WordPress encryption for HIPAA compliance


I’m wondering to what extent encryption of parts of the WordPress database is possible. Any use of WordPress for medical/patient interaction will require any patient information to be encrypted (HIPAA compliance), and unfortunately I haven’t come across a solution in my search so far.

For example, a patient’s email address, physical address, name, time of appointment, messages (pretty much anything that could identify them) will need to be encrypted in the WordPress database. Then, when the user logs in, it would be decrypted and displayed. Is this possible?

I’ve come across the following on WordPress support:


Obviously an SSL certificate needs to also be in place, and while encryption won’t stop someone from eventually getting the data, it offers the site owner legal protection. Any advice would be appreciated! Thanks

  • David
    • Design Lord, Child of Thor

    Thanks Vinod, I’ve contacted the plugin author to see what sort of stage it is at and how it could potentially be adapted.

    Does anyone here already have some experience of working with this and could advise me of potential problems I might run into?



  • Vaughan
    • Support/SLS MockingJay

    Hi @david,

    I don’t have much experience of this, especially where WordPress is concerned, but keeping the private keys secure is the number 1 priority. It might take a hit on your loading time too, so the site might be a bit slower to load than without encryption, but that would be unavoidable due to the encrypting/decrypting process.

    You should also make sure that any caching is properly configured if you plan to use any cache, as that could inadvertently leave a cached page unencrypted in cache files etc.

    I can’t really say much else as I’m no expert on this level of security.

    Hope this helps
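
As an added example (not code from this thread or from any plugin mentioned in it), one way to do field-level encryption of a patient's data in WordPress while keeping the key out of the database and serving the decrypted page uncached: the key comes from a hypothetical `PHI_ENCRYPTION_KEY` constant in wp-config.php, values are protected with libsodium's authenticated secretbox (PHP 7.2+), and the meta key `phi_appointment` and page slug `my-appointments` are assumptions.

```php
// Added example, not from the thread. Assumes PHP >= 7.2 (bundled libsodium) and that
// wp-config.php defines a hypothetical constant: define('PHI_ENCRYPTION_KEY', 'base64:...');
// holding 32 random bytes, generated once and never written to the database.

function phi_key(): string {
    if (!defined('PHI_ENCRYPTION_KEY')) {
        throw new RuntimeException('PHI_ENCRYPTION_KEY is not defined in wp-config.php');
    }
    $key = base64_decode(substr(PHI_ENCRYPTION_KEY, strlen('base64:')), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('PHI_ENCRYPTION_KEY must be base64 of 32 random bytes');
    }
    return $key;
}

// Encrypt one field value: a fresh random nonce per value, stored in front of the ciphertext.
function phi_encrypt(string $plaintext): string {
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, phi_key());
    return 'v1:' . base64_encode($nonce . $cipher);
}

// Decrypt; returns null (never garbage) when the stored row was tampered with or the key is wrong.
function phi_decrypt(string $stored): ?string {
    if (strpos($stored, 'v1:') !== 0) { return null; }
    $raw = base64_decode(substr($stored, 3), true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) { return null; }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, phi_key());
    return $plain === false ? null : $plain;
}

// Store and read a PHI field as encrypted user meta (hypothetical meta key 'phi_appointment').
function phi_save_appointment(int $user_id, string $appointment): void {
    update_user_meta($user_id, 'phi_appointment', phi_encrypt($appointment));
}
function phi_load_appointment(int $user_id): ?string {
    $stored = get_user_meta($user_id, 'phi_appointment', true);
    return (is_string($stored) && $stored !== '') ? phi_decrypt($stored) : null;
}

// A page that renders decrypted PHI must not be cached, by WordPress or by a page-cache plugin.
add_action('template_redirect', function () {
    if (is_user_logged_in() && is_page('my-appointments')) {   // hypothetical page slug
        nocache_headers();
    }
});
```

With the key in wp-config.php, a dump of the database alone does not reveal the fields, but anyone who can read the web server's files or run PHP on it can still decrypt them, which is the limitation the thread itself points out.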

  • Imperative Ideas
    • HummingBird

    I love WordPress. It’s the ultimate rapid prototyping platform for web apps in today’s market.

    I would never, ever put something HIPAA related on it. I would grab the data from an API after establishing a dual authentication. Typically you’d pull the data in as JSON or something, display it on a nocache page, and force a refresh after 15 minutes, or on a back press (like a bank uses) in order to verify continued authentication.

    You sure as hell wouldn’t want to take legal responsibility for patient data stored on an inherently insecure medium.

  • David
    • Design Lord, Child of Thor

    @Imperative Ideas,

    Yes, I think I’ve come to the same conclusion, the risk is far greater than the reward. A data breach would pretty much destroy a public image, not to mention the money that would have to be spent on the required press releases.

    I do however think that it is an area of WordPress that could be monetized. For example, the Appointments+ plugin cannot be used for any medical use involving clients booking, unless encryption is used in the database. Their names, appointment times and who they have the appointment with are HIPAA data and a breach falls under the law. If you do a risk analysis and opt for no encryption of stored data, you have to pray that those investigating a breach come to the same conclusion you did…that’s unfortunately what brought me to the same conclusion as you.

    Thanks @Jack Kitterhing and @vaughan for your input and help. I appreciate it.
