Choosing the Right CMS for Healthcare Clinics, Practices and Hospitals


So, you’ve been tasked with finding the best Content Management System (CMS) for your healthcare website.

There are so many options to choose from that it can get overwhelming. But, don’t let the world of CMS choices scare you: Fortunately, there are a few well-established content management systems that most healthcare organizations choose from, and we happen to use them every day here at Oneupweb.

Today’s patients expect their healthcare provider to have a website that can give them information about their service provider, book appointments, give them lab results, and more. That’s a lot of content, so making sure that the CMS you’re using to manage it is user-friendly and robust is important.

To help in your hunt for a great healthcare content management system, we discuss a few options below and look at how HIPAA plays a role in each one.


What does CMS stand for?

A CMS is a content management system. More often than not, it’s a web-based platform that helps to organize all the content that goes on a website. This includes images, blog posts, top-level brand pages, third-party portals like telemedicine, email, etc.

It also has a system for adding users and giving them different levels of permission depending on what you would like them to be able to see or do. This can be valuable when you have more than one person managing the website. Perhaps you have a writer that you want to give the ability to place content in draft form on the site, but you don’t want them to have the ability to publish anything. The right CMS can do that.

HIPAA-compliant Healthcare Content Management System Options

One of the biggest priorities is whether the CMS can be made HIPAA-compliant. If your site will have any type of Protected Health Information (PHI) on it, then you need to make sure your site – and your CMS – is HIPAA-compliant. This includes forms, emails, live chats and anything that has information considered to be PHI. Here are five HIPAA-compliant content management systems:

Most of the HIPAA concerns fall on the hosting side of things, but your CMS does still need to be compliant, and part of that is making sure you can get a Business Associate Agreement (BAA) signed by the vendor. Vendors include any organization you hire to create or maintain your website, as well as any other organizations involved in hosting, storing and transferring data with your website. Liquid Web, AWS and Rackspace all offer HIPAA-compliant hosting, just to name a few. You will also need to make sure your email is HIPAA-compliant.

As far as CMS solutions, in most cases, WordPress will work just fine. There are some simple plugins that will handle most of the heavy lifting for you, and if you purchase proper hosting and email service providers, you should be all set.

Joomla and Drupal will require a little more effort, with the latter being the most difficult. Compared to WordPress, Drupal and Joomla are more complex systems, so they have more bells and whistles to check to make sure all your bases are covered. Also, Drupal needs add-ons to help pass the HIPAA test, while the others don’t.

When it comes to deciding between WordPress vs. Drupal or Joomla vs. WordPress, WordPress will be the easiest solution, which is why we love to build websites in it, and it will probably be the best bet for most healthcare organizations. However, Vitalsite is the only one made specifically for healthcare.

The increased complexity that comes with other content management systems doesn’t always mean it’s a better option.

HIPAA’s Security Rule and How You Can Help

Today’s world is all about accessibility. Housing medical documents (such as operative notes, progress notes, physician orders, physician certification, physical therapy notes, and ER records) online can be beneficial for patients. Having all their information available at their fingertips can help patients keep track of their health. It’s crucial to have all electronic medical documents as well as the rest of your CMS data stored in a way that’s private and secure. Make sure your CMS is secure by following all HIPAA protocols.

HIPAA’s Security Rule ensures that medical documents and CMS data are secure. While CMS platforms are popular targets for hackers, there are HIPAA-compliant ways to protect your content management system from threats.

  1. Use a strong password – This one seems like a no-brainer. But if a hacker gets access to your admin permissions, they are able to do anything they want with your CMS. Don’t let that happen. Take the most elementary precaution there is and start by using a strong password.
  2. Back up your data – This habit also bleeds into everyday life. Always keep an up-to-date record of all your data. That way, you can pick up right where you left off in the unlikely event of a crash or other loss of data.
  3. Use prepared statements – SQL injection is a real threat to every CMS. Prepared statements keep the structure of a database query separate from the data supplied to it. That way, the SQL server can process both without compromising the security of your CMS.
  4. Add an SSL Certificate to your site – An SSL certificate is now the standard way for visitors and browsers to tell whether a site is secure. An SSL certificate will also help with your SEO – an added bonus!
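
To make item 3 concrete, here is an added example (not code from this post or from any CMS named in it) that runs the same appointment lookup twice, once by pasting form input into the SQL text and once with a prepared statement. The `appointments` table, its columns and the sample rows are constructed for illustration, and SQLite stands in for the CMS database.

```python
import sqlite3

def make_db():
    """Build an in-memory table of constructed sample rows (not real patient data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE appointments (patient_email TEXT, visit_date TEXT, reason TEXT)"
    )
    db.executemany(
        "INSERT INTO appointments VALUES (?, ?, ?)",
        [
            ("alice@example.com", "2024-03-01", "physical therapy"),
            ("bob@example.com", "2024-03-04", "lab results review"),
            ("carol@example.com", "2024-03-09", "post-operative check"),
        ],
    )
    return db

def lookup_unsafe(db, email):
    """Anti-pattern: form input is pasted into the SQL text, so it can change the query."""
    sql = ("SELECT visit_date, reason FROM appointments "
           "WHERE patient_email = '" + email + "'")
    return db.execute(sql).fetchall()

def lookup_prepared(db, email):
    """Prepared statement: the query structure is fixed; input is bound as a value only."""
    sql = "SELECT visit_date, reason FROM appointments WHERE patient_email = ?"
    return db.execute(sql, (email,)).fetchall()

def compare(email):
    """Return (row count from unsafe lookup, row count from prepared lookup)."""
    db = make_db()
    try:
        return len(lookup_unsafe(db, email)), len(lookup_prepared(db, email))
    finally:
        db.close()

if __name__ == "__main__":
    # An ordinary form value behaves the same in both versions.
    print(compare("alice@example.com"))
    # Constructed hostile form value: the quote closes the string and adds a
    # condition that is always true, so the unsafe version returns every row.
    print(compare("nobody@example.com' OR '1'='1"))
```

The unsafe lookup returns every patient’s row for the second input, while the prepared version treats the whole value as an email address that matches nothing.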

All the data on your CMS should remain secure, especially your patients’ medical documents. Medical documents house many different types of patient health information. By taking your own measures to ensure your CMS security, you’re following HIPAA’s Security Rule and helping your patients’ private medical information remain secure.

How to Choose the Right Healthcare Content Management System

If you already have a relationship with an agency or another marketing partner, sit down and have a conversation with them. The team helping you get your site up and running is going to know your brand and what you will and will not need for your website. Let their team figure out what CMS would work best for you and make sure it can pass HIPAA requirements.

Your partner may also be able to handle compliant hosting, email services and sign any BAAs that you need. Most of the time, having something smaller and simpler like WordPress would be the best option, unless you can provide a specific use case for something more robust.

If you aren’t already working with an agency, start doing some research on agencies that work in healthcare web design and marketing. If an agency has never worked in the healthcare field, it may be best to avoid working with them.

If you settle on a CMS and it isn’t HIPAA-compliant, another option is using third-party portals for anything PHI-related. This might work well if you already have an existing site that people in your company know how to use and edit. If it’s strictly a matter of budget, leveraging a third-party portal might be the most useful solution. The more information you can bring to your IT department or to the agency you work with, the better the solution will match your need.



In the healthcare field, there are only a few HIPAA-compliant CMS choices. Most of the time, WordPress is your best solution if you don’t have to worry about working around things that already exist and can create something from scratch. If you already have something up and running, you may want to consider a third-party portal of some kind like Formstack or Telehealth. There are many to choose from. Just make sure you check with your IT department to make sure it will work with your current CMS before you pay for anything.

Don’t forget that web-related HIPAA compliance is not as black and white as you would expect it to be. Having a meeting with an agency that knows what they’re doing is the best place to start. Find someone who can take the time to get to know your organization and help move you in the right direction. If you find someone who wants to skip steps and not worry about healthcare-specific needs, run the other direction immediately.

If you’re looking for an agency that knows healthcare marketing and can navigate its way around building websites for hospitals, clinics and medical private practices, reach out to the team at Oneupweb.
