Making sure that your WordPress website is HIPAA compliant is essential if you’re accessing or interacting with anyone’s electronic protected health information (ePHI).
Protecting people’s data and finding a HIPAA compliant WordPress host can seem like a challenge. However, we have a specific recommended HIPAA compliant web host that ticks all the right boxes.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets out strict requirements that need to be met in order for businesses to be compliant. Here are our recommendations below.
How Does A Web Host Become HIPAA Compliant?
Our detailed HIPAA compliance guide talks in-depth about the HIPAA rules and breaks down the HIPAA compliance checklist.
The HIPAA Security Rule establishes the administrative, physical and technical safeguards that must be in place to protect individuals’ ePHI. WordPress itself isn’t HIPAA compliant and doesn’t offer a HIPAA compliant hosting service. There is also no official HIPAA certification: compliance is something you demonstrate through those safeguards, your documentation and a Business Associate Agreement (BAA) with every vendor that handles ePHI. Your hosting company must therefore provide the relevant stringent security measures and sign a BAA with you, and you remain responsible for everything above the infrastructure: the WordPress installation, its plugins and themes, its user accounts and how ePHI flows through the site.
The most reliable way to keep a compromise of your WordPress website from exposing patients’ ePHI is not to store ePHI in WordPress at all. A secure third-party environment is essential to house that data, whether you choose a managed HIPAA compliant hosting service, a cloud computing environment, or something else, and whoever operates it must sign a BAA with you. As well as protecting a patient’s ePHI at the web hosting layer, you can carry the same approach through the way you practice your business, for example by using HIPAA compliant telemedicine software.
Dedicated data storage facilities offer protocols and features (encryption at rest, access logging, audited physical security) that WordPress and many web hosts can’t. Storing ePHI outside of WordPress also reduces the additional measures you need to put in place to make the WordPress website itself HIPAA compatible: if the site holds no ePHI, a plugin vulnerability or a leaked database backup is a far smaller incident.
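As an added example of this approach (it is not code from this article, from WordPress or from any host), here is a must-use plugin that takes a patient intake form and forwards it to an external ePHI store instead of writing it to the WordPress database, next to the naive version that puts ePHI into wp_posts and wp_postmeta. The endpoint URL, the EPHI_STORE_* constants, the bearer-token header, the form field names, the intake_receipt post type and the id field in the reply are all assumptions for illustration; registering the post types is omitted.

```php
<?php
/*
 * Added example, not code from the article, from WordPress or from any host.
 * A must-use plugin (wp-content/mu-plugins/) that accepts a patient intake
 * form and forwards it to an external ePHI store, keeping the WordPress
 * database free of PHI. The endpoint URL, API key constant, header scheme,
 * form field names and the JSON reply shape are all assumptions.
 */

// Assumed: defined in wp-config.php so the secret never sits in wp_options.
if ( ! defined( 'EPHI_STORE_URL' ) ) {
    define( 'EPHI_STORE_URL', 'https://ephi-store.example/v1/intake' );
}
if ( ! defined( 'EPHI_STORE_API_KEY' ) ) {
    define( 'EPHI_STORE_API_KEY', 'replace-me-in-wp-config' );
}

/* Anti-pattern: the obvious WordPress way. The patient name lands in wp_posts
 * and the diagnosis in wp_postmeta, so every backup, every plugin with DB
 * access and every SQL injection bug on the site now touches ePHI.
 * Shown for contrast only; do not use. */
function intake_store_in_wordpress_unsafe( array $fields ) {
    $post_id = wp_insert_post( array(
        'post_type'   => 'intake',
        'post_status' => 'private',
        'post_title'  => $fields['patient_name'],
    ) );
    update_post_meta( $post_id, 'diagnosis', $fields['diagnosis'] );
    return $post_id;
}

/* Hardened path: sanitise, forward over verified TLS, fail closed, and keep
 * only the opaque reference id the external store hands back. */
function intake_forward_to_ephi_store( array $fields ) {
    $payload = array(
        'patient_name' => sanitize_text_field( $fields['patient_name'] ),
        'diagnosis'    => sanitize_textarea_field( $fields['diagnosis'] ),
        'submitted_at' => gmdate( 'c' ),
    );

    $response = wp_remote_post( EPHI_STORE_URL, array(
        'timeout'   => 10,
        'sslverify' => true, // never switch this off for ePHI traffic
        'headers'   => array(
            'Content-Type'  => 'application/json',
            'Authorization' => 'Bearer ' . EPHI_STORE_API_KEY, // assumed scheme
        ),
        'body'      => wp_json_encode( $payload ),
    ) );

    if ( is_wp_error( $response ) || 201 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        // No local fallback: a failed hand-off must not turn into a DB write.
        return new WP_Error( 'ephi_store_unavailable', 'Intake could not be recorded.' );
    }

    $reply = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $reply['id'] ) ) { // 'id' is an assumed field name
        return new WP_Error( 'ephi_store_bad_reply', 'No reference id returned.' );
    }
    return (string) $reply['id'];
}

add_action( 'admin_post_nopriv_patient_intake', 'handle_patient_intake' );
add_action( 'admin_post_patient_intake', 'handle_patient_intake' );
function handle_patient_intake() {
    $nonce = isset( $_POST['intake_nonce'] ) ? $_POST['intake_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'patient_intake' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    $ref = intake_forward_to_ephi_store( array(
        'patient_name' => isset( $_POST['patient_name'] ) ? wp_unslash( $_POST['patient_name'] ) : '',
        'diagnosis'    => isset( $_POST['diagnosis'] ) ? wp_unslash( $_POST['diagnosis'] ) : '',
    ) );

    if ( is_wp_error( $ref ) ) {
        // Log the error code only; never log the submitted fields.
        error_log( 'patient_intake failed: ' . $ref->get_error_code() );
        wp_safe_redirect( add_query_arg( 'intake', 'error', home_url( '/' ) ) );
        exit;
    }

    // What WordPress keeps: a receipt holding the opaque reference, no PHI.
    wp_insert_post( array(
        'post_type'   => 'intake_receipt',
        'post_status' => 'private',
        'post_title'  => 'Intake ' . $ref,
    ) );
    wp_safe_redirect( add_query_arg( 'intake', 'ok', home_url( '/' ) ) );
    exit;
}
```

Drop the file into wp-content/mu-plugins/, define the two constants in wp-config.php, and point a form with a hidden action=patient_intake field and wp_nonce_field( 'patient_intake', 'intake_nonce' ) at admin-post.php. The properties that matter are that a failed hand-off returns an error rather than falling back to a local write, that certificate verification stays on, and that nothing logged or stored in WordPress contains the patient’s data.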
Although WordPress’s core features fall short of what a HIPAA compliant platform needs, security plugins can supply some of the required technical safeguards, such as a web application firewall, login protection and activity logging. They cannot supply all of them, and no plugin replaces a BAA or a documented risk analysis.
A popular plugin is Wordfence, whose Threat Defense Feed pushes updated firewall rules and malware signatures to your site so that known attacks are blocked. It also includes a web application firewall that can block traffic from entire countries (a premium feature) and locks out repeated failed logins to combat brute force attacks.
Unfortunately, just purchasing and installing such a plugin isn’t sufficient. It must be configured for your website’s needs (firewall in blocking rather than learning mode, login lockouts enabled, alerts going to someone who reads them) and kept updated, along with WordPress core and every other plugin and theme. A single missed update can leave a known vulnerability exposed and cause a whole world of pain for you and your patients’ data.
HIPAA Compliance Hosting
Our recommended web host for HIPAA compliant hosting is LiquidWeb. LiquidWeb offers a range of hosting services that meet HIPAA compliance guidelines, including:
- Managed Dedicated Servers
- VPS Hosting
- Cloud Dedicated Solutions
In order to secure your healthcare data, LiquidWeb offers the following:
- 24/7/365 on-site support
- LiquidWeb owned core data centers
- Fully managed servers
- Locked server cabinets
- High availability infrastructure
- Hardware firewall
- Data encryption
- Business Associate Agreement (BAA)
- Offsite backups
- Extensive administrative, physical and technical safeguards
LiquidWeb HIPAA Hosting Plans
LiquidWeb’s data centers have physical security systems in place to ensure your data is protected. These include the following extensive solutions.
Minimize Risk of Loss and Theft
- 24/7/365 manned facilities
- 24/7/365 monitoring by third-party security company
- Controlled site entrance with EPACS
Minimize Risk of Damage
- High security facilities
- Privately owned and operated data centers
- Durable, poured concrete external walls
- Disaster neutral geographic locations
Advanced Fire Prevention
- Dry pipe preaction, double interlock system
- NFPA 13 compliant
- Office space separate from data center
- Advanced proximity credentials required for access
- All employees receive a full background check
- Key locked physical server rack enclosures
- Component level redundancy for hard drives
- Hot and cold spare on-site servers
- Exterior entrances secured by mantraps with interlocking doors
- Data center space access requires secure credentials
Uninterruptible Power Supplies
- Multiple N+1 generators
- Multiple fuel contracts to ensure fuel availability
- Multiple N+1 UPS systems with 30 minute minimum runtime
- Server chassis feature redundant power supplies
- Server chassis has A/B power configurations
- Redundant ASCO closed transition bypass isolation transfer switches
- Capability to provide tier-4 power
- Four 10 megawatt feeds
- Diverse paths from substation
- 2N power