Is WordPress HIPAA compliant?

No, WordPress does not define itself as a HIPAA compliant system. Covered entities shouldn’t use this software for protected health information (PHI).

Just so you know

Collect patient contact information, medical records, and payments with JotForm's HIPAA-compliant forms.
WordPress offers a variety of website security features, but they have not declared that these controls are sufficient to meet HIPAA regulations. Multiple security breaches over the years have shown that vulnerabilities are frequently found in the software.

It is possible to meet specific HIPAA standards in WordPress, but this process is complicated. Controls must be in place to prevent unauthorized access to the administration control panel and PHI. Additionally, transmission security controls are necessary to encrypt data in transit and secure information at rest.

WordPress isn’t willing to sign a business associate agreement (BAA). If covered entities choose WordPress for website design and content management, they shouldn’t upload PHI to the site.

Covered entities don’t need a BAA if PHI is accessed through a plug-in and stored separately from the website. If you’re using a third-party plug-in for PHI, then it’s necessary to obtain a BAA from the plug-in developer. This use of WordPress is risky because plug-ins often have vulnerabilities that could make it easy for hackers to access PHI.

Without a BAA, covered entities can use this software for general communication that doesn’t collect or store PHI on the site. For example, a blog to communicate with patients doesn’t require HIPAA compliance. But an online scheduling system to book appointments on the website violates HIPAA rules since it collects patient information.

Product details

Company Logo

Business Associate Agreement


HIPAA Compliant


Product description

WordPress is a content management system that offers open-source services for website design and more. Available features include templates and plug-in architecture to provide easy-to-use, customizable solutions for each site.


Readers should perform their own research before making the final decision. The information on the Jotform HIPAA Compliance Checker does not constitute official healthcare or legal advice. Jotform is not liable for any damage or liabilities arising out of or connected in any manner with this platform.

If you see any incorrect, incomplete or inaccurate information, please request correction by filling the form below.

Request Correction