WooCommerce HIPAA Integration

Is WordPress HIPAA Compliant? How to Keep WordPress & WooCommerce Secure

Updated  |  6 min read
Key Takeaways
  • WooCommerce is a popular eCommerce plugin for WordPress websites, allowing users to create online stores.
  • Is WordPress HIPAA compliant? Out of the box, WooCommerce and WordPress do not provide native support for HIPAA (Health Insurance Portability and Accountability Act) compliance.
  • To achieve HIPAA compliance, additional measures need to be taken, such as implementing appropriate security controls, encryption, access controls, and audit controls to keep logs.
  • It may involve using specialized HIPAA-compliant web hosting, plugins, or custom development to ensure that the website and its associated processes meet the necessary HIPAA requirements.
  • It's crucial to consult with experts or seek specialized solutions to follow HIPAA guidelines and ensure compliance when dealing with healthcare-related data.
HIPAA-compliant WordPress hosting improves transmission security controls.

WooCommerce and WordPress HIPAA Compliance

The commerce aspect of the medical profession continues to ramp up as more people become comfortable with booking appointments online, seeking medical advice on telemedicine apps, or ordering their prescription drugs through an online pharmacy portal.

Many health practitioners and health-related businesses are taking advantage of this by hosting their own websites to provide advice or offer medical-related supplies to patients. Confidential information pours in, information that's even more important than credit card numbers.

We're talking, of course, about their healthcare information. This is often called electronic protected health information (ePHI) and comes in the form of electronic medical records (EMR) or electronic health records (EHR). Due to the sensitive nature of the data, HIPAA-compliant website design becomes an absolute necessity.

What Is HIPAA?

HIPAA is an act of Congress passed in 1996 to oversee this protected health information (PHI). These guidelines and regulations are constantly updated and force medical providers and vendors, called covered entities, to protect this information when stored or transferred electronically. It requires every covered entity (as well as their parnters who have signed a business associates agreement [BAA]) to protect customer information regarding:

  • Web forms: Any forms submitted by patients that contain ePHI must be HIPAA compliant.
  • Content management system: Whether you're creating a WordPress website or using a different content management system (CMS) it has to be HIPAA compliant.
  • HIPAA-compliant hosting: Transmission security controls must be in place, encrypted in transit and at rest.
  • Administrative safeguards: Administrative safeguards include HIPAA-compliant access controls that limit who can access information.
  • Audit controls: Audit controls are necessary to record who has accessed what information. Audit controls are a requirment to be HIPAA compliant in case there is a goverenment inquiry regarding HIPAA violations.
  • Physical security controls: Physical access controls and restrictions to computers, tablets, and servers are necessary to stay HIPAA compliant.

Websites create one of the most vulnerable locations to store this information, whether it's a sales portal or a patient/doctor portal.

If your site is on WordPress, or you're considering WordPress and WooCommerce as your healthcare portal, there are some very important questions to ask regarding their abilities as a hosting provider. What are WordPress security best practices? Is WooCommerce secure “out of the box”? What are the biggest WooCommerce security issues as an eCommerce platform, and is it PCI DSS compliant? And, perhaps most importantly: What does HIPAA compliance mean and is WordPress HIPAA compliant?

Access controls for a WordPress website can answer is WordPress HIPAA compliant
WordPress HIPAA Compliance Isn't Easy

If you're using WordPress or WooCommerce, making sure that you have a HIPAA WordPress site is absolutely vital to the health of your business. Clarity can make sure that you have the security you need to protect protected health information.

What Does HIPAA Compliance Mean?

HIPAA ensures the privacy and security of PHI, which includes electronic medical records (EMR) and electronic health records (EHR). Covered information includes any information regarding patient health, their prescriptions, and the doctors they have visited. It also includes more basic information, such as the name and contact information a patient enters on a medical website when they're simply asking a question. (This is why WordPress HIPAA-compliant web forms are so important.)

Data covered by HIPAA is submitted in many ways.

