No, WordPress isn’t HIPAA compliant. Covered entities shouldn’t use this software for protected health information (PHI).
WordPress offers a variety of website security features, but these controls aren’t sufficient to meet HIPAA regulations. Multiple security breaches over the years have shown that vulnerabilities are frequently found in the software, in its core as well as in the themes and plug-ins it runs.
It is possible to meet specific HIPAA standards in WordPress, but doing so is complicated. Access controls must be in place to prevent unauthorized access to the administration control panel and to any PHI. Additionally, transmission security controls are necessary to encrypt PHI in transit, and separate controls are needed to secure it at rest.
WordPress isn’t willing to sign a business associate agreement (BAA). If covered entities choose WordPress for website design and content management, they shouldn’t upload PHI to the site.
Covered entities don’t need a BAA with WordPress if PHI is accessed through a plug-in and stored separately from the website. If you’re using a third-party plug-in to handle PHI, then it’s necessary to obtain a BAA from the plug-in developer instead. This use of WordPress is still risky, because plug-ins often have vulnerabilities that could make it easy for attackers to access PHI.
Without a BAA, covered entities can use this software for general communication that doesn’t collect or store PHI on the site. For example, a blog used to communicate with patients doesn’t require HIPAA compliance. But an online scheduling system that books appointments on the website violates HIPAA rules, since it collects patient information.