Is WIX HIPAA Compliant

wix is not HIPAA Compliant

Key Points

  • Wix is not HIPAA compliant.
  • Wix clearly states that its services are not tailored to meet HIPAA requirements.
  • Wix cannot act as a business associate, subcontractor, or agent of a covered entity, as defined in the HIPAA guidelines.  
  • Wix does not actively filter or monitor information or dat.
  • If your business requires you to be compliant with HIPAA, you are responsible for compliance with all applicable laws governing the privacy and security of ePHI.
  • If you are subject to HIPAA as a Covered Entity or Business Associate, you should not use Wix services in a manner that causes Wix to create, receive, maintain, or transmit ePHI on your behalf.

 

Is WIX Pagebuilder HIPAA Compliant?

HIPAA Digital has identified that 11% of all US Healthcare Businesses use the WIX Pagebuilder for their websites.

There is a huge knowledge gap when it comes to Healthcare websites using the WIX Pagebuilder and HIPAA Compliance.

Many Healthcare business owners have been told by well-meaning friends and marketing companies that WIX is HIPAA Compliant either through lack of technical expertise, or because of a notion that a website .does not collect or store ePHI.

WIX & HIPAA

HIPAA, a U.S. law enacted in 1996, sets the standard for protecting sensitive patient data. Any entity dealing with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. Compliance is not just a matter of software or platform capability but also involves the policies and procedures adopted by the entity using the technology.

Myth Buster

WIX is NOT HIPAA compliant.

WIX offers users the tools to create and manage their websites. However, HIPAA compliance is not solely about the platform itself but how it is used and whether it can support the necessary safeguards for PHI.

WIX is not inherently HIPAA compliant. The platform does not claim to meet the specific technical and physical safeguards required under HIPAA rules.

WIX does not offer encryption at rest or in transit to the level HIPAA mandates, and it does not provide the audit controls and access management necessary for handling PHI securely.

Wix Technical and Physical Safeguards

To be HIPAA compliant, a service must have certain technical and physical safeguards in place. These include:

  • Encryption: PHI must be encrypted both in transit and at rest, ensuring unauthorized individuals cannot access the data.
  • Access Control: Only authorized personnel should have access to PHI, with controls in place to authenticate identities.
  • Audit Trails: There must be detailed logs of who accessed PHI and when, providing an audit trail for monitoring and investigating activities.

 

While WIX offers some level of security and data protection, it does not fully meet the  requirements set out by HIPAA for handling medical information.

Wix will not sign a Business Associate Agreement

Business Associate Agreement (BAA)

A critical component of HIPAA compliance is the Business Associate Agreement (BAA). This contract between a HIPAA-covered entity and its business associates (vendors or subcontractors who have access to PHI) outlines the responsibilities and expectations for safeguarding PHI.

WIX does not sign BAAs with its customers, which is a barrier to its use in a healthcare context where PHI is handled.

Without a BAA, any PHI breaches or non-compliance issues could lead to substantial legal and financial consequences for the healthcare provider.

Common Misconceptions About Wix Pagebuilder for Heatlhcare Websites

 

Contact Forms and Analytics

  • Contact Forms: Even if your site explicitly instructs users not to submit ePHI, there is still a risk that they might do so through contact forms. Implementing measures to minimize this risk is crucial. This means significant technical configurations that limit the type of information that can be submitted.
  • Analytics: Websites often collect data through analytics tools, which inadvertently capture PHI. It’s essential to ensure that any analytics implementation complies with privacy regulations and does not collect or store PHI.

Disclaimers and Policies

Having a disclaimer instructing visitors not to share PHI is an incorrect policy. Even though you have a disclaimer it is not legally binding and the person leaving the information still has their rights under HIPAA.

WIX HIPAA Limitations

While WIX is a good platform for general website building, it’s not designed with the specific intent of being HIPAA compliant. This means:

  • WIX does not offer the level of data protection and audit controls required for handling ePHI.
  • The will not sign a Business Associate Agreement (BAA), a critical element in the HIPAA compliance process.

Risks of using Wix

  • Lack of HIPAA compliance: Since Wix is not HIPAA compliant, you cannot use it to handle ePHI or electronic protected health information on your behalf. 
  • Limited security measures: Wix cannot incorporate external security plugins, limiting its ability to enhance website security beyond its built-in features.
  • Constant monitoring and maintenance: Constant surveillance and upkeep are necessary for Wix websites, preventing you from accessing and making changes to your website whenever you want. 

 

This is what Wix themselves have to say: https://support.wix.com/en/article/wix-services-and-hipaa

 

HIPAA Hosting

HIPAA Hosting is a critical component that healthcare providers must use to meet the absolute legal requirements under the Health Insurance Portability and Accountability Act (HIPAA).

This specialized hosting provides the necessary security measures, including physical, network and process safeguards, to protect electronic Protected Health Information (ePHI) from unauthorized access, use or disclosure.

Share it :
Facebook
Twitter
LinkedIn
Email
Get free tips and resources right in your inbox, along with 10,000+ others