Compliance & Security

Built to keep your compliance surface small

Accessible patient-facing pages, deliberate data minimization, and a directory you own — so the burden that scares people off most medical plugins never lands on you.

Start your 14-day free trial
Read this first. This page describes how the plugin is built. It is not legal advice, and regulatory deadlines and obligations change. Confirm what applies to your organization with qualified counsel, and see our Compliance Claims Disclaimer for the full statement.

Accessibility

WCAG 2.1 AA on every patient-facing page

Every patient-facing template the plugin ships is built to WCAG 2.1 Level AA — semantic HTML, full keyboard navigation, proper ARIA labeling, skip links as the first focusable element, and polite ARIA live regions so screen readers hear dynamic search updates. Accessibility is emitted with the page, not added afterward.

WCAG 2.1 AA is the technical standard the HHS Section 504 rule sets for organizations that receive federal financial assistance through Medicare, Medicaid, or CHIP. In May 2026, HHS extended the conformance deadline to May 11, 2027 for organizations with 15 or more employees (May 10, 2028 for smaller ones); the underlying nondiscrimination obligations are already in effect. You can hand any shipped template to your accessibility auditor and check it directly. See the Accessibility Statement for scope and current conformance status.

HIPAA scope

Public by design — out of HIPAA scope on purpose

A public “find a provider” directory generally sits outside HIPAA, because provider names, credentials, locations, and accepted insurance are not patient health information. WP Medical Directory is built to stay in that lane deliberately:

  • It does not collect patient health information.
  • It does not create patient accounts or a patient portal.
  • Its appointment-request forms capture only routing details and tell patients not to include health details.

That data minimization is a feature, not a gap. If your organization later needs full HIPAA-covered workflows — patient records, logins, messaging — you’d add those in a dedicated system built for it. We do not offer a Business Associate Agreement, because the directory is architected to avoid creating that relationship in the first place. This is not legal advice; your counsel knows your obligations.

Data ownership

Your data stays on your infrastructure

WP Medical Directory is a plugin on your own WordPress site, not a hosted service. Your Brand, Location, Provider, and Insurance Plan records live in your database. Deactivating the plugin doesn’t touch your content; fully uninstalling cleans up the plugin’s own options and tables but never deletes your directory posts. No vendor holds your provider data hostage — the own-it, don’t-rent-it model is deliberate.

Security posture

Sensible defaults, verifiable behavior

Form anti-spam

The appointment form ships with a honeypot field, a timing check, and input sanitization, plus a hook where your site can add reCAPTCHA or hCaptcha. Leads are stored in the plugin’s own table.

No standing patient data

No patient logins and no per-patient stored records. A request is a routing message, not a health record — which keeps the attack surface and the compliance surface small.

Runs on current WordPress

WordPress 6.9.4+ and PHP 8.2+, so you’re on a supported, patched platform. AI runs through WordPress’s own framework rather than credentials you manage.

Graceful lifecycle

If a license lapses, the public directory keeps rendering. Renaming or removing an entity registers a 301 to the parent or a 410 for gone, so links don’t break.

We describe security in terms of what the plugin actually does. As a maintained product, security patches ship as part of an active license — we don’t make claims we can’t substantiate.

AI and privacy

You control whether any AI runs

The AI features use WordPress’s native AI framework, so you don’t manage a third-party API key and you’re not locked to one vendor — provider-agnostic through the WP AI Client on WordPress 7.0+, with an Anthropic adapter on 6.9. Every AI feature is optional and has a manual fallback, so you can run the entire directory with no AI provider configured at all. Whether any content is processed by an AI model is your decision, made in your WordPress settings.

Common questions

Compliance FAQ

Is a WordPress medical directory HIPAA compliant?

A public find-a-provider directory generally sits outside HIPAA, because provider names, credentials, locations, and accepted insurance aren't patient health information. WP Medical Directory is built to stay in that public, out-of-scope lane on purpose: it doesn't collect patient health information, doesn't create patient accounts, and its appointment-request forms tell patients not to include health details. If your organization later needs full HIPAA-covered workflows, you'd add those in a dedicated system. This isn't legal advice; your counsel knows your specific obligations.

Does WP Medical Directory meet WCAG 2.1 AA for HHS Section 504?

Every patient-facing template the plugin ships is built to WCAG 2.1 Level AA, with semantic HTML, keyboard navigation, ARIA labeling, and no screen-reader dead ends. WCAG 2.1 AA is the technical standard the HHS Section 504 rule sets for organizations that receive federal financial assistance through Medicare, Medicaid, or CHIP. In May 2026 HHS extended the conformance deadline to May 11, 2027 for organizations with 15 or more employees, and May 10, 2028 for smaller ones. This isn't legal advice; confirm your obligations and current deadlines with counsel.

Who owns the directory data, and what happens if I uninstall?

You do. WP Medical Directory is a plugin on your own WordPress site, so your Brand, Location, Provider, and Insurance Plan records live in your database, not a vendor's SaaS platform. Deactivating the plugin doesn't touch your content. Fully uninstalling cleans up the plugin's own options and tables but does not delete your directory posts — they stay in the database and return if you reinstall. If you want them gone, you delete the posts first. Owning your infrastructure is the point.

Evaluate it against your own requirements

Run the full plugin free for 14 days and hand any patient-facing template to your accessibility auditor. See exactly how it’s built before you commit.

Start your 14-day free trial

14-day money-back guarantee. This page is not legal advice.