This week on the HIPAA Insider Show, we’re diving into HIPAA-compliant WordPress hosting, again! Whether you’re running a small healthcare blog, a growing medical practice, or a large enterprise managing patient data, your website must be HIPAA-compliant. But not all hosting is created equal.
We’ll break down the four tiers of HIPAA WordPress hosting, each designed to balance compliance, security, and performance for different needs. From fully managed solutions for small practices to enterprise-grade infrastructure with load balancing and auto-scaling, we’ll help you determine which level best suits your organization.
Stay tuned as we explore the security features, management levels, and capabilities of each plan—and how they help keep your website both secure and fast while meeting HIPAA regulations!
Transcript
Adam Zeineddine
Hello and welcome back to the HIPAA Insider show from HIPAA Vault, where we simplify HIPAA compliance and technology for businesses of all sizes. I’m Adam and with me, as always, is our HIPAA expert, Gil Vidals. Today we’re going to be talking about HIPAA compliant WordPress hosting. We touched on it in the past, but it’s something that every healthcare business with a website or application should care about.
Gil Vidals
Yeah, that’s right, Adam. If your website is collecting, storing or even just processing ePHI, that’s electronic protected health information, it has to be stored in a HIPAA compliant platform. So there’s really no exceptions to that. But of course, not all hosting solutions are the same. Today what we’re going to do is we’re going to go over three or four different tiers of HIPAA WordPress hosting so the business audience can listen and decide which one is right for them.
Adam Zeineddine
Yeah, no, absolutely. Let’s get into it. Before we break down the different tiers, Gil, let’s talk about why WordPress hosting needs to be HIPAA compliant and well, maybe we could start with when, in what case WordPress hosting needs to be HIPAA compliant and then why.
Gil Vidals
Yeah, that’s a great place to start, Adam. So WordPress out of the box, if you just install WordPress, it’s not going to be HIPAA compliant. And so you do need some expertise and you need a provider that will know how to secure it. So it’s not that WordPress is a bad product. I don’t want to give that impression. Just like in pretty much any application that you can get for a web server, that you buy or that you get open source, you have to do certain things to button it up. So it’s kind of like getting a house. Is your house secure? Well, it depends. Do you get an alarm system? Do you leave the windows open at night? Do you have all the security that you need for your home? So a home could be secure, but maybe it’s not.
Gil Vidals
It just really depends what you add to it. So I think that’s a good analogy for the audience to grasp. And there’s data encryption, there’s regular security monitoring and updates that have to be done. So you could have a poor example, a WordPress site that might start off secure, but no one’s maintaining the house. They’re not cleaning it regularly, they’re not updating it, they’re not adding the latest security patches. And so eventually it degrades so it’s no longer really secure or HIPAA compliant. Then there’s the business associate agreement. You have to make sure your hosting provider signs that, and you have the access controls and the audit log. So I think these are the major ones. But without these, even a simple patient contact form could put you at risk.
Gil Vidals
So if you have a weak plugin, let’s say you put a plugin on your site, Adam, that’s supposed to be collecting patient information, but it’s kind of a weak plugin, or God forbid you got a plugin that was written by some bad actor that you thought was a good plugin, and meanwhile you’re giving them all the information. So you have to proceed with caution.
Adam Zeineddine
Okay.
Gil Vidals
Yeah.
Adam Zeineddine
And I suppose it’s not just about security, it’s also about liability and staying compliant with HIPAA regulations.
Gil Vidals
Yeah, exactly. That’s why HIPAA compliant hosting providers offer different tiers to fit different needs.
Adam Zeineddine
Okay, so let’s talk about those tiers. We’ll start off appropriately with the first tier, fully managed HIPAA WordPress. Who’s this designed for and what’s included?
