance-ready deployment when hosted on BAA-covered, encrypted, logged infrastructure and configured so PHI never travels an unprotected path.
Will wordpress.com or a mainstream host sign a BAA?
Generally no. Most consumer and mainstream managed WordPress hosts decline BAAs and exclude regulated health data in their terms. Confirm in writing before assuming otherwise.
Are there HIPAA-certified WordPress plugins?
No official HIPAA certification exists for any product. Evaluate whether the plugin vendor signs a BAA when it receives PHI and whether the data flow (storage, notifications, third-party calls) stays encrypted and access-controlled.
Can I keep PHI out of WordPress entirely?
Often yes, and it simplifies everything. Embedding a BAA-covered external form or scheduling tool keeps PHI off the WordPress database, leaving the site itself with a much smaller compliance surface. The marketing pages still need TLS and hardening, but the ePHI safeguards concentrate where the data lives.
Does a HIPAA-ready host make my site compliant automatically?
No. The host covers infrastructure safeguards and the BAA; you remain responsible for plugin choices, user accounts, form configuration, and the risk analysis required by § 164.308(a)(1)(ii)(A).
Where to go from here
For the wider context beyond WordPress, start with our complete guide to HIPAA-compliant hosting. If you want the BAA, encryption, logging, hardening, and migration handled for you, hipaacomplianthosting.com provides managed HIPAA-compliant WordPress hosting; that is our business, so read the recommendation with that in mind.
This article is general information, not legal advice. Consult qualified counsel and base your safeguards on a documented risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). Reviewed June 2026.