The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Wix HIPAA Compliant?

Wix is not HIPAA compliant, but it is still possible for covered entities and business associates to use Wix for building and hosting websites that collect non-health information. Potential workarounds for making Wix HIPAA compliant are complicated and could result in HIPAA violations if the workarounds are not configured properly.

Wix is a service that helps businesses in all industries easily design, build, and host websites. Depending on the type of subscription, customers’ websites can include appointment scheduling software, ecommerce platforms, and loyalty programs. The service scores highly for performance, reliability, and security, and is certified PCI DSS and ISO 27001 compliant.

With regard to collecting data from website visitors, Wix enables customers to comply with the California Consumer Privacy Act (CCPA) and other state privacy laws that govern how visitor data may be used for marketing purposes. However, with regard to collecting Protected Health Information (PHI) from website visitors, Wix is not HIPAA compliant.

Why Does Wix Not Comply with HIPAA?

Wix states on its website that its services are not designed for HIPAA compliance. Because it is unable to meet the requirements for using, disclosing, and safeguarding PHI, Wix cannot act as a business associate on behalf of a HIPAA covered entity (or as a subcontractor on behalf of a business associate) and will not enter into a Business Associate Agreement.


The company reminds covered entities and business associates that they should not use Wix services “in a manner that causes Wix to create, receive, maintain, or transmit PHI on your behalf”. While this does not prohibit covered entities and business associates from using Wix to design, build, and host websites, it does limit what the website can be used for, although less than might be expected.

What this Means for HIPAA Covered Entities

Although Wix does not comply with HIPAA, covered entities and business associates can use a website built on Wix to collect non-health information such as names, phone numbers, and email addresses. This is because information of this type is not considered PHI when it is not maintained in the same designated record set as individually identifiable health information.

Provided that forms are limited in the information they collect, that the appointment scheduling software does not reveal the nature of treatment, and that payment systems are just used for payment processing, covered entities and business associates will not be in violation of HIPAA for creating, receiving, maintaining, or transmitting non-health information via the service.

Potential Workarounds for Making Wix HIPAA Compliant

Because Wix uses proprietary software for designing and building websites, it is not possible to transfer a website built on Wix to a HIPAA-compliant hosting service. However, there are potential workarounds for making Wix HIPAA compliant. These include embedding third-party forms into webpages and using an encrypted email service to collect PHI from website visitors.

These workarounds for making Wix HIPAA compliant involve creating accounts with third-party service providers (e.g., JotForm, Paubox), entering into Business Associate Agreements with those providers, and configuring the services so they are entirely isolated from any service provided by Wix. In practice, this means that form submissions, uploaded files, and notification emails must flow only between the website visitor and the third-party provider, and must never be copied into Wix’s own inbox, contact list, automations, or analytics. If the services are not entirely isolated, Wix would be considered to have “persistent access” to PHI and would qualify as a business associate, which it has stated it will not be.

HIPAA Compliant Alternatives are Limited

Due to the compliance risks, costs, and increased administrative overhead of using third party service providers to make Wix HIPAA compliant, workarounds are not necessarily the best way forward. Unfortunately, there are few alternatives to Wix that support compliance, that have the same ease of use, and that offer the same range of services at a competitive price.

Atlantic, Liquid Web, and Rackspace are names that are frequently mentioned as HIPAA compliant alternatives to Wix, while organizations with skilled website development teams should be able to take advantage of Amazon Web Services or Microsoft Azure. However, covered entities and business associates are advised against considering WordPress or HubSpot as alternatives to Wix, as both require plug-ins to make them HIPAA compliant.

Conclusion: Does Your Website Have to be HIPAA Compliant?

Most covered entities and business associates that use Wix to design, build, and host websites are smaller organizations. Typically they lack the resources to take advantage of more technically complicated HIPAA compliant alternatives to Wix, or to ensure that the potential workarounds to make Wix HIPAA compliant are configured correctly.

As websites built and hosted on Wix can be used to create, receive, maintain, and transmit non-health information, this raises the question of how important it is to have a HIPAA compliant website at all. If the website is used only to initiate a contact, with any follow-up that involves PHI taking place via a HIPAA compliant channel of communication (or by phone), this may be the best way to use Wix.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