Gil Vidals
Okay, so fully managed is what you would expect. It’s the infrastructure, the WordPress core, the plugins, everything that makes up WordPress is locked down, all the patches are secure and it’s been pre-configured for HIPAA compliance. It’s really optimized more for security than for performance, and even the access controls are limited. So not just anyone can have administrative rights. Only certain people get administrative rights. And this would be ideal for medical practitioners, a small practice that really doesn’t need deep or frequent customization to their website. It’s more about a static website that maybe has a patient form, an intake form, or maybe they have some other application that runs once you configure it as static and you don’t have a lot of hands in the pot.
Adam Zeineddine
Okay, so if it’s just set it and forget it, then HIPAA WordPress, the tier one, is the way to go.
Gil Vidals
Yeah, that’s a good way to look at it. Set it and forget it. You’re not in there constantly making changes.
Adam Zeineddine
Okay, next up is the standalone HIPAA WordPress server, tier 2. How is this different and who’s it for?
Gil Vidals
Okay, so this one is different. The first one we talked about, I want to clarify, the infrastructure would be a multi-tenant infrastructure where you have multiple tenants on the same platform. And so that’s a key point to make. It’s still secure, but it’s locked down between tenants. But think about it like an apartment building where each tenant, each apartment resident, is secure. They all have their own locks, you know, those are secure, but they’re still in the same building. Okay, that’s what we’re talking about in this case, versus a standalone.
Adam Zeineddine
If there’s a fire, then everyone’s susceptible to it.
Gil Vidals
That’s true. Good point. If there’s a problem, that could affect everybody. But on the standalone version here, now think about little houses. Everybody has a little house, separate. You have to go across the street to get to the other guy’s house, or across the lawn. Each one is in their own house. And that’s called segregation. In the technical world, you’re segregated from everybody else. You’re not in a shared platform. And also you have more resources. So that would be for a higher scale operation. Not big in scope, but in scale, something more on the moderate, light side. You do have administrative level WordPress access. You’d have an optional VPN. You’d have a little bit more storage and you could support a couple of WordPress sites and even the WooCommerce e-commerce plugin.
Gil Vidals
And the security is good, it’s pretty tight, but you’re giving more leeway to the owner, to the tenant. They could go in there and touch things and they may misconfigure something. They could go in there and they could, for example, open up permissions more broadly and then go, oh, dinner time, and they go have dinner and they forget to close the permissions back when they were done. And so now they left the permissions wide open. Now that’s what happens when you have too many people going in there doing things. And of course the hosting provider would have tools to try to detect when security has been left open. But I think that describes the second tier, the standalone HIPAA WordPress server.
Adam Zeineddine
Yeah, I agree. One other thing to note is I’ve seen this one being compatible when the site, like you said, is not a huge site, it’s a medium site. But crucially it has some e-commerce components as well, which isn’t supported on the tier one. So for example, if there’s a medical equipment company that wants to sell certain pieces of equipment online and they’re, you know, getting set up and they want everything to be HIPAA compliant, then they often skip a tier and start with tier two.
Gil Vidals
Yeah. And I did want to emphasize, Adam, that this solution allows for more leniency and customization. So the site owner could have much more leeway in terms of adding plugins. Maybe they wrote a plugin, or maybe it’s an application they custom wrote or something. They have more leeway to add that. Whereas in the first one we talked about, they couldn’t add and they couldn’t change something that’s fundamental to WordPress core. They couldn’t really touch any of that.
Adam Zeineddine
Okay, so it’s for growing businesses that need more flexibility but still want fully managed and HIPAA compliant.
Gil Vidals
Yeah. Okay.
Adam Zeineddine
So now we’re getting into the higher performance tier with dedicated HIPAA WordPress servers. Now we talked about standalone being dedicated too, so how does this tier improve things? Who’s it for? What’s special about it?
