Skip to content
HIPAA Graphic

Can you make WordPress & WooCommerce HIPAA-compliant?

Jun 26, 2023 | HIPAA Web Development

HIPAA (Health Insurance Portability and Accountability Act) compliance is critical for any system that handles protected health information (PHI). While WordPress and WooCommerce are not inherently HIPAA-compliant platforms, there are ways to implement HIPAA compliance, though it can be quite complex.

We do a lot of different deployments for HIPAA (pharmaceutical companies, clinics,  medical device manufacturers & HIPAA-adjacent (e.g. Med-Spas).

There is a right way and a wrong way to encrypt and meet HIPAA standards. Here we will give a basic overview of the elements of a HIPAA Web Development project that have to be covered in order to be compliant and adhere to best practices.

If you want an easier way to achieve NIST-level encryption standards – you should consider implementing Transparent Data Encryption (TDE) which we will cover in detail later in another article.

Both MySQL Enterprise and MS SQL have TDE options and you can use a Key Vault to rotate keys with Oracle KeyVault, AWS or Azure.

Howver, first, you must start with a HIPAA-compliant web hosting platform.

  1. Secure Hosting: Start with a hosting service that offers HIPAA-compliant servers. They need to have appropriate physical and network security, encrypted data transfer, regular security audits, and a Business Associate Agreement (BAA) in place.
  2. SSL Certificate: Install an SSL certificate on your website for secure and encrypted data transfer.
  3. Access Controls: WordPress should be set up with strong user roles and permissions. Use two-factor authentication and ensure there are strong passwords for all users.
  4. Audit Controls: Implement a mechanism to record and examine activities in information systems that contain or use electronic protected health information.
  5. Data Backups and Disaster Recovery Plan: Have a regular backup schedule and a disaster recovery plan in place. The backups should also be encrypted and stored securely.
  6. Regular Updates and Security Checks: Regularly update your WordPress and WooCommerce, along with all plugins, and ensure regular security checks.
  7. Data Encryption: The database where you store user data should use end-to-end encryption.
  8. Secure Forms and Checkout: Use HIPAA-compliant forms and secure checkout options.
  9. Limited Data Storage: Store as little PHI as possible. If you don’t need it, don’t collect it or store it.
  10. Risk Analysis and Management: Regularly perform a risk analysis to assess potential vulnerabilities in your security systems and remediate them.
  11. Third-party Vendors: Make sure any third-party vendors or plugins are also HIPAA compliant.

What WooCommerce Tables need to be encrypted for HIPAA-compliance?

When considering HIPAA compliance and WooCommerce, it’s important to understand that any table storing protected health information (PHI) should be encrypted. However, WooCommerce does not typically store health information unless you’ve configured it to do so, or if you’re using additional plugins that collect and store health data.

WooCommerce typically creates the following tables in your WordPress database:

  1. woocommerce_api_keys
  2. woocommerce_attribute_taxonomies
  3. woocommerce_downloadable_product_permissions
  4. woocommerce_log
  5. woocommerce_order_itemmeta
  6. woocommerce_order_items
  7. woocommerce_payment_tokenmeta
  8. woocommerce_payment_tokens
  9. woocommerce_sessions
  10. woocommerce_shipping_zone_locations
  11. woocommerce_shipping_zone_methods
  12. woocommerce_shipping_zones
  13. woocommerce_tax_rate_locations
  14. woocommerce_tax_rates
  15. woocommerce_termmeta

Of these, the woocommerce_order_itemmeta and woocommerce_order_items tables may potentially contain PHI if you’ve configured your store to sell products that require such information.

You should also consider other WordPress tables, like wp_users and wp_usermeta, which might contain identifiable information that, in conjunction with health data, could be considered PHI.

End-to-end database encryption is generally recommended as the safest measure. However, the process of database encryption can be complex and would likely require a web developer or a database administrator who is familiar with encryption and data security. Additionally, the database would need to be managed and hosted in a HIPAA-compliant environment.

Moreover, remember that encryption is just one aspect of HIPAA compliance. You should consult with a legal expert or a professional specialized in HIPAA compliance to ensure all areas of the law are properly addressed.

Ensuring HIPAA compliance is a continuous process, not a one-time setup. Also, HIPAA compliance does not depend only on the technology but also on organizational policies, procedures, and staff training.

It’s always a good idea to work with a professional who specializes in HIPAA compliance when dealing with sensitive health data. You should also consult with a legal expert to ensure that you are fully compliant with all aspects of the law.

If you would like HIPAA consulting on best practices and other NIST recommended best practices – please reach out using the form below for a FREE consult.

Related posts:

  1. De-Identification of Information in HIPAA-Compliant Ecommerce – A Quick List for Developers.
  2. 10 Unintentional Ways Healthcare Organizations Violate HIPAA on Their Websites
  3. Understanding HIPAA Compliance for Gyms
  4. HIPAA and Health Apps: Protecting Patient Data in Mobile Health Technologies

If you are interested in HIPAA compliant web hosting you can look at packages we offer below.

HIPAA Hosting Solutions

Contact Us Today!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
I would like to be contacted by:*
Select all that apply.

Categories

Join Our Newsletter List!

* indicates required
Test