How to Make WordPress HIPAA Compliant: 8-Step 2026 Guide
Last updated: June 8, 2026
Here is how to make WordPress HIPAA compliant in eight steps: move to hosting that will sign a Business Associate Agreement (BAA), map which pages touch patient data, switch to secure forms, turn on encryption, lock down logins, keep audit logs for six years, harden and back up WordPress, then run a yearly risk analysis with staff training. WordPress on its own is not HIPAA compliant: WordPress.com will not sign a BAA, and a standard self-hosted install lacks the safeguards the law requires. The good news is that only the parts of your site that collect, display, or store protected health information (PHI) must be compliant, not every page. The work splits into technical safeguards, such as hosting, encryption, forms, and logs, and administrative safeguards, such as policies, risk analysis, and training; the third set, physical safeguards, is shared between your host's data center and your own workstations. All three are defined in the HIPAA Security Rule, 45 CFR Part 164, Subpart C.
TL;DR: Quick answer
WordPress is not HIPAA compliant by default. WordPress.com will not sign a BAA, so you must host the site with a provider that will, under 45 CFR § 164.308(b).
Only pages that collect or display PHI, usually intake and contact forms, must meet HIPAA standards. Plain marketing pages that store no patient data do not.
Technical safeguards under 45 CFR § 164.312 include encryption in transit and at rest, unique user IDs, automatic logoff, and audit controls. The six-year retention figure comes from the documentation requirement in 45 CFR § 164.316(b)(2)(i), which most practices apply to their audit logs as well.
Administrative safeguards under 45 CFR § 164.308 require a written security risk analysis and staff training, which auditors usually check first.
A managed HIPAA host can configure these controls for you and sign the BAA, which removes most of the technical work from your staff.
How to make WordPress HIPAA compliant, step by step
The eight steps below take a WordPress site from a default install to one that meets the Security Rule's requirements for the pages that handle PHI. Work through them in order, because each one builds on the last. Before you start, gather four things. First, a list of every page and form on your site. Second, a clear note of which of those collect health information, such as appointment requests, intake forms, or symptom questions. Third, admin access to your current hosting account. Fourth, the name of the person who will own compliance going forward, often a practice manager or office lead.
Step 1: Move to hosting that signs a BAA

Start with hosting, because nothing else counts without it. A BAA is the written contract that 45 CFR § 164.308(b) requires with any vendor that stores or handles PHI on your behalf, and it makes your hosting provider legally responsible for protecting that data. If a host will not sign one, you cannot store patient data on it, no matter how well the server is configured: the Rule requires the contract, not just the technical controls. Budget hosts like Bluehost and Wix do not sign BAAs for website hosting, and WordPress.com does not either. Choose a host built for healthcare that signs the BAA, encrypts your data, and keeps audit logs. Our HIPAA compliant WordPress hosting includes the signed BAA, a web application firewall, encrypted daily backups, VPN access for admins, log management, and free migration of your existing site.
Step 2: Map which pages actually handle PHI

You do not need to make your whole website compliant. You need to make the parts that touch PHI compliant. Walk through your page list and mark every form or feature that collects health details. Common examples are new patient intake forms, appointment requests that ask about symptoms, and patient portals. A simple "contact us" form that asks only for a name and email is lower risk, but treat it as PHI the moment it invites health questions, and be cautious even before that: a message that identifies the sender and asks to book a visit ties a named person to seeking care from your practice, which is the combination that makes information PHI. This step keeps your project focused and your costs down.
Step 3: Replace stock forms with HIPAA-ready forms

Standard WordPress form plugins are not HIPAA compliant on their own. Contact Form 7 and the free version of WPForms do not encrypt submissions or sign a BAA, so they should not collect health information. Use a form tool that is built for HIPAA and will sign a BAA with you, then make sure submissions are encrypted and are not emailed in plain text; either turn off the notification email that carries the submission or strip the health fields from it, because a copy in a personal inbox is outside every control on this list. Avoid storing form entries in the WordPress database when you can, since the database was not designed to hold sensitive records and anyone with admin access can read it. Send entries to a secure, access-controlled destination instead.
Step 4: Turn on encryption in transit and at rest

Encryption scrambles patient data so it cannot be read without a key. HIPAA treats encryption as "addressable" under 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii), which means you must use it where reasonable and appropriate or document why not and what equivalent protection you used instead. In practice, you should always use it. Protect data moving across the internet with TLS 1.2 or higher, preferring TLS 1.3, redirect every HTTP request to HTTPS, and send an HSTS header so browsers never fall back to plain HTTP. Protect stored data, including database dumps and backups, with strong encryption such as AES-256. Keep the two in perspective: disk or volume encryption at the host protects against stolen or discarded drives, not against an attacker who has taken over WordPress itself and reads the database through the application, which is why the access-control and hardening steps that follow still matter. A federal rule proposed in December 2024 would make encryption fully required, but as of June 2026 it is not final, so the current addressable standard still applies.
Step 5: Control who can log in

HIPAA requires that only authorized people reach patient data under 45 CFR § 164.312(a) and (d). Give every user a unique login, never a shared account, so you can tell who did what, and give each account the lowest role that does the job: a receptionist who only reads appointment requests should not be an Administrator. Turn on multi-factor authentication (MFA) for all admin accounts, preferring an authenticator app or hardware key over SMS codes; the current Rule does not name MFA explicitly, but it is the practical way to meet the authentication standard, and the December 2024 proposal would require it. Set automatic logoff so an idle session closes on its own, as called for in 45 CFR § 164.312(a)(2)(iii). Note that WordPress keeps a login session alive for two days by default (14 days with "Remember Me") and does not end it for inactivity, so this control needs a plugin or a code filter that shortens the session. Remove old accounts the day someone leaves. These steps are simple, free, and stop most of the password-guessing and credential-stuffing attacks that wp-login.php attracts.
Step 6: Keep audit logs for six years

HIPAA requires audit controls that record activity in systems holding ePHI under 45 CFR § 164.312(b), and procedures to regularly review that activity under 45 CFR § 164.308(a)(1)(ii)(D). The Security Rule does not set a retention period for the logs themselves; the six-year figure comes from 45 CFR § 164.316(b)(2)(i), which requires retaining required documentation for six years, and most practices apply the same period to their audit logs rather than argue about the distinction. Each entry should capture who acted (a unique user ID, never a shared account), what they did, when, and from which address. Logging needs to cover the server, WordPress, and your forms, and WordPress core records none of this on its own: it keeps no login history and no change log, so you need an audit plugin or a few hooks of your own. Someone then needs to review the logs for anything unusual, such as logins at odd hours or bursts of failed attempts. This is hard to do well by hand, which is one reason many practices choose managed hosting that records and retains these logs automatically.
Step 7: Harden and back up WordPress

A compliant host gives you a secure foundation, but you still need to keep WordPress itself tidy. Never run an account named "admin" or another predictable username, and use strong, unique passwords. Keep WordPress core, themes, and plugins updated, since vulnerable plugins are the most common way WordPress sites are compromised. Delete plugins and themes you do not use rather than just deactivating them. Turn off what you do not need: the built-in theme and plugin file editor (so a hijacked admin session cannot write PHP to the server), XML-RPC if nothing uses it, and anonymous access to user listings through the REST API, which hands attackers a list of usernames to guess passwords for. Run a web application firewall to block common attacks, and confirm you have encrypted daily backups stored in a separate location, tested by actually restoring one, so you can recover after an incident. Managed plans usually handle updates, firewall, and backups for you.
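Steps 5 through 7 are the parts of this list that a WordPress administrator can enforce in code rather than in policy. The must-use plugin below is an added example written for this article; it is not part of WordPress, of any plugin named on this page, or of our hosting stack. It shortens the hard session lifetime and adds a per-session idle logoff, writes login, logout, and failed-login events to an append-only audit file as one JSON line each, disables the file editor and XML-RPC, and hides user listings from anonymous REST callers. The log path, the eight-hour session cap, and the fifteen-minute idle limit are assumptions to adjust for your environment. MFA still needs a dedicated plugin, and the firewall and backups belong at the host.

```php
<?php
/**
 * Plugin Name: PHI Site Hardening (added example)
 * Description: Idle logoff, login audit trail, file-editor and XML-RPC shutoff,
 *              and a REST user-enumeration block. Not part of WordPress or any plugin.
 *
 * Save as wp-content/mu-plugins/phi-hardening.php. Must-use plugins load on every
 * request before regular plugins and cannot be deactivated from the dashboard.
 */

defined('ABSPATH') || exit;

// Assumptions for this example; change both for your environment.
const PHI_IDLE_SECONDS = 15 * MINUTE_IN_SECONDS;          // automatic logoff after 15 idle minutes
const PHI_AUDIT_LOG    = '/var/log/wordpress/audit.log';  // outside the web root, writable by PHP only

// Step 6: one JSON line per security event (who, what, when, from where).
// Behind a proxy or CDN, REMOTE_ADDR is the proxy's address; use the header your edge sets.
function phi_audit(string $event, string $user_login, array $extra = []): void {
    $entry = [
        'ts'    => gmdate('c'),
        'event' => $event,
        'user'  => $user_login,   // attacker-controlled on failed logins; JSON encoding keeps it to one line
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        'uri'   => $_SERVER['REQUEST_URI'] ?? '',
    ] + $extra;
    error_log(wp_json_encode($entry) . PHP_EOL, 3, PHI_AUDIT_LOG);   // type 3 = append to file
}

add_action('wp_login', function ($user_login, $user) {
    phi_audit('login_ok', $user_login, ['user_id' => $user->ID]);
}, 10, 2);

add_action('wp_login_failed', function ($username) {
    phi_audit('login_failed', (string) $username);
}, 10, 1);

add_action('wp_logout', function ($user_id) {
    $user = get_userdata($user_id);
    phi_audit('logout', $user ? $user->user_login : 'unknown', ['user_id' => (int) $user_id]);
}, 10, 1);

// Step 5: automatic logoff. WordPress sessions last 2 days (14 with "Remember Me") and are not
// extended by activity, so cap the hard lifetime and add a per-session idle check on top.
add_filter('auth_cookie_expiration', function ($length, $user_id, $remember) {
    return 8 * HOUR_IN_SECONDS;   // assumption: one working day, whether or not "Remember Me" was ticked
}, 10, 3);

add_action('init', function () {
    if (!is_user_logged_in()) {
        return;
    }
    $token   = wp_get_session_token();
    $manager = WP_Session_Tokens::get_instance(get_current_user_id());
    $session = $token !== '' ? $manager->get($token) : null;
    if (!$session) {
        return;
    }
    $now = time();
    if (isset($session['last_seen']) && ($now - (int) $session['last_seen']) > PHI_IDLE_SECONDS) {
        phi_audit('logoff_idle', wp_get_current_user()->user_login);
        wp_logout();                          // destroys this session token; fires the 'wp_logout' hook above
        wp_safe_redirect(wp_login_url());
        exit;
    }
    // Heartbeat polls from an open editor tab must not count as user activity.
    $is_heartbeat = wp_doing_ajax() && (($_REQUEST['action'] ?? '') === 'heartbeat');
    if (!$is_heartbeat) {
        $session['last_seen'] = $now;         // stored alongside the token in the user's session meta
        $manager->update($token, $session);   // one user-meta write per request for logged-in users
    }
});

// Step 7: shrink the attack surface inside the application, where the host's firewall cannot see.
add_filter('xmlrpc_enabled', '__return_false');   // XML-RPC is a password brute-force and pingback-abuse channel
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);           // no theme/plugin editor: a stolen admin session cannot drop PHP
}

// Anonymous REST callers must not list users; the listing leaks admin usernames for password guessing.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```

The audit file lists usernames and addresses, so it is sensitive in its own right: keep it outside the document root, readable only by the web server user and whoever reviews it, and ship it to the host's log management so retention does not depend on one server surviving. The idle check writes user meta on each request, which is negligible for a practice site but worth knowing about before deploying it on a high-traffic portal.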
Step 8: Run a risk analysis and train your staff

Technology is only half of HIPAA. The Security Rule also requires administrative safeguards. You must complete a written security risk analysis under 45 CFR § 164.308(a)(1)(ii)(A) and keep it current: HHS guidance describes this as an ongoing process rather than a one-time document, the widespread practice is a full review at least once a year, and the December 2024 proposal would make an annual review explicit. HHS offers a free Security Risk Assessment Tool that is a good starting point for small practices. You also must train staff on your policies under 45 CFR § 164.308(a)(5). To understand how the administrative, physical, and technical layers fit together, read our guide to HIPAA safeguards explained. Auditors often ask for the risk analysis first, so do not skip it.
Common mistakes to avoid
When practices ask how to make WordPress HIPAA compliant, three mistakes show up again and again. The first is assuming the whole site must move to a special platform, when only the parts that handle PHI need to be compliant. The second is collecting health details through a stock contact form that has no BAA and no encryption. The third is treating compliance as a one-time setup, when it requires ongoing updates, log review, and a yearly risk analysis. Plan for the upkeep, not just the launch.
Recap: how to make WordPress HIPAA compliant
To recap, here is how to make WordPress HIPAA compliant: host with a provider that signs a BAA, map which pages and forms handle PHI, secure any forms that collect it, encrypt data in transit and at rest, control logins, keep six-year audit logs, harden and back up WordPress, and run a yearly risk analysis with staff training. Do those eight things and your WordPress site covers the core Security Rule requirements for the pages that handle PHI, as long as the BAA, the logs, the updates, and the risk analysis are kept current. That, in short, is how to make WordPress HIPAA compliant without guesswork.
Frequently asked questions
How do you make a WordPress site HIPAA compliant?
You make a WordPress site HIPAA compliant by moving it to hosting that signs a BAA, identifying which pages and forms handle PHI, securing those forms, turning on encryption, controlling logins, keeping six-year audit logs, hardening WordPress, and completing a yearly risk analysis with staff training.
Is WordPress HIPAA compliant out of the box?
No. WordPress.com will not sign a BAA, and a standard self-hosted install lacks required safeguards. You can make a self-hosted WordPress site compliant by adding compliant hosting, secure forms, encryption, access controls, and logging.
Do I need HIPAA hosting if my site only has a contact form?
If that form collects health information, yes. The risk comes from the data, not the page count. A form that asks about symptoms or conditions handles PHI and must be protected.
Are WPForms or Contact Form 7 HIPAA compliant?
Not on their own. They do not sign a BAA and do not encrypt submissions by default. Use a form tool built for HIPAA that will sign a BAA, and stop emailing entries in plain text.
Does every page on my website need to be compliant?
No. Only pages that collect, display, or store PHI must meet HIPAA standards. Plain informational pages that store no patient data do not carry the same requirements.
How long does it take to make a WordPress site compliant?
With a managed HIPAA host handling migration and configuration, the technical setup often takes a few days to a couple of weeks. The administrative work, such as your risk analysis and staff training, is ongoing.
Get help making your WordPress site compliant
Knowing how to make WordPress HIPAA compliant is one thing; configuring it is another. HIPAA Compliant Hosting is a managed HIPAA hosting provider, so we have a commercial interest in this topic. We share these steps because a covered entity that understands them makes safer choices, whoever it hosts with. If you would rather not configure the technical safeguards yourself, our HIPAA compliant WordPress hosting sets up the firewall, encryption, access controls, and six-year logging for you, signs the BAA, and migrates your existing site at no extra charge, with plans starting at $229 per month.
This article is general information, not legal advice. Regulatory details are based on the current HIPAA Security Rule (45 CFR Part 164) as of June 2026; the encryption and MFA changes proposed in the December 2024 NPRM are not yet final. Confirm your specific obligations with qualified legal counsel.