WooCommerce and HIPAA Security Rule

HIPAA Security Rule in WooCommerce: What you Need to Know About it

HIPAA Security Rule Guidelines & WooCommerce

Two of the most important rules an eCommerce platform must follow to achieve HIPAA (Health Insurance Portability and Accountability Act) compliance are the HIPAA Privacy Rule and Security Rule. As clients and patients move appointments, treatments and other health-related business online, covered entities and their business associates (vendors that create, receive, store or transmit protected health information on a covered entity's behalf) must protect the data submitted online, preserve its confidentiality, and avoid exposing it at any point during online operations.

In this article we elaborate on the Security Rule: what it covers, how it is enforced, and what compliance means for eCommerce platforms built on WordPress using WooCommerce.


What is the Security Rule Securing?

Many of us have signed up for a treatment online or ordered health-related supplies and had to fill out a registration form with personal details and information about our health. Information like that, when it relates to an identifiable person's health, care or payment for care, is protected health information (PHI). PHI that is created, stored, transmitted or received in electronic form (a web form, a database record, an e-mail) is electronic PHI, or ePHI; the same information on paper or exchanged verbally at a clinic is PHI but not ePHI.

The role of the Security Rule within HIPAA is to protect the confidentiality, integrity and availability of ePHI and to prevent breaches that could expose the individuals it describes. (e)PHI includes demographic identifiers (name, address, phone numbers), health and insurance details (social security number, medical record number, admission and discharge dates, diagnoses), and miscellaneous identifiers such as IP addresses, photographs, biometric data and account numbers.

What If HIPAA Compliance Fails?

The answer is the same as for breaking any other law. A company that chooses not to comply with the Security Rule (or any other HIPAA rule) will, first of all, probably lose the trust of its customers and with it its business. More importantly, it faces civil monetary penalties and possible criminal charges: the U.S. Department of Health & Human Services' (HHS) Office for Civil Rights (OCR) enforces HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act raised the penalty tiers and extended direct liability to business associates, and state attorneys general can also bring civil actions on behalf of affected residents.

Faced with that enforcement "cavalry", it is always better for a company to work towards full HIPAA compliance than to look for ways around it. Because the Security Rule applies to every covered entity and business associate that creates, receives, maintains or transmits ePHI, it covers companies that operate fully online, companies that run an eCommerce platform alongside an offline practice, and business associates that handle ePHI on behalf of other entities.

MOVING TOWARDS HIPAA INTEGRATION IN ECOMMERCE

Safeguards Used to Secure ePHI Under HIPAA Compliance

The Security Rule sets out safeguards that a company must implement to achieve compliance. They fall into three categories: administrative, physical and technical.

  • Administrative Safeguards: The central requirement here is a security risk analysis, performed not once but as an ongoing process. The analysis estimates how likely an exposure of ePHI is and what its impact would be, identifies and implements measures that reduce those risks to a reasonable level, and documents the measures chosen and the reasoning behind them. Administrative safeguards also cover workforce training, sanctions for policy violations, and a contingency plan for restoring ePHI after an outage or breach. The Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) publish a free Security Risk Assessment (SRA) Tool aimed at small and medium-sized healthcare practices and their business associates.
  • Physical Safeguards: These cover physical access to the facilities, workstations and devices that hold or reach ePHI: facility access controls such as alarms, locked server rooms and visitor logs; rules for how and where workstations that access ePHI may be used; and device and media controls that govern how storage media carrying ePHI are moved, re-used and disposed of (for example, wiping or destroying drives before they leave the organisation).
  • Technical Safeguards: These are the controls built into the systems themselves: access control (unique user IDs, automatic logoff, encryption), audit controls that record who accessed ePHI and when, integrity controls that detect improper alteration or destruction of data, person or entity authentication, and transmission security that protects ePHI moving over a network. In practice this translates to firewalls, TLS for data in transit and encryption for data at rest, centralised audit logging, and tested backups.

APPLICATION OF HIPAA SECURITY RULE IN WORDPRESS

Can the Security Rule be Fulfilled for WooCommerce?

The answer is "conditionally yes". Let's take a step back, though, and look at what WooCommerce actually is. WooCommerce is a plugin that turns a WordPress site into an eCommerce platform. Neither WordPress nor WooCommerce is HIPAA compliant out of the box: they do not implement the Security Rule's safeguards, so a healthcare store built on them is not compliant by default.

The underlying reason is that the vendors behind such a platform (hosting, plugins, payment and e-mail providers) generally neither implement the Security Rule nor sign business associate agreements, and an entity cannot be compliant while its business associates are not. That does not mean a healthcare-related store using WooCommerce cannot be made compliant. Meeting the Security Rule is a long process with some non-obvious steps and it demands constant vigilance, but it is achievable.

The first step towards a HIPAA eCommerce platform on WordPress and WooCommerce is the risk analysis called for by the administrative safeguards: inventory where ePHI could enter, flow and rest, run a vulnerability scan of the site and its hosting, and verify that core and plugin files match their published checksums. Every plugin should come from a trustworthy developer (ideally the WordPress or WooCommerce projects themselves or an established vendor), be kept up to date, and be removed when no longer needed, since each plugin runs with the full privileges of the site. A reputable security plugin (file integrity monitoring, login hardening, activity logging) adds a further layer.

Because WordPress and WooCommerce keep orders, customer data, logs and backups in a shared database that every plugin can read and that routinely ends up in exports, e-mails and backup copies, ePHI should never be written to the WordPress database at all. Instead it should be stored externally, in HIPAA-eligible storage from a provider that will sign a business associate agreement and meets the safeguards described above.

External storage means an integration: the WordPress front end collects the information from the customer, but the data is forwarded through an API to the external store and only an opaque reference is kept on the WordPress side. Access to that store should require encryption in transit and at rest, two-factor authentication, and strong, unique passwords. Finally, a business associate agreement must be signed with every vendor whose service creates, receives, stores or transmits ePHI on the platform owner's behalf: the hosting provider, the external storage provider, and any e-mail, payment or support service that touches the data.
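As an added illustration of that hand-off (this is example code written for this page, not code from the original article, WordPress or WooCommerce), the following minimal WooCommerce extension collects one ePHI field at checkout, sends it to an external store over TLS, and persists only an opaque reference on the order. The external store, its endpoint and JSON API, and the `PHI_STORE_API_KEY` environment variable are hypothetical assumptions; the WooCommerce hooks and WordPress HTTP functions are real.

```php
<?php
/*
 * Added example (not from the original article, WordPress or WooCommerce):
 * collect one ePHI field at checkout, hand it to an external, HIPAA-eligible
 * store over TLS, and persist only an opaque reference on the WooCommerce
 * order. The external service, its endpoint and JSON API, and the
 * PHI_STORE_API_KEY environment variable are hypothetical assumptions.
 */

// Hypothetical external store: accepts a JSON POST with a bearer token and
// answers 201 with {"reference": "<opaque id>"}.
const PHI_STORE_ENDPOINT = 'https://phi-store.example.internal/v1/records';

/**
 * Send $phi to the external store. Returns the opaque reference on success,
 * null on any failure. Nothing here ever writes the payload to disk or log.
 */
function phi_example_store_external( string $phi, string $subject_email ): ?string {
    $api_key = getenv( 'PHI_STORE_API_KEY' ); // secret lives in the environment, not in wp-config.php or the DB
    if ( ! $api_key ) {
        return null;
    }
    $response = wp_remote_post( PHI_STORE_ENDPOINT, array(
        'timeout'   => 10,
        'sslverify' => true, // never disable: TLS is the transmission-security safeguard
        'headers'   => array(
            'Authorization' => 'Bearer ' . $api_key,
            'Content-Type'  => 'application/json',
        ),
        'body'      => wp_json_encode( array( 'subject' => $subject_email, 'payload' => $phi ) ),
    ) );
    if ( is_wp_error( $response ) || 201 !== wp_remote_retrieve_response_code( $response ) ) {
        error_log( 'phi_example: external store request failed' ); // log the failure, never the payload
        return null;
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    // Accept only a well-formed identifier so nothing unexpected lands in order meta.
    if ( empty( $body['reference'] ) || ! preg_match( '/^[A-Za-z0-9_-]{16,128}$/', $body['reference'] ) ) {
        return null;
    }
    return $body['reference'];
}

// 1. Render the field on the checkout page. It is deliberately not registered
//    through the woocommerce_checkout_fields filter, so WooCommerce itself
//    never treats it as order data.
add_action( 'woocommerce_after_order_notes', function ( $checkout ) {
    woocommerce_form_field( 'phi_notes', array(
        'type'     => 'textarea',
        'label'    => 'Medical information relevant to this order',
        'required' => false,
    ), $checkout->get_value( 'phi_notes' ) );
} );

// 2. Before the order is written, divert the value and keep only the reference.
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
    $phi = isset( $_POST['phi_notes'] ) ? sanitize_textarea_field( wp_unslash( $_POST['phi_notes'] ) ) : '';
    if ( '' === $phi ) {
        return;
    }
    $reference = phi_example_store_external( $phi, (string) ( $data['billing_email'] ?? '' ) );
    if ( null === $reference ) {
        // Fail closed: WooCommerce turns this exception into a checkout error notice.
        // Never fall back to saving the ePHI in the WordPress database.
        throw new Exception( 'We could not store your medical information securely. Please try again.' );
    }
    $order->update_meta_data( '_phi_reference', $reference ); // opaque pointer only
}, 10, 2 );

// 3. In the admin order screen, show that a record exists, not its content.
add_action( 'woocommerce_admin_order_data_after_billing_address', function ( $order ) {
    $reference = $order->get_meta( '_phi_reference' );
    if ( $reference ) {
        echo '<p><strong>Medical record reference:</strong> ' . esc_html( $reference ) . '</p>';
    }
} );
```

Two caveats a practitioner should weigh. First, the raw value still passes through the WordPress host (the POST body, PHP memory, and any WAF or hosting-level request logging), so the hosting provider remains a business associate and needs a BAA; to keep ePHI off the WordPress server entirely, submit the field from the browser directly to the external store and send only the returned reference to WooCommerce. Second, the code fails closed on purpose: if the external store is unreachable the order is rejected rather than the data being kept locally "for now", because a temporary local copy is exactly how ePHI ends up in backups and exports.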