Are Gravity Forms and WordPress HIPAA Compliant?

Jan 30, 2019 | Gravity Forms, WordPress Wednesday

While WordPress itself is quite secure, collecting user information can cause concern. Is your WordPress website HIPAA Compliant? Should you be collecting sensitive data with Gravity Forms? What’s best practice? Kori Ashton shares her opinion and answers a question from a subscriber. Thanks for the question, Paul!

Full Transcript

Hey ya’ll, welcome to another WordPress Wednesday. My name is Kori Ashton from AskKori.com. Be sure to check out over 300 videos that I have here on my YouTube channel, and subscribe, because every Wednesday, I’m creating videos just like this to help you improve your online marketing inside the world of WordPress.

Today we have a question from British Columbia, which I’m super excited about. It’s all about security for WordPress, specifically speaking about like form fill-outs and information gathered on your website through Gravity forms. Let’s go take a look. So Paul writes in and says,

“I would like to use Gravity forms in the subscriber part of my website. I would like to create forms for my clients whereby they can download or print the pdf. The forms will be pre-built, waiting for the client to fill in the blanks. However, some of the blanks are private, and I’m concerned about security. Can Gravity, meaning Gravity forms, and WordPress, handle this without being a genius security person? Question mark.

So I absolutely love this, Paul, because so many of us are not security experts, right? But here’s what I will tell you. While WordPress itself, the core of WordPress, is extremely secure as long as we’re keeping everything up to date. I do get concerned about us collecting information and having it live in my sequel database, which is what WordPress actually houses and stores all of its content in, right?

So this is where you have to start thinking about HIPAA compliance and all sorts of legal issues, and even for your own company, if you’re a freelancer, if you’re an agency and you’re developing these websites for clients, you should become at least knowledgeable, maybe not a total expert when it comes to IT and security and firewalls and all that jazz, but you need to be educated, right? So thank you for asking this question.

I think a lot of my viewers out here are going to be interested in knowing the answer to this. So while you can be running something like Sucurri, which is an extra add-on or an extra security plugin on your website. This really is more for people trying to hack into your site, people trying to get that information. This is also for any type of issues with plugins that can create holes, if you will, and access points into your database. So it’s important that you do add extra security, even if you’re adding in an SSL to the site, right. With Let’s Encrypt for free, you can add an SSL to your site. All of these things are important extra steps to do. This gets you that lock up here, which turns to https. That’s great to have.

But ultimately are these things enough to deal with what Paul’s issue is here whenever we’re talking about actually gathering information and having it live somewhere that could be private. Maybe we’re talking social security number. Maybe we’re talking address even, my personal address to my home. Children’s names, children’s ages, our birth dates, all that type of information really could be used against us and we don’t wanna just have that out there.

So here’s what I suggest. Absolutely check with your hosting company, ’cause a lot of this can be handled server side. Ask them if they actually do have HIPAA compliant data centers, so Liquid Web is one of the ones in the industry of WordPress that I know for absolutely certain that they have HIPAA compliant data centers.

Super important that you step up your level of security if you’re going to be helping folks in the medical industry, legal industry, insurance, whatever industry might be collecting that information, right. Here’s what I like to suggest, so overall best practices. This is what we’ve done here at WebTegrity all through the years, is if I’m dealing with a client who needs to collect data like that, I really try to push back and say to them, is there something in your industry that already has a portal-like environment that allows us to gather that information completely HIPAA compliant securely, in a lock-down mode, where we can pass off the liability onto them, right?

So look at those things, especially in the medical industry, the insurance industry, and the legal industry. There’re already solutions out there that create those portals that allow people to fill out information, whether they’re applying for a loan, or they’re trying to sign up and talk to their doctor about their medical issues. All of these things can live inside of that environment. And what you can do on the WordPress side of things, is maybe just have a simple form fill where we’re gathering the most minimum amount of information for the lead, right. That’s all we really need.

And then, as we gather that lead, the next step would be to automatically send them over to that portal area, and allow them to fill out that kind of more concerning information or more private information in that environment.

While that might not be the absolute fix-it you were hoping for, Paul, I think that that’s best practices, unless you can absolutely talk again with your hosting company. Be certain that maybe they carry some sort of insurance, or they have this HIPAA compliance in place, and that becomes your safety net when it comes to anything for liability issues, right?

So I hope this helps you. I know there’s a lot to it when we’re thinking about being actually sure that we’re providing the right solution for our clients.

But every single week, I’m trying to help you improve and do that here on YouTube, and if you’re interested in growing more with your freelance business, as well as your small agency business, be sure to check out a link I’ll put in the description box below to join my Vimeo community where we are talking about this type of stuff consistently every month. Come be a part of that conversation. I’d love to see you over there in our live webinars. Have a great one. I’ll see ya’ll on the next WordPress Wednesday. And, Paul, thanks so much for the question. You’re amazing, bye ya’ll.