  • Old medical forms are transferred to electronic forms by data entry workers. The initial entry could include scanning the information with optical character recognition (OCR) software.
  • Information that patients fill out on paper is transferred to an electronic form by data entry workers.
  • Doctors will enter the information directly on a doctor/patient portal.
  • Patients fill out HIPAA-compliant web forms or use a patient portal.
  • Patients enter information via a HIPAA-compliant mobile app.

This electronic protected health information, sometimes referred to as ePHI in its electronic form, is now covered by HIPAA. HIPAA compliance requirements apply to anyone who is able to provide treatments and receive payments for any medical service or prescription product.

Covered Entities

Covered entities include—but are not limited to—companies providing health plans (insurance or maintenance services provided on a private or governmental basis), health service providers (doctors, dentists, psychologists, chiropractors, and nursing homes), and anyone providing a product prescribed by a physician (e-pharmacy and medical supply companies providing durable medical equipment [DME]).

Covered entities must get patient or customer permission before transferring ePHI.


Business associates related to any of the covered entities above must also be HIPAA compliant (third-party data developers, claim handlers, transcriptionists). This is called a business associate agreement, known in the healthcare industry as a BAA. HIPAA compliance is enforced by the Office for Civil Rights (OCR), a division of Health and Human Services that can levy significant fines and force businesses to disclose their own HIPAA violations.

CEs also have to be aware of the significant damage that can occur to the reputation if the public discovers the business is not being careful with the ePHI in its care.

Stay HIPAA Compliant

The OCR can assess HIPAA fines per record, a situation you don't want to find your business in. Let Clarity help build your eCommerce platform and uphold PHI data security.

What Information Does HIPAA Protect?

According to official sources, information protected by HIPAA includes all "individually identifiable health information" submitted in paper, oral, or electronic form by any of the covered entities and/or any associated collaborating business partners.

Such information includes demographic and medical records (health condition, provision of health care, payment for treatment) of individuals regarding their past, present, and future, which can be potentially used to identify an individual.

Informing Patients

Each covered entity must present patients and prospective customers with the explicit policy on data privacy and safety, whether that information is gained in person, via a HIPAA website, a HIPAA-compliant forms plugin, or other submitted forms process.

Failure to do so could lead to trouble if you transfer that information to another healthcare professional with the patient or customer's written permission (which can include online digital signatures).

When Authorization Is Required

EPHI might be used without the authorization of the individual who provided it when it comes to consultation for treatment, healthcare operations, payments associated with these activities, or any other activity as specified by the Privacy Rule.

However, authorization is required when ePHI is to be used for marketing purposes, or when a specific form of ePHI (i.e., psychotherapy notes) is to be used for legal defense in court, such as where an individual has filed a lawsuit against the associated practitioner.

Five Rules of HIPAA

There are five rules covering most of the important aspects of HIPAA one needs to be aware of (this list is not exhaustive).

  • According to HIPAA’s Privacy Rule, patients are allowed to access (and amend) their ePHI, have to be alerted upon the usage of their ePHI, and information is to be shared with external parties only under strict guidelines. According to HIPAA's Privacy Rule, patients are allowed to access (and amend) their ePHI, have to be alerted upon the usage of their ePHI, and information is to be shared with external parties only under strict guidelines. The "P" in HIPAA, which stands for "Portability," means that the patient or customer has the legal right to take their medical information with them anywhere. You must also honor all requests to remove their information from your records.
  • The HIPAA Security Rule complements the previous rule and governs the secure transmission, maintenance, and handling of specifically ePHI, with three levels of data protection (technical, administrative, and physical safeguards), with several security standards naming requested and suggested implementations. Technical protection involves securing platforms, websites, and servers (whether on-premises or in the cloud). Administrative safeguards include training staff to protect information to fight against social engineering attacks (i.e., phishing). Physical safeguards require covered entities to take steps to secure computers, tablets, and server rooms.
  • The HIPAA Breach Notification Rule sets guidelines that must be followed in the event of a data breach to ensure that the covered entity mitigates the event and that a similar violation will not happen again. HIPAA violations include data loss through stolen storage devices, hacking of electronic health records, data breach from a business associate, loss of information kept on HIPAA cloud storage physical break-in of offices where PHI is stored, or accidental exposure of PHI to the wrong patient.
  • The HIPAA Enforcement Rule refers to the obligation of HIPAA compliance for eCommerce platforms to notify prospective customers about the fate of their data.
  • The Omnibus Rule covers the mandatory HIPAA compliance of business associates to other covered entities with a business associate agreement (BAA).
HIPAA covered entities must also provide physical security controls.

