If you’re looking to build a website for your business, one of the tools you’ll find right out of the gate is WordPress. It’s a powerful and popular content management system behind over 400 million websites.
You will also discover that WordPress takes some technical prowess to set up. And that’s why web hosting companies often build WordPress into their offerings.
WP Engine, as you might gather from their name, makes WordPress hosting their primary business. Today we’ll determine if it’s HIPAA compliant or not.
What is WP Engine?
Based in Austin, Texas, WP Engine is a web hosting company that specializes in WordPress websites. Founded in 2010, it now has over 90,000 customers in 140 countries, and offices in San Francisco, California; San Antonio, Texas; London, England; Limerick, Ireland; and Brisbane, Australia.
The company embraces open-source technology, using more than 30 open-source technologies in its operations in addition to WordPress itself.
Are WP Engine sites HIPAA compliant?
If you are looking to use WordPress to build and manage a website for your business, WP Engine seems like a smart choice. But if your business is a covered entity, like a medical clinic or doctor’s office, you must ensure all of your systems are HIPAA compliant, including your website.
And if you plan to use your website to help clients contact or submit information to you, you’ll likely be working with protected health information (PHI), making HIPAA compliance even more critical.
The WP Engine support library doesn’t have any entries that mention HIPAA. Although the company does provide information on the secure handling of payment information, the only mention of health information is in the company’s overarching Acceptable Use Policy. Under “Regulated and Sensitive Information,” WP Engine states:
You are not permitted to use or cause the Services to store or process sensitive or otherwise regulated health or financial information, including Protected Health Information (as that term is defined under HIPAA). […] You acknowledge and agree that we are not responsible for any liabilities arising from your violation of this restriction.
WP Engine makes clear that it does not want to handle health information, and that customers bear all responsibility should they violate HIPAA.
Although WP Engine is a solid web host for WordPress websites, it is not HIPAA compliant, and the company expressly forbids using its services for regulated health information.
Furthermore, as we’ve covered in other blog posts, WordPress itself is not HIPAA compliant either.