HOW TO: HIPAA Compliant Uploads in WordPress

March 13, 2019

Most hosting providers aren't HIPAA compliant by default. If you run a WordPress site that needs to process personal healthcare information (e.g. accepting uploads of healthcare documentation), this can be a major problem.

Thankfully, there's a simple enough workaround: Dropbox.

Integrating Dropbox with your site's submission form(s) lets uploads become HIPAA compliant regardless of the server you're on, because the file handling is offloaded to Dropbox.

Dropbox allows you to sign a BAA electronically from the Account page in the Admin Console. You'll need a Dropbox Business account in order to do so. If you don't have one, you can sign up for one here.

Once that agreement is in place, you'll still need to take care of a few administrative steps to ensure you're not in breach:

User sharing should be significantly limited so that only authorized users can access the data stored on the system. DropBox allows users to configure sharing permissions to ensure that there is no breach of the HIPAA Uses and Authorization standard.

Files should never be permanently deleted, which can be configured in DropBox administrative controls.

DropBox use should be monitored by an administrator for unauthorized access, even with proper sharing controls in place.

Source: Can You Make DropBox HIPAA Compliant? | Compliancy Group

With the agreement and those controls in place, you just need to finish the integration.

There are a number of ways to link your upload forms to Dropbox, but the quickest way I've found is with two free plugins. First, install Contact Form 7 if you're not already using it. Then install Contact Form 7 Dropbox.

Once both are configured and connected to your Dropbox account, you can accept HIPAA compliant uploads.
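To make the "offloading" concrete, here is an added example (not the Contact Form 7 Dropbox plugin's code) of a small must-use plugin that does the same job by hand: it hooks Contact Form 7's before-send-mail action, pushes each uploaded file to Dropbox over the files/upload API, and removes the local copy so no healthcare document lingers on the non-compliant web host. It assumes a Dropbox access token is defined as the hypothetical constant HIPAA_DROPBOX_TOKEN in wp-config.php.

```php
<?php
/*
 * Plugin Name: HIPAA Dropbox offload (added example, not the CF7 Dropbox plugin)
 * Assumes: define( 'HIPAA_DROPBOX_TOKEN', '...' ); in wp-config.php (hypothetical name).
 */

// Upload one local file to Dropbox. Returns true only on an HTTP 200 from Dropbox.
function hipaa_dropbox_upload( $local_path, $dropbox_path ) {
    $response = wp_remote_post( 'https://content.dropboxapi.com/2/files/upload', array(
        'timeout' => 60,
        'headers' => array(
            'Authorization'   => 'Bearer ' . HIPAA_DROPBOX_TOKEN,
            'Content-Type'    => 'application/octet-stream',
            'Dropbox-API-Arg' => wp_json_encode( array(
                'path'       => $dropbox_path,
                'mode'       => 'add',
                'autorename' => true, // never overwrite an earlier submission
                'mute'       => true,
            ) ),
        ),
        'body' => file_get_contents( $local_path ),
    ) );
    return ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response );
}

// Runs before CF7 sends the notification mail; $abort is passed by reference.
add_action( 'wpcf7_before_send_mail', function ( $contact_form, &$abort, $submission ) {
    $uploads = $submission->uploaded_files(); // field name => path or array of paths
    foreach ( $uploads as $field => $paths ) {
        foreach ( (array) $paths as $path ) {
            // Random prefix: the Dropbox path must not reveal the submitter's file name alone.
            $dest = '/form-uploads/' . gmdate( 'Y/m/d' ) . '/' . wp_generate_uuid4() . '-' . basename( $path );
            $ok   = hipaa_dropbox_upload( $path, $dest );

            // Whether or not the push succeeded, the web server must not keep the file.
            wp_delete_file( $path );

            if ( ! $ok ) {
                // Do not email the submission (and its attachment) from a non-compliant host.
                $abort = true;
                error_log( "hipaa-dropbox: upload of field '{$field}' failed; submission aborted" );
            }
        }
    }
}, 10, 3 );
```

Keep file-field tags out of the form's Mail "File Attachments" setting as well; otherwise CF7 will email the same document from the very server you are trying to keep it off.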