Compliance & Security
Built to keep your compliance surface small
Accessible patient-facing pages, deliberate data minimization, and a directory you own — so the burden that scares people off most medical plugins never lands on you.
Start your 14-day free trialAccessibility
WCAG 2.1 AA on every patient-facing page
Every patient-facing template the plugin ships is built to WCAG 2.1 Level AA — semantic HTML, full keyboard navigation, proper ARIA labeling, skip links as the first focusable element, and polite ARIA live regions so screen readers hear dynamic search updates. Accessibility is emitted with the page, not added afterward.
WCAG 2.1 AA is the technical standard the HHS Section 504 rule sets for organizations that receive federal financial assistance through Medicare, Medicaid, or CHIP. In May 2026, HHS extended the conformance deadline to May 11, 2027 for organizations with 15 or more employees (May 10, 2028 for smaller ones); the underlying nondiscrimination obligations are already in effect. You can hand any shipped template to your accessibility auditor and check it directly. See the Accessibility Statement for scope and current conformance status.
Deadlines and applicability vary by organization and can change. This is not legal advice.
HIPAA scope
Public by design — out of HIPAA scope on purpose
A public “find a provider” directory generally sits outside HIPAA, because provider names, credentials, locations, and accepted insurance are not patient health information. WP Medical Directory is built to stay in that lane deliberately:
- It does not collect patient health information.
- It does not create patient accounts or a patient portal.
- Its appointment-request forms capture only routing details and tell patients not to include health details.
That data minimization is a feature, not a gap. If your organization later needs full HIPAA-covered workflows — patient records, logins, messaging — you’d add those in a dedicated system built for it. We do not offer a Business Associate Agreement, because the directory is architected to avoid creating that relationship in the first place. This is not legal advice; your counsel knows your obligations.
Data ownership
Your data stays on your infrastructure
WP Medical Directory is a plugin on your own WordPress site, not a hosted service. Your Brand, Location, Provider, and Insurance Plan records live in your database. Deactivating the plugin doesn’t touch your content; fully uninstalling cleans up the plugin’s own options and tables but never deletes your directory posts. No vendor holds your provider data hostage — the own-it, don’t-rent-it model is deliberate.
Security posture
Sensible defaults, verifiable behavior
Form anti-spam
The appointment form ships with a honeypot field, a timing check, and input sanitization, plus a hook where your site can add reCAPTCHA or hCaptcha. Leads are stored in the plugin’s own table.
No standing patient data
No patient logins and no per-patient stored records. A request is a routing message, not a health record — which keeps the attack surface and the compliance surface small.
Runs on current WordPress
WordPress 6.9.4+ and PHP 8.2+, so you’re on a supported, patched platform. AI runs through WordPress’s own framework rather than credentials you manage.
Graceful lifecycle
If a license lapses, the public directory keeps rendering. Renaming or removing an entity registers a 301 to the parent or a 410 for gone, so links don’t break.
We describe security in terms of what the plugin actually does. As a maintained product, security patches ship as part of an active license — we don’t make claims we can’t substantiate.
AI and privacy
You control whether any AI runs
The AI features use WordPress’s native AI framework, so you don’t manage a third-party API key and you’re not locked to one vendor — provider-agnostic through the WP AI Client on WordPress 7.0+, with an Anthropic adapter on 6.9. Every AI feature is optional and has a manual fallback, so you can run the entire directory with no AI provider configured at all. Whether any content is processed by an AI model is your decision, made in your WordPress settings.
Common questions
Compliance FAQ
Is a WordPress medical directory HIPAA compliant?
A public find-a-provider directory generally sits outside HIPAA, because provider names, credentials, locations, and accepted insurance aren't patient health information. WP Medical Directory is built to stay in that public, out-of-scope lane on purpose: it doesn't collect patient health information, doesn't create patient accounts, and its appointment-request forms tell patients not to include health details. If your organization later needs full HIPAA-covered workflows, you'd add those in a dedicated system. This isn't legal advice; your counsel knows your specific obligations.
Does WP Medical Directory meet WCAG 2.1 AA for HHS Section 504?
Every patient-facing template the plugin ships is built to WCAG 2.1 Level AA, with semantic HTML, keyboard navigation, ARIA labeling, and no screen-reader dead ends. WCAG 2.1 AA is the technical standard the HHS Section 504 rule sets for organizations that receive federal financial assistance through Medicare, Medicaid, or CHIP. In May 2026 HHS extended the conformance deadline to May 11, 2027 for organizations with 15 or more employees, and May 10, 2028 for smaller ones. This isn't legal advice; confirm your obligations and current deadlines with counsel.
Who owns the directory data, and what happens if I uninstall?
You do. WP Medical Directory is a plugin on your own WordPress site, so your Brand, Location, Provider, and Insurance Plan records live in your database, not a vendor's SaaS platform. Deactivating the plugin doesn't touch your content. Fully uninstalling cleans up the plugin's own options and tables but does not delete your directory posts — they stay in the database and return if you reinstall. If you want them gone, you delete the posts first. Owning your infrastructure is the point.
Evaluate it against your own requirements
Run the full plugin free for 14 days and hand any patient-facing template to your accessibility auditor. See exactly how it’s built before you commit.
Start your 14-day free trial14-day money-back guarantee. This page is not legal advice.