Is Bookly HIPAA-Compliant?
By Gil Vidals | HIPAA Blog, HIPAA Hosting, HIPAA WordPress, Resources, Security


It’s 7 pm and your office is closed. Your patients could go to the ER, but you know they’d rather die (figuratively) than sit in a waiting room for 3 hours to be seen. 

Besides, they’ll reason, there are way too many sick people there. I might be worse off when I’m done!

Waiting until tomorrow’s work day to make the appointment isn’t an attractive option either – not when things get busy and they’re on hold for a while.  

No wonder almost 70% of patients will tell you that they prefer online booking. 94% are even willing to switch to a provider that offers it, to enjoy the convenience and ease their mind when that late night, off-hours need arises.

But you already know these things. That’s why you’ve implemented an online scheduling tool for your practice, as part of your WordPress healthcare site.

You weighed the benefits, and it turns out it was a no-brainer:

An online scheduling tool is convenient and saves your staff from juggling phone calls. Besides the money and time saved, you’re also saving paper. And there’s no appointment book to misplace in the office! 

Best of all, it provides that “always on” service your patients love. 

In addition, your online scheduler actually helps you balance your appointments and prevent double bookings. And the added features like sending out appointment reminders are worth their weight in gold.

Really, what’s not to like? Who doesn’t want improved patient satisfaction surveys and positive feedback? Staff that is more available for patients? 

So you did a bit of research and chose a scheduling plugin for your WordPress site. You liked the features it offered: text notifications before appointments, calendar, and its user-friendly interface. 

A number of plugins offered similar features, but you decided on Bookly.

But there’s one thing you forgot to check before it slipped out of your brain altogether: Is this scheduler HIPAA compliant?

Insecure Plugins

It’s an important question. Your “virtual” file cabinet’s privacy and security are paramount, after all. 

So how do you know if Bookly – or any plugin you chose – is vulnerable? Sure it offers great features, but how certain are you that the protected health information (PHI) your patients enter won’t be accessed by unauthorized parties? 

If it is vulnerable, you might be opening yourself to a world of trouble: stolen data may be encrypted by the attacker and held for ransom; HIPAA violations and fines may be assessed against you; patient lawsuits may be brought to your door. You may even lose your business.

What to look for in a plugin

The answer lies in ensuring that you have 2 important things: compliant hosting, and well-maintained, reputable plugins. 

Let’s look at the plugins first. Here are four questions to bear in mind when selecting reputable plugins: 

1. Is this plugin well-tested and highly rated?  

The WordPress.org plugin repository is the place to find mature, tested plugins that are approved by WordPress. Consult the reviews and starred ratings to see how the plugin has performed, and if it has been tested with the latest version of WordPress.

CodeCanyon is another great site to find out more about a particular plugin, and even view some live demos. 

2. Has the plugin been actively maintained and updated? 

Review the Changelog tab in the plugin repository to see how often the plugin has been updated by its developer. Actively maintained plugins will have a regular record of updates, including the latest security patches.

A good rule of thumb is to avoid a plugin that hasn’t been updated in the last six months. 

3. Where was the plugin made? 

This might not have entered your mind, but since HIPAA compliance is a specifically US requirement, it doesn’t make sense to rely on a plugin from a country that has no experience with, or concern for, HIPAA regulations. 

4. How is the plugin’s support?

Fast, responsive support is a strong indicator of a plugin’s reliability and longevity. You want to know that there’s a team working behind the scenes to keep their plugin up-to-date with the inevitable “bug fixes” that will be required.   

One more thing to keep in mind with plugins: be sure to disable all your unused plugins. Why?

Unused plugins are typically overlooked and tend to fall off the radar when it comes to receiving regular updates. You may not even realize that you have a vulnerability, because you haven’t been paying attention to it.

Keeping plugins to a minimum (i.e., using only essential plugins) decreases the chances of this happening.
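The four questions above and the unused-plugin rule can be turned into a repeatable check rather than a one-time gut feeling. The script below is an added example, not code from the article, from Bookly, or from HIPAA Vault. It applies the article’s rules of thumb (reviews and rating, tested with the current WordPress version, updated within the last six months, inactive plugins flagged for removal) to plugin records. The field names `rating` (0–100), `num_ratings`, `tested` and `last_updated` are taken from the WordPress.org plugin-information API as I understand it, and the time-of-day format in `last_updated` is an assumption; the `active` flag would come from the site itself (for example `wp plugin list`). The plugin slugs and values in `SAMPLE_PLUGINS` are constructed for illustration, and the rating thresholds are my own assumptions.

```python
"""Vet WordPress plugins against the article's rules of thumb.

Added example (not the article's, Bookly's or HIPAA Vault's code).
Field names follow the WordPress.org plugin-information API; all
sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta

SIX_MONTHS = timedelta(days=182)
MIN_RATING = 80        # assumption: below 80/100 counts as a weak rating
MIN_NUM_RATINGS = 20   # assumption: fewer reviews than this is too little evidence


@dataclass
class PluginRecord:
    slug: str
    rating: int          # 0-100 scale as reported by WordPress.org
    num_ratings: int
    tested: str          # "tested up to" WordPress version, e.g. "6.5"
    last_updated: date
    active: bool         # from the site itself, e.g. `wp plugin list`


def parse_last_updated(value: str) -> date:
    """Parse the API's last_updated string, e.g. '2024-03-12 8:05am GMT'.
    Only the date prefix is used; the time-of-day format is an assumption."""
    return datetime.strptime(value.split(" ")[0], "%Y-%m-%d").date()


def from_api_response(slug: str, info: dict, active: bool) -> PluginRecord:
    """Build a record from a plugin-information API JSON object."""
    return PluginRecord(
        slug=slug,
        rating=int(info["rating"]),
        num_ratings=int(info["num_ratings"]),
        tested=str(info["tested"]),
        last_updated=parse_last_updated(info["last_updated"]),
        active=active,
    )


def version_tuple(v: str) -> tuple[int, ...]:
    """'6.5.3' -> (6, 5, 3); only major.minor is compared for 'tested up to'."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def vet_plugin(p: PluginRecord, wp_version: str, today: date) -> list[str]:
    """Return findings for one plugin; an empty list means it passed."""
    findings = []
    if not p.active:
        findings.append("inactive: remove it, unused plugins stop getting attention")
    if today - p.last_updated > SIX_MONTHS:
        findings.append(f"stale: last updated {p.last_updated}, more than six months ago")
    if version_tuple(p.tested)[:2] < version_tuple(wp_version)[:2]:
        findings.append(f"not tested with WordPress {wp_version} (tested up to {p.tested})")
    if p.rating < MIN_RATING or p.num_ratings < MIN_NUM_RATINGS:
        findings.append(f"weak track record: rating {p.rating}/100 from {p.num_ratings} reviews")
    return findings


def vet_site(plugins: list[PluginRecord], wp_version: str, today: date) -> dict[str, list[str]]:
    """Findings per plugin slug for a whole site."""
    return {p.slug: vet_plugin(p, wp_version, today) for p in plugins}


# Constructed sample data: placeholder slugs, invented values.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_WP_VERSION = "6.5.3"
SAMPLE_PLUGINS = [
    PluginRecord("example-scheduler", 92, 340, "6.5", date(2024, 5, 20), True),
    PluginRecord("old-contact-form", 90, 150, "5.9", date(2023, 9, 1), True),
    PluginRecord("abandoned-gallery", 60, 4, "6.5", date(2024, 4, 1), False),
]

if __name__ == "__main__":
    for slug, findings in vet_site(SAMPLE_PLUGINS, SAMPLE_WP_VERSION, SAMPLE_TODAY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{slug}: {status}")
```

Run it against your own site by feeding each installed plugin’s API response into `from_api_response` together with its active/inactive status; a plugin that collects patient details (as a scheduler does) should come back with no findings before it goes anywhere near PHI.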

HIPAA-Compliant Scheduling

Which brings us to our second essential: the need for HIPAA-compliant hosting. 

You won’t get the assurance of a secure site – as we’ve often mentioned – from “free” scheduling plugins with cheap hosting, despite the great functionality they may bring to your site.

So is the free version of Bookly, for example, HIPAA compliant? By itself, the answer is no.

What you really need then is a fully-managed WordPress site to oversee all aspects of your WordPress platform – plugins as well as data – to keep it secure. 

A HIPAA-compliant host, as we mentioned in our previous article, will essentially provide the “secure ship” to carry the contents (“cargo”) of your WordPress site. They’ll also provide you with a BAA (Business Associate Agreement) – a HIPAA requirement – which is a pledge to do their part to protect your data.

HIPAA Vault will ensure your WordPress site meets HIPAA compliance requirements, by providing the following:

  • the latest, updated security plugins
  • scanning for malware and providing 24/7 monitoring
  • configuration and optimization of your site, to keep it running smoothly and fast
  • the setting of permissions – limiting who has access to PHI to only those that really need it (including editor role access to the WordPress backend)
  • Apache server configuration, and updated versions of MySQL and PHP
  • securing your database connection
  • our full range of managed security services
  • enforcing strong passwords and two-factor authentication
  • audit controls to log site access for any activity that involves ePHI

Not currently hosting with a HIPAA-compliant host? We’ll take care of your new host configuration and provide migration services to transfer all your web content for you, including up to 2 databases.  

And we’ll manage it all for one low, monthly cost – providing you peace of mind and freeing you up to concentrate on being available for those first-thing-in-the-morning patients who need your care! 

HIPAA Vault is a leading provider of HIPAA-compliant hosting and WordPress solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault’s secure infrastructure and 24/7 managed security to actively monitor and protect their infrastructure, mitigate risk, and ensure that systems stay online at all times.

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA-compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on LinkedIn.