Is Wix HIPAA Compliant?
When this article was first published in early 2025, Wix was not a HIPAA-compliant service; however, the company has since implemented comprehensive measures to allow its platform to be used by HIPAA-regulated entities, and the company is prepared to sign a business associate agreement with HIPAA-regulated entities.
Wix is a service that helps businesses in all industries easily design, build, and host websites. Depending on the type of subscription, customers’ websites can include appointment scheduling software, e-commerce platforms, and loyalty programs. The service scores highly for performance, reliability, and security, and is certified PCI DSS and ISO 27001 compliant.
With regard to collecting data from website visitors, Wix enables customers to comply with the California Consumer Privacy Act (CCPA) and other state privacy laws that require an affirmative opt-in before data can be used for marketing purposes.
When it comes to collecting Protected Health Information (PHI) from website visitors, HIPAA-regulated entities must ensure that they use a platform that incorporates all of the necessary safeguards to ensure the confidentiality, integrity, and availability of PHI, and a regulated entity must enter into a business associate agreement (BAA) with the platform provider.
Wix has now incorporated a comprehensive range of measures to allow its platform to be used by HIPAA-regulated entities and provides both the tools and contractual safeguards to support HIPAA compliance. Provided customers have the appropriate Wix plan, take certain steps to make their Wix website HIPAA-compliant, and only use Wix’s HIPAA-designated apps and services, then Wix websites can be HIPAA-compliant.
How Does Wix Comply with HIPAA?
Customers with certain Wix plans (supported Premium or Studio plans) can activate a PHI protection feature from the Compliance, Privacy & Cookies section of their site dashboard. Activating this feature provides enhanced administrative, physical, and technical safeguards. These include encryption of ePHI at rest and in transit, access controls, audit logging, and the automatic restriction of non-HIPAA-compliant features and applications.
After activating this feature, users can execute a formal BAA with Wix. The BAA establishes Wix’s obligations under the HIPAA Rules: Wix agrees to comply with the permitted and required uses and disclosures of PHI, to maintain appropriate safeguards, to comply with data access, amendment, and accounting requirements, and to comply with the breach reporting requirements of the HIPAA Breach Notification Rule.
A HIPAA-regulated entity may request a copy of all PHI data on the site and submit a request to have the information securely and permanently deleted. Wix has published resources on its website to help HIPAA-regulated entities ensure HIPAA compliance when using its services: Wix Services and HIPAA and HIPAA Compliance for Your Wix Site.
In order to comply with HIPAA, users must ensure that they only use specific services and apps on their website that have been approved for HIPAA use. Wix has curated a collection of apps in the Wix App Market and explicitly designates which apps and services support HIPAA compliance, allowing regulated entities to clearly identify which apps and services may be used to create, receive, maintain, or transmit ePHI.
What this Means for HIPAA Covered Entities and Business Associates
HIPAA-covered entities and business associates can use a website built on Wix to collect non-health information such as names, phone numbers, and email addresses. This is because information of this type is not considered PHI when it is not maintained in the same designated record set as individually identifiable health information.
Provided that forms are limited in the information they collect, that the appointment scheduling software does not reveal the nature of treatment, and that payment systems are used only for payment processing, covered entities and business associates will not be in violation of HIPAA for creating, receiving, maintaining, or transmitting non-health information via the service.
Before a website built on Wix is used to collect PHI, users must configure the options correctly, enter into a BAA with Wix, and only use apps and services that support HIPAA compliance. If those steps are taken, Wix websites are HIPAA compliant. Further, Wix’s HIPAA compliance features align with the international healthcare information security standard ISO 27799, to support healthcare providers in meeting strict data protection and security requirements, such as the EU’s General Data Protection Regulation (GDPR).
It should be noted that while a company can implement all of the necessary measures to support HIPAA compliance, including signing a business associate agreement, it is up to each regulated entity to ensure that the product or service is used correctly.