How Can HIPAA Compliance Be Assured?

HIPAA regulations can be very confusing, especially for someone starting a business that requires HIPAA compliance. HIPAA is constantly changing as technology evolves, making it even more difficult to keep up with the latest laws that must be followed.

Many companies will have a HIPAA compliance officer (or committee) with access controls that can provide training for anyone who has access to HIPAA data. This is especially important if you're continuously making WordPress HIPAA compliant. Internal audits and monitoring should be used to identify potential issues before becoming threatening to the business, even with something as simple as accepting HIPAA forms.

Extensive research by compliance staff will ensure they choose the best platform on which to build their HIPAA-compliant WordPress website and patient/doctor portal. Some software is better at maintaining HIPAA compliance encryption requirements than others. A HIPAA-compliant hosting provider is also a necessity to maintain security.

A HIPAA-compliant hosting provider satisfies some HIPAA regulations.
HIPAA Experience Pays Off

Working with a telemedicine app developer that has extensive experience with EMR/EHR integration is one of the easiest ways to ensure HIPAA-compliant hosting, a HIPAA-compliant website, and HIPAA-compliant web forms. Clarity can help.

The Relationship Between HIPAA and WordPress

Is WordPress HIPAA compliant? WordPress is one of the biggest website hosts, offering the ability to create a website from scratch without much prior technical knowledge. Unfortunately, this ease of use can lead to less robust security; every site built on WordPress is a target because a hack that infiltrates one WordPress site can infiltrate many.

The Problem with Plugins

Another disadvantage has to do with plugins. There are many useful plugins for WordPress, but installing them and updating them can crash a site. Some eCommerce customers get so leery of updates that they stop updating plugins altogether, a practice that opens them up to security issues.

WordPress will not sign a BAA (business associate agreement) because it will not ensure the sensitive data is protected enough.

WooCommerce Isn't Safe Out of the Gate

WooCommerce is a plugin of WordPress that creates eCommerce platforms, allowing customers to purchase products and services. It is a very popular and powerful platform that combines ordering, shipping, tracking, inventory management, and many other features that draw many businesses in.

But while WooCommerce might have the necessary security to provide protection for credit card data, its basic offerings do not provide enough security to satisfy HIPAA best practices.

WooCommerce, WordPress, and Compliance

Many covered entities are curious if a WordPress website and WooCommerce can be combined to create a HIPAA-compliant website. We're not saying that secure WordPress and WooCommerce integration can't be done; a good developer can make it happen.

We're simply telling you that WordPress and WooCommerce security issues must be carefully dealt with—and updates must be planned—in order to keep HIPAA standards.

A HIPAA-compliant hosting provider can ensure HIPAA compliance.

HIPAA Compliance in the Online Age

Data protection is a big issue in the online world, but protection is even more vital when the data is ePHI. A HIPAA website and collected form data should follow all the policies and standards set by HIPAA, especially if WooCommerce is used to set up an eCommerce platform.

Is WordPress compliant, though? Is WooCommerce secure? The simple answer is no, they are not. ePHI transmission and handling through this platform will almost certainly violate HIPAA unless additional security measures are implemented.

Does this mean that businesses should avoid using WordPress sites and WooCommerce to conduct online business? Not necessarily. There are ways to bypass HIPAA non-compliance by diverting ePHI to be stored (and handled) in external third parties which follow HIPAA compliance and satisfy HIPAA IT checklists. Such methods include WooCommerce ERP Integration and the use of separate APIs, without compromising the shopping interface and overall experience of customers.

Clarity has helped many clients with their WordPress and WooCommerce integration and ensured that they are HIPAA compliant. We're ready to help you navigate the difficulties that arise when HIPAA security best practices must be kept.


Uncompromised HIPAA-Compliant WordPress Security

HIPAA compliance for your website or hosting platform should never be an afterthought. Clarity can help you plan your WordPress and WooCommerce security long before launch.

