What WordPress says officially
WordPress.org describes WordPress as open-source publishing software. The project supplies code; it is not the hosting provider for a self-hosted site and does not receive a subscription that includes a healthcare BAA. Its technical requirements place the software on a web host with PHP, a database, and HTTPS support.
The project’s privacy documentation emphasizes that every site is different. Themes, plugins, embedded media, analytics, contact forms, and other components may collect or share data. WordPress’s built-in privacy tools help site owners handle requests, but the documentation says those tools do not constitute a complete compliance process.
WordPress therefore has a conditional architecture verdict, not a plan-level verdict. The software can sit inside a protected system, but WordPress.org does not supply the hosting contract, BAA, operational safeguards, or review of third-party code needed for that system.
What this means for a medical practice
A WordPress form may write a response to the site’s database, send a copy through PHP mail, attach a file to an email, sync a CRM, enter a backup, and appear in a security log. Each step may involve a different company. The host is only one part of the chain.
Ongoing administration matters too. A site with an eligible host can still expose data through a vulnerable plugin, a shared administrator account, a public upload URL, an old backup, or an analytics script. Conversely, a minimal site that keeps PHI out entirely has a much smaller compliance surface.
This is why our HIPAAconscious medical website guidance starts with data flow rather than a platform badge. A medical practice also benefits from a disciplined healthcare website redesign that removes unused plugins and obsolete forms instead of carrying them forward.
How to use it safely
- Decide whether the website needs to receive PHI at all. Prefer an external reviewed patient system when it does not.
- Choose a hosting provider that will sign an appropriate BAA for the exact managed services in use.
- Use HTTPS, encrypted storage and backups, managed identities, multifactor authentication, least privilege, and audit logging.
- Install only necessary themes and plugins. Review who operates each one and where it sends or stores data.
- Keep PHI out of ordinary email notifications, analytics, error logs, URLs, and support tickets.
- Establish tested patching, backup, restoration, retention, and incident-response procedures.
- Trace a fictional form submission through the database, notifications, integrations, backups, exports, and deletion process.
Compliant alternatives
Wix offers a vendor-managed PHI-protection mode and BAA on named plans, reducing some infrastructure choices while still requiring app review. Jotform can keep protected intake out of WordPress when the practice needs forms but not a custom PHI-processing website stack.
Maintain a current component inventory and repeat the vendor and data-flow review after every hosting, theme, plugin, form, or integration change.
Bottom line
WordPress is software, not a healthcare contract. It can be used within a carefully designed protected environment only when the host, plugins, storage, email, backups, administrators, and ongoing maintenance meet the practice’s documented requirements.