Implementing HIPAA-Compliant Login

Publication Date: 2024-12-22
Author: Admin


Category: Tutorials
Tags: Tutorials, HIPAA, Compliance, Security, Pro Version

Pro Required | Advanced | 60-90 minutes

Overview

Healthcare organizations handling Protected Health Information (PHI) must comply with HIPAA security requirements. This tutorial guides you through implementing HIPAA-compliant authentication, access controls, audit logging, and security measures required for handling electronic PHI (ePHI) in WordPress.

Important Disclaimer: While this tutorial helps implement technical safeguards required by HIPAA, full compliance requires organizational policies, business associate agreements, risk assessments, and ongoing security monitoring. Consult with HIPAA compliance experts for complete guidance.

HIPAA Requirements You’ll Address

    • Unique user identification (§164.312(a)(2)(i))
    • Emergency access procedures (§164.312(a)(2)(ii))
    • Automatic logoff (§164.312(a)(2)(iii))
    • Encryption and decryption (§164.312(a)(2)(iv))
    • Audit controls (§164.312(b))
    • Person or entity authentication (§164.312(d))

Step 1: Configure Strong Authentication

Meet HIPAA’s person authentication requirements.

Password Policy Configuration

Navigate to Settings > Attributes Access > Security > Password Policies.

HIPAA itself does not prescribe password length, complexity or rotation; the values below are a defensible baseline that auditors generally accept. Current NIST guidance (SP 800-63B) favours long passwords screened against breached-password lists over forced periodic rotation, so if your risk assessment adopts that model instead of the 90-day expiry, record the rationale.

Password Requirements:

Minimum Length: 12 characters
Complexity Requirements:
  ✓ Uppercase letters (A-Z)
  ✓ Lowercase letters (a-z)
  ✓ Numbers (0-9)
  ✓ Special characters (!@#$%^&*)
  ✓ Block common passwords
  ✓ Block dictionary words
Password Expiration: 90 days maximum
Password History: Prevent reuse of last 10
Failed Login Lockout: 5 attempts = 30 min lockout (key the lockout by account, not only by source IP, and return the same generic error for a locked account, an unknown account and a wrong password so the login form does not leak which accounts exist)
Apply to: All roles accessing ePHI
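The policy above, modelled as runnable Python so the rules can be tested outside WordPress. This is an added example, not the plugin's code: the PBKDF2 history hashing, the in-memory lockout store and the small blocklist are assumptions made for the illustration; a real deployment loads a large breached-password list.

```python
"""Password-policy validation and failed-login lockout.

Added example modelling the tutorial's settings in plain Python; it is not the
plugin's code and runs without WordPress. The hashing scheme, the in-memory
lockout store and the blocklist are assumptions made for the illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Values taken from the tutorial's password policy.
MIN_LENGTH = 12
HISTORY_SIZE = 10
MAX_FAILURES = 5
LOCKOUT_SECONDS = 30 * 60
SPECIALS = set("!@#$%^&*")
# Constructed blocklist; a deployment loads a large breached-password list.
BLOCKED_WORDS = {"password", "welcome1", "hospital", "letmein"}


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; history is kept as salted hashes, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember_password(history: list[tuple[bytes, bytes]], password: str) -> list[tuple[bytes, bytes]]:
    """Prepend the new password's (salt, hash) and keep only the last HISTORY_SIZE."""
    salt = os.urandom(16)
    return [(salt, _hash(password, salt))] + history[: HISTORY_SIZE - 1]


def validate_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    if any(word in lowered for word in BLOCKED_WORDS):
        problems.append("contains a blocked common word")
    # Reuse check: each stored hash is recomputed with its own salt.
    for salt, digest in history[:HISTORY_SIZE]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
            break
    return problems


class LoginThrottle:
    """Per-account lockout: MAX_FAILURES within LOCKOUT_SECONDS locks the account.

    Keyed by account rather than source IP, so an attacker cannot sidestep it by
    rotating addresses. The login form must return the same generic error for a
    locked account, an unknown account and a wrong password.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures: dict[str, list[float]] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._locked_until.get(username, 0.0)

    def record_failure(self, username: str) -> bool:
        """Record a failed attempt; True if this attempt triggered a lockout."""
        now = self._clock()
        recent = [t for t in self._failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return True
        self._failures[username] = recent
        return False

    def record_success(self, username: str) -> None:
        """A successful login clears the failure window (but not an active lockout)."""
        self._failures.pop(username, None)
```

Check `is_locked()` before verifying the password, and call `record_failure()` for any failed attempt, including attempts against accounts that do not exist, so timing and error text stay identical.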

Two-Factor Authentication (Required)

Navigate to Settings > Attributes Access > Security > 2FA.

2FA Configuration:
  ✓ Enable 2FA (required for every role that touches ePHI)
Require for roles: All users accessing ePHI
Methods: Authenticator App (Google Authenticator, Authy)
Email 2FA: Secondary option only (an attacker who already holds the user's password often holds the mailbox as well)
Grace Period: 24 hours maximum (verify that a user who has not enrolled by the end of the grace period loses access to ePHI pages rather than being silently exempted)
Backup Codes: Required (10 codes, each usable once; store only their hashes)
Remember Device: 30 days maximum (a remembered device skips the second factor, so disable this on shared workstations and kiosks)

Emergency Access Codes:
  ✓ Generate emergency administrator codes
  Store securely offline
  Document in emergency access procedure
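What the authenticator-app and backup-code settings above rely on, as an added example that is not the plugin's code: RFC 6238 TOTP over HMAC-SHA1 (the scheme Google Authenticator and Authy implement), with a replay guard that accepts each 30-second window at most once, and single-use backup codes of which only hashes are stored. The per-user `SecondFactor` record is an assumption for the illustration; the test vectors are the published RFC 4226/6238 ones.

```python
"""TOTP verification with replay protection, plus single-use backup codes.

Added example, not the plugin's code. RFC 6238 TOTP over HMAC-SHA1 is what
authenticator apps implement; the in-memory per-user record is an assumption.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

STEP = 30          # seconds per TOTP window
DIGITS = 6
SKEW = 1           # accept one window either side for clock drift
BACKUP_CODES = 10  # tutorial setting


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the time window containing `at` (unix seconds)."""
    return hotp(key, at // step)


class SecondFactor:
    """Per-user second-factor state: TOTP secret, last accepted window, hashed backup codes."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_window = -1            # highest window already accepted (replay guard)
        self.backup_hashes: set[str] = set()

    def verify_totp(self, code: str, now: int | None = None) -> bool:
        """Accept a code for the current window +/- SKEW, never the same window twice."""
        code = code.strip()
        if not code.isdigit():
            return False
        now = int(time.time()) if now is None else now
        window = now // STEP
        for candidate in range(window - SKEW, window + SKEW + 1):
            if candidate <= self.last_window:
                continue  # a window that already authenticated cannot be replayed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_window = candidate
                return True
        return False

    def issue_backup_codes(self) -> list[str]:
        """Generate BACKUP_CODES single-use codes; only their hashes are retained."""
        codes = [secrets.token_hex(5) for _ in range(BACKUP_CODES)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes  # shown to the user once; not recoverable afterwards

    def verify_backup_code(self, code: str) -> bool:
        """Consume a backup code: valid once, then removed."""
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)
            return True
        return False
```

The replay guard matters because a 30-second window is long enough for a phished code to be reused; storing the last accepted window per user closes that gap. Backup codes are compared by hash so a database read does not hand out working second factors.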

Step 2: Implement Access Controls

Enforce role-based access to ePHI.

Role Definition for Healthcare Setting

Healthcare Roles:

Physician:
  ✓ Access all patient records
  ✓ Create/modify medical records
  ✓ Prescribe medications
  ✓ View audit logs for own actions

Nurse:
  ✓ Access assigned patient records
  ✓ Update patient charts
  ✓ View treatment plans
  ✗ Cannot delete records

Medical Assistant:
  ✓ Access basic patient info
  ✓ Schedule appointments
  ✓ Update demographics
  ✗ Cannot access medical records

Billing Staff:
  ✓ Access billing information only
  ✓ View insurance details
  ✓ Submit claims
  ✗ Cannot access medical records

Administrator:
  ✓ User management
  ✓ View all audit logs
  ✓ Security settings
  ✗ Cannot access patient records (unless also holding a medical role)

Keep the WordPress site administrator separate from clinical roles: an administrator can bypass page-level restrictions through plugin installation, exports and direct database access, so that role belongs to a small number of named staff, not to clinicians' day-to-day accounts.

Page-Level Access Controls

Patient Record Pages:

[attributes_restrict roles="physician,nurse" require_2fa="yes"]
  <div class="patient-record phi-content">
    <div class="hipaa-notice">
      ⚠️ Protected Health Information - Authorized Access Only
    </div>
    <h2>Patient: [patient_name]</h2>
    <p>MRN: [medical_record_number]</p>
    [patient_medical_history]
    [patient_medications]
    [patient_treatment_plan]
  </div>
[/attributes_restrict]

Restricting the rendered page is not enough on its own. The same post content can be readable through the REST API (/wp-json/wp/v2/...), RSS feeds, search results, revisions and exports, none of which run the shortcode; confirm each of those paths is closed for ePHI posts.

Step 3: Configure Automatic Logoff

Meet HIPAA’s automatic logoff requirement.

Session Management

Navigate to Settings > Attributes Access > Security > Session.

HIPAA Session Settings:

Idle Timeout: 15 minutes (recommended for ePHI)
Maximum Session Length: 8 hours (absolute; activity does not extend it)
Concurrent Sessions: 1 per user
Force Logout on Browser Close: Yes
Display Warning Before Timeout: Yes (2 minutes warning)

Timeout Behavior:
  • Auto-save unsaved work (auto-saved drafts can contain ePHI and must sit under the same access controls)
  • Log session termination reason
  • Require re-authentication
  • Clear session data completely

"Force logout on browser close" only makes the cookie a session cookie, and browsers that restore tabs on restart keep session cookies, so the server-side idle and absolute timeouts are the controls that actually satisfy §164.312(a)(2)(iii). Make sure the timeout-warning dialog reads session state without extending it; a keep-alive ping that counts as activity defeats the idle timeout.
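The session rules above as a small server-side model, added here as an example (not the plugin's code) to show how the idle timeout, the absolute lifetime, the two-minute warning and the one-session-per-user rule interact. Times are passed in explicitly as seconds so the behaviour can be checked deterministically; the in-memory store and audit list are assumptions.

```python
"""Session timeout model for the tutorial's session settings.

Added example, not the plugin's code: idle timeout, absolute session lifetime,
pre-timeout warning and single-session enforcement, with terminations audited.
"""
from __future__ import annotations

import secrets

IDLE_TIMEOUT = 15 * 60      # tutorial value for ePHI
MAX_SESSION = 8 * 60 * 60   # absolute lifetime, regardless of activity
WARN_BEFORE = 2 * 60        # show the warning this long before idle logout


class Session:
    def __init__(self, user: str, now: float):
        self.id = secrets.token_hex(16)   # unguessable identifier
        self.user = user
        self.created = now
        self.last_activity = now

    def state(self, now: float) -> str:
        """'active', 'warn', 'expired:idle' or 'expired:absolute'.

        The absolute limit is checked first so that activity can never extend a
        session past it. Reading the state does not count as activity."""
        if now - self.created >= MAX_SESSION:
            return "expired:absolute"
        idle = now - self.last_activity
        if idle >= IDLE_TIMEOUT:
            return "expired:idle"
        if idle >= IDLE_TIMEOUT - WARN_BEFORE:
            return "warn"
        return "active"


class SessionStore:
    """Server-side session table: one live session per user, every termination logged."""

    def __init__(self) -> None:
        self._by_id: dict[str, Session] = {}
        self.audit: list[dict] = []

    def login(self, user: str, now: float) -> Session:
        # Concurrent sessions = 1: a new login terminates the user's older session.
        for old in [s for s in self._by_id.values() if s.user == user]:
            self._terminate(old, "replaced_by_new_login", now)
        session = Session(user, now)
        self._by_id[session.id] = session
        self.audit.append({"event": "session_start", "user": user, "time": now})
        return session

    def resolve(self, session_id: str, now: float) -> Session | None:
        """Look up the session for a real request (not for the warning dialog).

        Expired sessions are terminated and None is returned, so the caller
        must send the user back through authentication."""
        session = self._by_id.get(session_id)
        if session is None:
            return None
        state = session.state(now)
        if state.startswith("expired"):
            self._terminate(session, state, now)
            return None
        session.last_activity = now   # genuine activity extends the idle timer
        return session

    def logout(self, session_id: str, now: float) -> None:
        session = self._by_id.get(session_id)
        if session is not None:
            self._terminate(session, "user_logout", now)

    def _terminate(self, session: Session, reason: str, now: float) -> None:
        del self._by_id[session.id]   # clear server-side state completely
        self.audit.append({"event": "session_end", "user": session.user,
                           "reason": reason, "time": now})
```

The warning dialog should call `state()` only; if it went through `resolve()` every request would reset the idle clock and the 15-minute limit would never fire for an unattended workstation.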

Step 4: Enable Comprehensive Audit Logging

Meet HIPAA’s audit control requirements.

Audit Log Configuration

Navigate to Settings > Attributes Access > Audit Log.

HIPAA-Compliant Audit Logging:
  ✓ Enable Comprehensive Logging
Log Retention: 6 years (the §164.316(b)(2) documentation retention period, applied to audit records)
Storage: Encrypted database + offsite backup

Events to Log:
  ✓ Login/logout attempts (successful and failed)
  ✓ User authentication (including 2FA)
  ✓ Access to ePHI (page views, record access)
  ✓ Record modifications (create, read, update, delete)
  ✓ User account changes (role modifications)
  ✓ Security settings changes
  ✓ Password changes
  ✓ Export/download of ePHI
  ✓ Emergency access procedure usage
  ✓ Audit log access

The audit-control standard (§164.312(b)) does not enumerate events; this list is what a reviewer needs to reconstruct who touched which record, when and from where.

Log Entry Details:
  • User ID and name
  • Date and time (synchronized with NTP, recorded in UTC)
  • Action performed
  • Resource accessed
  • IP address (the real client address, not the reverse proxy's)
  • Success/failure status
  • Device information

Audit Log Access Control

Audit Log Permissions:

View Logs: Privacy Officer, Security Officer, Administrator
Export Logs: Privacy Officer only
Modify Logs: Nobody (read-only)
Alert on: Failed access attempts, unusual patterns

Read-only in the plugin is not tamper-proof: anyone with database or backup access can still edit or delete rows. Ship entries to a separate log system the web tier can only append to, or chain and anchor them so that any modification is detectable.
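Two things the audit-log sections above ask for but do not show: a way to make stored entries tamper-evident, and the weekly review pass over them. The added example below (not the plugin's code) hash-chains each entry to the previous one, so an edit, insertion or deletion in the middle breaks verification, and checks the final hash against a copy recorded off-box to catch truncation; `review()` implements three of the tutorial's alert rules. The events in `sample_log()` are constructed, using documentation IP ranges and fictitious users.

```python
"""Tamper-evident audit log with a review pass.

Added example, not the plugin's code. Each entry stores the SHA-256 of the
previous entry; the head hash can be recorded elsewhere to catch truncation.
Events in sample_log() are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = 30 * 60


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so every verifier hashes identical bytes.
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_entry(log: list[dict], event: dict) -> dict:
    """Append an event, linking it to the previous entry's hash."""
    entry = dict(event)
    entry["prev"] = log[-1]["hash"] if log else GENESIS
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: list[dict], expected_head: str | None = None) -> int | None:
    """Return None if the log is intact, otherwise the index of the first bad entry.

    With expected_head (the last hash recorded off-box), a log that was truncated
    or rebuilt from scratch is reported at index len(log)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev") != prev or entry.get("hash") != _digest(entry):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def review(log: list[dict]) -> list[tuple[str, str, str]]:
    """Weekly-review rules from the tutorial, as (finding, user, ip) tuples."""
    findings: list[tuple[str, str, str]] = []
    failures: dict[str, list[int]] = defaultdict(list)
    for e in log:
        if e["event"] == "login_failed":
            window = [t for t in failures[e["user"]] if e["time"] - t < FAILED_LOGIN_WINDOW]
            window.append(e["time"])
            failures[e["user"]] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:   # report once per burst
                findings.append(("failed_login_burst", e["user"], e["ip"]))
        elif e["event"] == "login_ok" and e["user"] == "emergency_access":
            findings.append(("emergency_access_used", e["user"], e["ip"]))
        elif e["event"] == "audit_export":
            findings.append(("audit_log_exported", e["user"], e["ip"]))
    return findings


def sample_log() -> list[dict]:
    """Constructed sample events (documentation IP ranges, fictitious users)."""
    log: list[dict] = []
    t0 = 1_700_000_000
    for i in range(5):
        append_entry(log, {"time": t0 + 60 * i, "event": "login_failed",
                           "user": "drsmith", "ip": "198.51.100.77"})
    append_entry(log, {"time": t0 + 600, "event": "login_ok",
                       "user": "nurse_lee", "ip": "203.0.113.10"})
    append_entry(log, {"time": t0 + 700, "event": "phi_access", "user": "nurse_lee",
                       "ip": "203.0.113.10", "resource": "MRN-000123"})
    append_entry(log, {"time": t0 + 900, "event": "login_ok",
                       "user": "emergency_access", "ip": "203.0.113.12"})
    append_entry(log, {"time": t0 + 1000, "event": "audit_export",
                       "user": "privacy_officer", "ip": "203.0.113.5"})
    return log
```

The chain alone does not detect someone deleting the newest entries, which is why `verify_chain()` takes an `expected_head`: copy the latest hash to the offsite backup or a write-once store on each export, and compare against it at review time.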

Step 5: Implement Encryption

Ensure data encryption requirements.

HTTPS/SSL Configuration

Requirement        Implementation
HTTPS              TLS 1.2 or newer required on all pages (prefer TLS 1.3; disable TLS 1.0 and 1.1)
SSL certificate    Valid certificate from a public CA; not self-signed
Secure cookies     HttpOnly and Secure flags set; SameSite=Lax or Strict
Data at rest       Database and backup encryption enabled

Enforce HTTPS

Add to wp-config.php, before the line that requires wp-settings.php:

// Force HTTPS for the dashboard and login.
define('FORCE_SSL_ADMIN', true);

// Behind a load balancer or reverse proxy that terminates TLS, PHP sees a plain
// HTTP request. Honour X-Forwarded-Proto only if the proxy overwrites any copy
// of the header sent by the client; otherwise a client can spoof it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// WordPress's own auth cookies are HttpOnly by default and receive the Secure
// flag once is_ssl() is true, which the block above ensures. These settings
// only harden code that uses native PHP sessions.
@ini_set('session.cookie_httponly', '1');
@ini_set('session.cookie_secure', '1');
@ini_set('session.use_only_cookies', '1');

Redirect HTTP to HTTPS and send a Strict-Transport-Security header at the web server or proxy rather than relying on the application alone, and confirm is_ssl() returns true on a proxied request before enabling FORCE_SSL_ADMIN, or the dashboard will redirect in a loop.

Step 6: Configure IP-Based Access Control

Restrict access to authorized locations.

IP Whitelisting for Healthcare Facilities

Navigate to Settings > Attributes Access > Security > IP Management.

Facility IP Whitelist:

Main Hospital: 203.0.113.0/24
Clinic A: 198.51.100.0/24
Clinic B: 192.0.2.0/24
VPN Endpoint: 203.0.113.254

Remote Access Policy:
  ✓ Require VPN for remote access
  ✓ Require 2FA for non-facility IPs (Step 1 already requires 2FA for every ePHI role; this keeps the remember-device and grace-period exemptions from applying to connections that do not originate in a facility)
  ✓ Log all non-facility access attempts
  ✓ Alert security officer on suspicious access

An IP allowlist is only as good as the address it checks. Behind a load balancer or CDN the address WordPress sees is the proxy's; derive the client address from X-Forwarded-For only when the request arrives from a proxy you control, and ignore the header otherwise, or a remote client can claim a facility address. The VPN endpoint above lies inside the Main Hospital range, so evaluate it before the /24 if VPN and on-site users get different treatment.
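The page-level restriction from Step 2 ([attributes_restrict roles="physician,nurse" require_2fa="yes"]), the role table and the IP policy above all feed one per-request decision. The added example below (not the plugin's shortcode implementation) makes that decision explicit: trusted client-address extraction, facility/VPN/external classification, role and capability checks, and the rule that a remembered device may skip the second factor only inside a facility. `TRUSTED_PROXIES`, the `Request` fields and the capability names are assumptions about the deployment.

```python
"""Page-level access decision: role restriction + 2FA requirement + facility IP policy.

Added example, not the plugin's shortcode implementation. TRUSTED_PROXIES, the
Request fields and the capability names are assumptions about the deployment.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ranges from the tutorial (RFC 5737 documentation prefixes).
VPN_ENDPOINT = ipaddress.ip_address("203.0.113.254")
FACILITY_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # Main Hospital
    ipaddress.ip_network("198.51.100.0/24"),  # Clinic A
    ipaddress.ip_network("192.0.2.0/24"),     # Clinic B
]
# Assumption: addresses of the load balancer / reverse proxy in front of WordPress.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Capabilities per role, following the role table in Step 2.
ROLE_CAPABILITIES = {
    "physician": {"phi:read", "phi:write", "prescribe", "audit:own"},
    "nurse": {"phi:read", "phi:write"},
    "medical_assistant": {"demographics:read", "demographics:write", "schedule"},
    "billing": {"billing:read", "claims:submit"},
    "administrator": {"users:manage", "audit:read", "settings:manage"},
}


@dataclass
class Request:
    user: str
    roles: set[str]
    ip: str                           # client address as returned by client_ip()
    mfa_fresh: bool                   # second factor completed in this session
    remembered_device: bool = False   # "remember device" cookie still valid


@dataclass
class Decision:
    allowed: bool
    reason: str
    location: str


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: str | None) -> str:
    """Pick the client address the policy may trust.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy;
    otherwise everything in the header was written by the client. Walking from
    the right, the first hop that is not a trusted proxy is the client."""
    if not x_forwarded_for or not _trusted(ipaddress.ip_address(remote_addr)):
        return remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            if not _trusted(ipaddress.ip_address(hop)):
                return hop
        except ValueError:
            return hop   # malformed hop is passed on; classify_ip() fails it closed
    return remote_addr


def classify_ip(ip: str) -> str:
    """'vpn', 'facility' or 'external'; unparsable input fails closed as 'external'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "external"
    if addr == VPN_ENDPOINT:   # checked first: the endpoint sits inside the hospital /24
        return "vpn"
    if any(addr in net for net in FACILITY_NETWORKS):
        return "facility"
    return "external"


def authorize(req: Request, capability: str, allowed_roles: set[str],
              require_2fa: bool = True) -> Decision:
    """Decide whether this request may render a restricted page."""
    location = classify_ip(req.ip)
    if not req.roles & allowed_roles:
        return Decision(False, "role not permitted on this page", location)
    if not any(capability in ROLE_CAPABILITIES.get(r, set()) for r in req.roles):
        return Decision(False, f"role lacks capability {capability}", location)
    if location == "external":
        return Decision(False, "remote access must come through the VPN", location)
    # A remembered device may skip the second factor only inside a facility;
    # VPN users always present a fresh factor.
    mfa_ok = req.mfa_fresh or (req.remembered_device and location == "facility")
    if require_2fa and not mfa_ok:
        return Decision(False, "second factor required", location)
    return Decision(True, "allowed", location)
```

Every `Decision`, allowed or not, should become an audit entry carrying `location` and `reason`; the denied ones are the "non-facility access attempts" the policy above says to log and alert on.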

Step 7: Create Emergency Access Procedure

Document and implement break-glass procedures.

Emergency Access Configuration

Emergency Access Account:

Username: emergency_access
Role: Emergency_Physician (full ePHI access)
2FA: Emergency codes (stored in secure location)
Usage: Break-glass only
Logging: All actions logged with alert to Privacy Officer

A shared break-glass account cuts against unique user identification (§164.312(a)(2)(i)): every use must be tied to a named person in the checkout record, and the password and emergency codes must be rotated after each use. If your setup allows it, a time-limited elevation of the clinician's own account is preferable to a shared login.

Emergency Access Procedure:
  • Verify genuine emergency
  • Retrieve emergency access credentials from secure storage and record who took them
  • Log in with emergency account
  • Document reason for emergency access
  • Complete required actions
  • Log out immediately
  • Rotate the emergency credentials and return the new ones to secure storage
  • Report usage to Privacy Officer within 24 hours
  • Privacy Officer reviews access within 48 hours

Step 8: Document and Train

Essential compliance documentation.

Required Documentation

    • Security policies and procedures
    • Risk assessment documentation
    • User access controls matrix
    • Emergency access procedures
    • Audit log review procedures
    • Incident response plan
    • Business Associate Agreements (BAAs)
    • User training records

User Training Requirements

    • HIPAA security awareness training (annual)
    • Password policy and 2FA usage
    • Proper handling of ePHI
    • Incident reporting procedures
    • Emergency access procedures
    • Session timeout and workstation security

Testing Checklist

Authentication Testing

    • Strong passwords required and enforced
    • 2FA mandatory for all users
    • Failed login lockout works correctly
    • Emergency access credentials functional

Access Control Testing

    • Role-based restrictions enforced
    • Users cannot access unauthorized ePHI
    • IP whitelisting blocks unauthorized locations
    • VPN requirement enforced for remote access

Audit Logging Testing

    • All access to ePHI logged
    • Login attempts recorded
    • Modifications tracked with details
    • Logs tamper-evident (read-only in the application, integrity verifiable against an off-box copy)
    • 6-year retention configured

Session Management Testing

    • 15-minute idle timeout triggers
    • Warning displayed before timeout
    • Concurrent sessions prevented
    • Logout clears all session data

Compliance Checklist

Technical Safeguards

    • ✅ Unique user identification implemented
    • ✅ Two-factor authentication required
    • ✅ Automatic logoff configured
    • ✅ Encryption (HTTPS) enforced
    • ✅ Audit controls enabled
    • ✅ Emergency access procedure documented

Administrative Safeguards

    • Risk assessment completed
    • Security policies documented
    • User training program established
    • Incident response plan created
    • Regular security reviews scheduled

Physical Safeguards

    • Workstation security policy
    • Device encryption required
    • Screen privacy filters (recommended)
    • Secure disposal procedures

Ongoing Compliance Activities

Daily

    • Monitor failed login attempts
    • Review security alerts

Weekly

    • Review audit logs for anomalies
    • Check for unauthorized access attempts

Monthly

    • Generate compliance reports
    • Review user access rights
    • Update risk assessment if needed

Annually

    • Conduct comprehensive security audit
    • Update all policies and procedures
    • Provide staff training
    • Review and update Business Associate Agreements

Reminder: HIPAA compliance is an ongoing process, not a one-time setup. Regular monitoring, training, and updates are essential.