We'd love to show you what we can do with HIPAA eCommerce. Get a free discovery session with our experts to discover what solutions will best fit your business.

A HIPAA-compliant hosting provider secures protected health information.



Yes, you'll need HIPAA-compliant WordPress hosting for your HIPAA-compliant website. There are many vectors by which hackers steal information, including via the CMS (such as WordPress or plugins like WooCommerce), social engineering (phishing), or cloud computing (Microsoft Azure or AWS). Hosting services is another to attack the protected health information in your care.

HIPAA-compliant WordPress hosting is a must in order to keep all ePHI as safe as possible. Make sure the HIPAA developer for your website has a plan to put guide you to a reliable HIPAA-compliant hosting provider.

HIPAA-compliant hosting is an absolute must, no matter whether you're looking for hosting a WordPress website or any other CMS (content management system). A a covered entity, you are required to seek out a HIPAA-compliant hosting provider that will sign a business associate agreement (BAA) detailing the legal responsibilities they will accept administrative safeguards are breached.


Is WordPress HIPAA compliant when plugins are used? Unfortunately, most of the time the answer is no.

A HIPAA-compliant WordPress plugin might be deemed perfectly secure and reliable on the day you install it. But hackers are constantly discovering new vulnerabilities, which means that all plugins must be updated. Unfortunately, updates to plugins are one of the most common reasons WordPress websites crash.

Because business owners are aware of such crashes—often having been burned before when their own site goes down during a plugin update—they may ignore plugin updates altogether. Unfortunately, this means the website doesn't have the most updated security plugins and is now more vulnerable, since it no longer meets HIPAA compliant standards.

Hackers can exploit the hole in security and steal data from HIPAA WordPress forms. HIPAA-compliant hosting is also important in order to ensure HIPAA compliance.


Is it possible to create HIPAA-compliant WordPress forms? Yes, creating HIPAA-compliant WordPress forms is possible. But much like WordPress itself, these forms might not be as secure as receiving HIPAA forms without additional security bolstering.

It’s vital for you to find a HIPAA developer that has experience creating these forms, whether you’re working on WordPress, DNN, or a proprietary platform. An experienced developer can provide HIPAA-compliant services and have already solved many of the problems that occur with healthcare websites.


While HIPAA-compliant WooCommerce isn’t easy, it is possible. It’s vital to your business's success that you choose a HIPAA developer that can properly secure the ePHI in your care.

If you are wondering how to make your website HIPAA-compliant, a platform change might be the best solution. Platforms such as DNN are much more secure and easier to make HIPAA compliant. This gives an additional benefit by updating your eCommerce platform and creating a friendlier HIPAA website.


WooCommerce is not HIPAA compliant in its native state. The popular WordPress eCommerce plugin is designed to facilitate sales and protect credit card numbers and can be made PCI-DSS compliant with enough effort put into it. It is not natively designed to protect ePHI.

HIPAA-compliant WooCommerce requires additional effort to satisfy the requirements as spelled out by the Office for Civil Rights, the division of US Health and Human Services that enforces the Health Insurance Portability and Accountability Act.


Is WordPress HIPAA compliant? It depends. WordPress, as most people use it, is not HIPAA compliant. WordPress can be made HIPAA compliant, but it takes considerable effort to do so. It’s often easier to capture EMR/EHR outside of WordPress so that the data is secure in a location/method specifically built to handle sensitive patient information.

The primary problem with making WordPress HIPAA compliant is that a security vulnerability found on one WordPress site can be used to exploit others. Hackers can share this information, so even if your website wasn’t a target before, it will be tested to see if the same exploit works on your site. It's best to find a developer that can help with HIPAA-compliant WordPress hosting as well as other security measures.

Still have questions? Chat with us on the bottom right corner of your screen #NotARobot

Sitefinity developers can make custom widgets for Sitefinity DX.
Stephen Beer is a Content Writer at Clarity Ventures and has written about various tech industries for nearly a decade. He is determined to demystify HIPAA, integration, enterpise SEO, and eCommerce with easy-to-read, easy-to-understand articles to help businesses make the best decisions.