Is WordPress HIPAA Compliant for Healthcare Websites?

What medical clinics need to know about WordPress and HIPAA compliance — the critical difference between WordPress.com and self-hosted WordPress, BAA availability, and when a clinic website creates PHI exposure.

Short answer

WordPress.com (the hosted service run by Automattic) does not offer a HIPAA BAA — it cannot be used for any website feature that collects or processes PHI. Self-hosted WordPress (the open-source software installed on the clinic's own server or a hosting provider) is just software — HIPAA compliance depends entirely on the hosting environment. Clinics with self-hosted WordPress sites that collect patient data must use a HIPAA-compliant hosting provider that offers a BAA, such as WP Engine's healthcare tier. Contact forms, appointment request forms, and any other mechanism that collects patient health information create PHI at the point of submission.

Is WordPress HIPAA compliant? The answer depends entirely on which WordPress you mean. WordPress.com — the hosted service run by Automattic — does not offer a HIPAA BAA and cannot be used for any PHI-collecting functionality. Self-hosted WordPress — the open-source software installed on a server — is just software. HIPAA compliance for a self-hosted WordPress site depends on the hosting provider and its BAA, not on WordPress itself.

This distinction trips up many small clinics. Understanding it is the first step toward making a compliant decision.

WordPress.com: no BAA, no HIPAA coverage

WordPress.com is the consumer and business hosting platform run by Automattic. It is a convenient all-in-one website solution — Automattic provides the hosting, the software, the CDN, the email handling, and the database. This is the platform many small clinic websites land on.

Automattic does not offer a HIPAA BAA for WordPress.com accounts. No plan — not Personal, Business, or Commerce — provides HIPAA compliance. If a clinic website runs on WordPress.com and collects any PHI through a contact form, appointment request form, symptom checker, or any other feature, that data is being processed by a system with no HIPAA contractual protection.

This is a clear, documented limitation. Automattic’s privacy policy governs how your data is handled — and it is not a Business Associate Agreement.

Self-hosted WordPress: the right question is your host

Self-hosted WordPress (the software distributed at WordPress.org) is installed on a server. The server is managed by either the clinic’s own IT team or a hosting provider. WordPress itself is open-source software — it has no data processing obligations, no BAA to offer, and no HIPAA compliance in any direct sense.

The HIPAA compliance question for a self-hosted WordPress site is: who hosts the server, and do they offer a BAA?

If the hosting provider offers a HIPAA BAA and the clinic has executed that agreement, then the hosting infrastructure is covered. From there, the clinic must ensure that:

  • The specific services covered under the BAA match how the site operates (database, backups, email handling, CDN, object storage)
  • The form tools used to collect patient data also meet HIPAA requirements
  • Access controls to the WordPress admin panel are appropriate
  • Audit logging is enabled at the server and application level

WP Engine’s healthcare tier is one example of a managed WordPress hosting provider that offers a HIPAA BAA for qualifying accounts. Other managed WordPress hosts may also offer healthcare compliance options — verify with each provider before committing.

When a clinic website creates PHI exposure

Not every clinic website collects PHI. A site that lists services, provides contact information, posts blog content, and displays staff profiles is not collecting patient health information.

PHI enters the picture through forms and interactive features:

Appointment request forms. A form that asks for the patient’s name, phone number, preferred appointment time, and the reason for the visit collects PHI at the point of submission. “Reason for visit” combined with patient identity is health information.

Symptom or condition questionnaires. Any form that asks patients to describe their symptoms, current medications, or health history is collecting clinical health information — PHI by definition.

Insurance verification forms. Collecting insurance carrier, member ID, and subscriber information from a named patient is collecting payment-for-healthcare information — a category of PHI.

Prescription refill requests. A form that asks patients to request medication refills by name, medication, and dosage collects PHI.

Patient portal login pages. If the WordPress site serves as a front door to a patient portal, login credentials combined with the portal’s health data create a PHI-handling relationship with the web server.

General contact forms (“Name / Email / Message” with no health context) are lower risk, but should still be evaluated based on the types of messages patients are likely to submit.

The form plugin problem

Even on a HIPAA-compliant host, the form plugin used on a WordPress site is a separate compliance consideration.

Popular WordPress form plugins include Contact Form 7, Gravity Forms, WPForms, Ninja Forms, and Formidable Forms. These plugins handle the submission processing — they receive the form data, store it in the WordPress database, and often email it to a staff member.

The email component is particularly problematic: form plugins that email submissions to clinic staff are sending PHI through a standard email system, which may not be encrypted in transit or stored securely at the receiving end.

For PHI-collecting forms on a HIPAA-compliant WordPress host:

  • Use a form plugin that stores submissions only within the WordPress database (on the compliant host) rather than emailing them
  • If email notification is required, use a HIPAA-compliant email service for that notification
  • Consider a dedicated HIPAA-compliant form service (like Formstack Workspace) embedded in the WordPress site rather than a standard WordPress form plugin
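As an added example (not code from the original page or from any of the form plugin vendors), the following must-use plugin shows the first two bullets in practice: patient form submissions stay in the WordPress database on the covered host, and the e-mail that goes to staff becomes a PHI-free pointer to the entry instead of a copy of it. It assumes Gravity Forms (filter `gform_pre_send_email`) and Contact Form 7 (filter `wpcf7_skip_mail`); the form IDs, the `[phi]` title marker and the review URL are constructed placeholders.

```php
<?php
/**
 * Plugin Name: PHI Form Notification Guard (added example, not part of the original page)
 * Description: Keeps patient form submissions in the WordPress database and strips
 *              submission content from e-mail notifications so PHI does not leave the
 *              covered host through a standard mail system.
 *
 * Install as wp-content/mu-plugins/phi-form-notification-guard.php so it loads
 * before ordinary plugins. Assumes Gravity Forms and/or Contact Form 7.
 */

if (!defined('ABSPATH')) {
    exit; // Never run outside WordPress.
}

// Placeholder: IDs of the Gravity Forms that collect patient data.
// Replace with the clinic's real form IDs.
const PHI_GF_FORM_IDS = [3, 7];

/**
 * Gravity Forms: replace the notification body with a PHI-free pointer.
 * Submissions stay in the Gravity Forms entries table on the compliant host;
 * staff receive an alert that something arrived, not the content itself.
 */
add_filter('gform_pre_send_email', function ($email, $message_format, $notification, $entry) {
    $form_id = (int) rgar($entry, 'form_id');
    if (!in_array($form_id, PHI_GF_FORM_IDS, true)) {
        return $email; // Non-PHI forms keep their normal notification.
    }

    $entry_id = (int) rgar($entry, 'id');
    // Constructed admin link: carries only the form and entry identifiers.
    $review_url = admin_url('admin.php?page=gf_entries&view=entry&id=' . $form_id . '&lid=' . $entry_id);

    $email['subject']     = 'New patient form submission (review in admin)';
    $email['message']     = "A new submission was received on form {$form_id}.\n"
                          . "Review it in the WordPress admin: {$review_url}\n"
                          . "No submission content is included in this message.";
    $email['attachments'] = []; // Uploaded files never ride along in e-mail.
    return $email;
}, 10, 4);

/**
 * Contact Form 7: skip outgoing mail entirely for forms marked as PHI forms.
 * CF7 does not store submissions on its own; pair this with a database storage
 * add-on (for example Flamingo) or the submissions are silently lost.
 */
add_filter('wpcf7_skip_mail', function ($skip, $contact_form) {
    // Assumption: PHI forms are marked by including "[phi]" in the CF7 form title.
    if (is_object($contact_form) && stripos($contact_form->title(), '[phi]') !== false) {
        return true;
    }
    return $skip;
}, 10, 2);
```

The Gravity Forms branch is the safer pattern for clinics: staff still get a timely alert, but the only way to read the submission is to log in to the admin panel on the covered host, so the access controls and audit logging there apply to every view of the data.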

What a compliant WordPress healthcare site requires

For clinics committed to self-hosted WordPress with PHI-collecting features:

  1. A HIPAA-compliant managed WordPress hosting provider with a signed BAA covering hosting, database, and backups
  2. Form tools that are either HIPAA-covered directly or configured to route PHI only through covered services
  3. HTTPS enforced across the entire site (no HTTP mixed content)
  4. Access controls on the WordPress admin panel: unique credentials per admin user, multi-factor authentication, user roles scoped to least privilege
  5. Regular security updates applied to WordPress core, themes, and plugins (vulnerabilities in WordPress plugins are a significant attack surface)
  6. Audit logging at the server and application level with appropriate retention
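Items 4 and 6 of this list are the ones a clinic's own WordPress install has to implement. The following must-use plugin is an added example (not the page's or any vendor's code) of application-level audit logging for the admin panel: one JSON line per login, failed login, user creation or deletion, and role change, written through `error_log()` so the host's log pipeline can retain it. It records identifiers only, never form content. Retention, shipping, and HTTPS enforcement (`FORCE_SSL_ADMIN` in `wp-config.php`, shown in the header comment) are assumed to be handled by the host.

```php
<?php
/**
 * Plugin Name: Clinic Admin Audit Log (added example, not part of the original page)
 * Description: Writes one JSON line per security-relevant admin event so the
 *              server's log pipeline can retain and review it.
 *
 * Install as wp-content/mu-plugins/clinic-audit-log.php. Writes to the PHP error
 * log via error_log(); retention and shipping of that log are the host's job.
 * Pair with HTTPS enforcement in wp-config.php:
 *     define('FORCE_SSL_ADMIN', true);
 */

if (!defined('ABSPATH')) {
    exit; // Never run outside WordPress.
}

/**
 * Append one structured event line. Only identifiers are logged; submission
 * content (the PHI itself) must never appear in the audit trail.
 */
function clinic_audit_event(string $event, array $details = []): void
{
    $record = array_merge([
        'ts'    => gmdate('c'),
        'event' => $event,
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? '',
        'ua'    => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 200),
    ], $details);
    error_log('clinic-audit ' . wp_json_encode($record));
}

// Successful logins: who signed in, and with which roles.
add_action('wp_login', function ($user_login, $user) {
    clinic_audit_event('login_success', [
        'user'  => $user_login,
        'roles' => $user instanceof WP_User ? $user->roles : [],
    ]);
}, 10, 2);

// Failed logins: password-guessing against admin accounts shows up here.
add_action('wp_login_failed', function ($username) {
    clinic_audit_event('login_failed', ['user' => $username]);
});

// Role changes: a promotion to administrator is the event to alert on.
add_action('set_user_role', function ($user_id, $role, $old_roles) {
    clinic_audit_event('role_changed', [
        'target_user' => (int) $user_id,
        'new_role'    => $role,
        'old_roles'   => $old_roles,
        'by_user'     => get_current_user_id(),
    ]);
}, 10, 3);

// Account creation and deletion are part of the access-control record.
add_action('user_register', function ($user_id) {
    clinic_audit_event('user_created', ['target_user' => (int) $user_id, 'by_user' => get_current_user_id()]);
});
add_action('delete_user', function ($user_id) {
    clinic_audit_event('user_deleted', ['target_user' => (int) $user_id, 'by_user' => get_current_user_id()]);
});
```

Because each line is a single JSON object prefixed with `clinic-audit`, the host's log collector can filter and retain these events separately from ordinary PHP notices, and a reviewer can answer "who was given administrator access, when, and by whom" from the `role_changed` records alone.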

PHIGuard and the clinic’s internal compliance operations

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask before using this software with PHI

What is the difference between WordPress.com and self-hosted WordPress?

WordPress.com is a hosted blogging and website service run by Automattic. You sign up, Automattic hosts everything, and you have no control over the underlying server. Self-hosted WordPress means you download the WordPress software from WordPress.org and install it on a server — either your own hardware or a hosting provider like WP Engine, Kinsta, or a clinic's own server. These are fundamentally different arrangements for compliance purposes.

Does the hosting provider's HIPAA compliance cover WordPress plugins?

A HIPAA-compliant host provides a BAA for the hosting infrastructure — the server, storage, network, and related services. It does not automatically extend coverage to third-party WordPress plugins that process form submissions or store data. Each plugin that handles PHI must be assessed independently. Some form plugins (Gravity Forms with appropriate configuration, Formidable Forms) may have their own compliance considerations.

Can a clinic use a standard contact form on its website without a HIPAA BAA?

A general contact form that collects only name and email for non-health-related inquiries is not collecting PHI. A form that asks about symptoms, medications, health conditions, appointment types, or any health-related information is collecting PHI at the point of submission and requires a HIPAA-covered form tool on a HIPAA-compliant host.

What should a clinic look for in a HIPAA-compliant WordPress host?

A signed BAA, encryption at rest and in transit, access controls, audit logging, and a clear statement of what services are covered under the BAA. Ask specifically whether the BAA covers managed database services, email handling, and any CDN or caching layers in the hosting stack.

Operational assurance

Turn vendor research into a system your clinic can actually run.

PHIGuard gives small clinics a BAA-ready operating layer, recurring compliance work, and a safer home for patient-adjacent tasks.

  • BAA included: legal baseline available on every plan.
  • Audit history: compliance actions stay reviewable later.
  • No card upfront: start evaluation before billing setup.

No credit card required. Add billing details later if you want service to continue after the trial.