No, WordPress is not HIPAA compliant out of the box, and it never claims to be. WordPress.org will not sign a business associate agreement, the software does not encrypt stored data, and it keeps no audit log. That does not mean you cannot run a medical practice on WordPress in 2026, it means the responsibility for compliance sits with your setup, not the software.
Here is the honest version. Only the parts of your site that actually touch patient information need to be HIPAA compliant. Most small practice websites are marketing brochures, and the simplest, cheapest, safest path is to keep protected health information off the WordPress site entirely. This guide shows you how to tell which situation you are in, and what to do about each one.
Contents
- Is WordPress HIPAA compliant out of the box?
- Does your website even need to be HIPAA compliant?
- What counts as PHI on a website?
- What it takes to make WordPress HIPAA compliant
- Which WordPress form plugins are HIPAA compliant?
- The hidden trap: Google Analytics and the Meta Pixel
- What is a BAA, and who has to sign one?
- The simpler path most practices should take
Is WordPress HIPAA Compliant Out of the Box?
No, a standard WordPress install is not HIPAA compliant. WordPress.org does not sign a business associate agreement, the core software does not encrypt data at rest, and it does not keep the audit log HIPAA requires. So WordPress as a download can never be HIPAA compliant on its own.
The important shift is this: WordPress the software is not the unit of compliance. Your whole environment is, the host, the forms, the email, the plugins, the trackers, and the people with access. WordPress can support a HIPAA-compliant site when every one of those pieces is configured and contracted correctly. The platform is not the problem, neglect and a missing BAA are.
Does Your Medical Website Even Need to Be HIPAA Compliant?
Your website only needs to be HIPAA compliant if it collects, stores, or displays protected health information. If your site is a brochure with a basic contact form that does not ask for medical detail, you likely do not need full HIPAA hosting at all. If it takes intake forms, appointment requests with symptoms, or runs a patient portal, then yes, it does. That single question decides everything else.
Run your site through this quick test.
- No PHI path: a marketing site, services pages, a phone number, and a contact form that asks only for a name and a reason to call. This usually does not need a HIPAA host, just strong security.
- PHI path: intake forms that capture conditions or insurance, appointment forms with medical detail, document uploads, or a logged-in portal. This needs HIPAA hosting, a BAA, and compliant forms.
- The grey zone: a generic contact form where patients type their symptoms anyway. People volunteer PHI even when you do not ask, so design the form to discourage it and never email submissions in plain text.
Most practices we work with sit in the first group, and the smartest move is to stay there on purpose. We cover the medical-specific side of this on our WordPress maintenance for medical practices page.
What Counts as PHI on a Website?
Protected health information is any health detail that can be tied to a specific person, and on a website it shows up in more places than most owners expect. A name next to a condition, an appointment request that mentions a symptom, an uploaded insurance card, or even an IP address linked to a page about a treatment can all count as PHI.
Common places PHI leaks into a WordPress site:
- Contact and intake forms where a patient describes why they are reaching out.
- Appointment booking that captures the reason for the visit.
- File uploads, like photos or insurance documents.
- Email notifications that carry form contents in plain text.
- Analytics and ad trackers that record which condition pages a visitor viewed, tied to their IP.
If none of these exist on your site, your compliance burden is small. If any of them do, that specific feature has to be handled the compliant way.
What Does It Take to Make WordPress HIPAA Compliant?
To make WordPress HIPAA compliant, you secure the whole stack and get a signed BAA from every vendor that can touch PHI. That means HIPAA hosting, compliant forms, enforced SSL, multi-factor logins, role-based access, audit logging, encrypted backups, and carefully vetted plugins. Miss one link and the chain is not compliant, no matter how good the rest is.
- HIPAA hosting with a BAA. Most popular hosts, including WP Engine, SiteGround, Bluehost, GoDaddy, and Kinsta, do not sign BAAs. HIPAA-specialist hosts like HIPAA Vault, Atlantic.Net, Liquid Web, and AWS configured properly do.
- Compliant forms with a BAA. Covered in the next section.
- Enforced SSL/TLS on every page, not just checkout.
- Multi-factor authentication and role-based access so only the right people reach the data.
- Audit logging that records who accessed what and when.
- Encrypted, off-site backups and a tested restore.
- Vetted, updated plugins, since a single abandoned plugin is the most common way any WordPress site gets breached.
A breach is also a HIPAA incident, with reporting duties and fines, so the security baseline here matters more than on a normal site. If you want the general version of that baseline, see our WordPress security guide.
Which WordPress Form Plugins Are HIPAA Compliant?
A WordPress form is HIPAA compliant only when the vendor signs a BAA and the data is encrypted in transit and at rest, which rules out most default form setups. Plain Contact Form 7 or WPForms emailing a submission in clear text is not compliant. The compliant options either come with a BAA or are built to run inside a compliant environment.
- JotForm HIPAA offers a HIPAA plan with a signed BAA and encrypted storage.