Gil Vidals
So this one I’d like to kind of draw a mental picture. So we’re talking about a multi-dimensional scale. One dimension is security and compliance. The other dimension is flexibility to customize and do things that you want to do. The third one is load, being able to handle higher load. So you have these three different dimensions. And so this one here, tier three, which is a dedicated WordPress environment, you’re going to have multiple servers. Up until now we were talking about a single instance or a single server. Now we’re talking about multiple servers. So you have a web server, you have a database server, you have a web application firewall that sits in front of them to protect them. That scales better because the database server can handle more queries than when it’s combined with the web server.
Gil Vidals
The web server is now separate from the database server, and the PHI, the protected health information, is going to be on the database server. So if somebody hacks through into the web server, they haven’t got the golden eggs. Right? Those are over here in the database server. So by segregating the functionality of the servers, of the service, then you have a better security architecture. So from a security point of view it’s tighter. From a performance point of view it’s better, and I think it’s going to be more secure because of the architecture as well.
Adam Zeineddine
Yeah, it sounds like a more serious setup for organizations that are handling larger amounts of patient data and more complex applications.
Gil Vidals
Yeah, it is. And if you’re running a patient portal, telemedicine platform or high traffic healthcare site, you need this level of security and performance, I think.
Adam Zeineddine
Okay. And then finally, the most powerful option potentially is the custom tier four, load balanced and auto scaling WordPress. Who’s this designed for and what are the benefits? You know, load balancing, auto scaling.
Gil Vidals
Talk about that a bit. Yeah. So this level, now you’re at the highest level, which is the enterprise. This enterprise is, you know, making a lot of revenue and they have a lot of traffic. And this is considered more of what’s called a mission critical application. Contrast that to the first tier where, like, what if the site goes down? I mean, it’s brochure-ware. It’s important, don’t get me wrong, but it’s not stopping the medical practitioner from doing his work that day.
Adam Zeineddine
Yeah.
Gil Vidals
Whereas mission critical means if that thing’s not working, you’ve stopped making money. How is this done? Why is this enterprise? Well, you have load balancing. That means you have several different instances or servers that are all behind a load balancer. So some of the traffic will go to one server, some to the other, some to a third. You’re spreading the traffic across multiple servers. And you can auto scale. What does that mean? Auto scale means that, let’s say you have two web servers behind an auto scaler and then there’s a lot of traffic. You’re having a special sale or promotion, it’s a very busy day. This thing will launch more web servers. It goes from 2 to 10. You have 10 different servers, and then in the evening it shrinks back down. So that’s important.
Gil Vidals
And then you can have as many WordPress sites on this platform as you want. You can have three or four or 10. You can have 100 of them if you want. And you also have custom storage that has faster tiers of storage for what they call input/output operations, IOPS. And then you have full control. You’re the master of your ship here. You can captain that boat the way you want. Of course there’s some risk to that if you’re not sure what you’re doing. You still have the backup of the hosting provider to help you when you have questions about it. And this is built for large scale operations like hospital systems, insurance companies, or any other organization that needs maximum uptime and performance.
Adam Zeineddine
Okay, so we’ve covered the four tiers. And listeners and viewers, check out our plans. We’ve released them on our website, hipaavault.com, under HIPAA WordPress. They’re all available and the pricing is there. The custom tier, the final tier, you’ll have to reach out to us and we can discuss a little bit more, because, you know, it can range depending on what your use case is. But all the plans are there and there’s full transparency on the prices, so do check them out. And we’re also, Gil, I believe, running a special promotion this month as well on the monthly plans. Is that right?
Gil Vidals
Yeah, that’s right. If you sign up on the monthly plan, we have a code, SAVE99, S-A-V-E-9-9. If you type that in you can get a 99 discount for the first month.
Adam Zeineddine
Awesome.
Gil Vidals
Yeah.
Adam Zeineddine
And if you do check out the website, also while you’re doing that, give us a like, give us a subscribe, and if you have any questions reach out to us at hipaavault.com or podcast@hipaavault.com and we’ll be happy to go through any of the plans and see which one works. So thanks for joining us and thanks for stopping by.