- Paubox provides HIPAA-compliant forms and email with a BAA.
- Hipaatizer wraps WordPress forms in a compliant pipeline.
- Formidable Forms and Gravity Forms can be part of a compliant setup when they run on HIPAA hosting and submissions are encrypted, not emailed in plain text.
- Not compliant by default: free Calendly, and any contact form that emails PHI in plain text. Calendly and similar tools can work only on a paid tier that includes a BAA.
We keep a working list of which form tools sign BAAs, and we cover the specifics on our healthcare maintenance page.
The Hidden Trap: Google Analytics and the Meta Pixel
The compliance mistake regulators care about most right now is not your form, it is your trackers. Federal health regulators have warned since 2022 that tools like Google Analytics and the Meta Pixel can transmit PHI when they run on pages tied to a person’s health, and that warning has driven a wave of enforcement and lawsuits against healthcare sites. A tracker that records a visit to a treatment page, with the visitor’s IP, can be a reportable disclosure.
What to do about it on a WordPress site:
- Audit every script loading on your health-related pages, most owners are shocked what is there.
- Keep standard Google Analytics and the Meta Pixel off pages that reveal a condition or treatment, or off the site entirely.
- If you need analytics, use a privacy-first or HIPAA-eligible setup with a BAA, configured to strip identifiers.
- Re-check after every marketing plugin install, since ad and chat plugins quietly add their own trackers.
This is the part almost no other guide covers, and it is the one most likely to cause a real problem in 2026.
What Is a BAA, and Who Has to Sign One?
A business associate agreement, or BAA, is a contract that makes a vendor legally responsible for protecting the PHI they can access. Under HIPAA, every third party that can touch patient data has to sign one, and a missing BAA is itself a violation even if no data ever leaks. It is paperwork, but it is the paperwork the rules are built on.
On a typical practice website, the vendors that may need a BAA include:
- Your web host.
- Your form or scheduling tool.
- Your email or SMTP provider.
- Your CDN, if it caches pages with PHI.
- Your analytics or tracking vendor, if it sees PHI.
- Your backup service.
- Your maintenance and support provider, anyone with login access.
That last one includes whoever maintains the site. We work within scope on the medical sites we support, and we are clear about what we do and do not touch.
The Simpler Path Most Practices Should Take
For most small practices, the smartest path is to keep PHI off the public WordPress site entirely, and link out to compliant tools for the parts that need it. Your marketing site stays a fast, secure brochure, and your booking or intake lives in a HIPAA-compliant scheduler that already has a BAA. You get a clean site and a much smaller compliance burden.
In practice that looks like a hardened WordPress brochure site on good hosting, with a Book Appointment button that opens a compliant scheduler, no symptom fields in your contact form, and no health-tied trackers. It is cheaper than full HIPAA hosting and far easier to keep compliant over time.
That is exactly the kind of setup we maintain and monitor on our WordPress care plans, and we run HIPAA-aligned maintenance for medical practices without ever hosting portals or records ourselves. See what WordPress maintenance costs if you want the numbers.
Is WordPress HIPAA compliant out of the box?
No. A standard WordPress install is not HIPAA compliant, because WordPress.org will not sign a business associate agreement, does not encrypt data at rest, and keeps no audit log. WordPress can support a compliant site only when the host, forms, plugins, and access are all configured and contracted correctly.
Does my medical practice website need to be HIPAA compliant?
Only if it collects, stores, or displays protected health information. A brochure site with a basic contact form that does not ask for medical detail usually does not need full HIPAA hosting. Intake forms, appointment requests with symptoms, or a patient portal do.
Is a WordPress contact form HIPAA compliant?
Not by default. A plain Contact Form 7 or WPForms setup that emails a submission in clear text is not compliant. You need a form vendor that signs a BAA and encrypts the data, like JotForm HIPAA or Paubox, or a form running inside a compliant environment.
Is Google Analytics HIPAA compliant on a medical site?
Standard Google Analytics is not. Federal regulators have warned since 2022 that trackers like Google Analytics and the Meta Pixel can transmit PHI on health-related pages, which has led to enforcement and lawsuits. Keep them off pages that reveal a condition, or use a HIPAA-eligible setup with a BAA.
What is a BAA and who needs to sign one?
A business associate agreement makes a vendor legally responsible for the PHI they can access. Every third party that can touch patient data needs one, including your host, form tool, email provider, backup service, and anyone with login access. A missing BAA is itself a HIPAA violation.
Can you make my practice’s WordPress site HIPAA-aligned?
Yes, within a clear scope. We harden and monitor the site, keep PHI off the public pages, audit your trackers and forms, and point booking to compliant tools. We do not host patient portals or medical records ourselves, and we are upfront about that line.
Want your practice site secure and compliant-aligned?
We harden medical practice websites, keep patient data off the public site, audit your forms and trackers, and monitor everything on a care plan. No portals, no records, just a clean and safe brochure site done right.
