Wix is not HIPAA compliant and websites built on the platform should not be used to collect Protected Health Information unless an exception to HIPAA applies, or unless a third party product is used to ensure PHI is not maintained or transmitted by Wix servers.
The question of is Wix HIPAA compliant is answered in the platform’s Help Pages. The relevant Help Page states Wix services are not specifically designed to comply with HIPAA. As such – the Help Page continues – we are unable to operate as a business associate, subcontractor, or agent of a covered entity, as these terms are defined in HIPAA.
What this means for HIPAA covered entities and business associates is that it is not possible to use a website built and hosted on Wix to create, receive, store, or transmit Protected Health Information (PHI) without relying on an exception to HIPAA, or without using a third party product to make the use of Wix HIPAA compliant.
When is it Possible to Use Wix in Healthcare?
Although it is not possible to use a website built and hosted on Wix to create, receive, store, or transmit PHI, it is possible to create, receive, store, and transmit other personally identifiable information that does not qualify as PHI – provided information such as names, email addresses, and cellphone numbers are not maintained in the same record sets as PHI.
This is because PHI is identifiable information about an individual that relates to the individual’s health condition, treatment for the condition, or payment for the treatment. If none of this information is exchanged via a Wix website or service, it is possible to use Wix in healthcare for purposes such as submitting contact forms and booking appointments.
When Exceptions to HIPAA May Apply
Exceptions to HIPAA can apply for many reasons. For example, HHS’ Office for Civil Rights publishes Notices of Enforcement Discretion during emergencies; and, if Outlook or Gmail were to suffer a long term outage, it is not inconceivable HHS would permit email communications via the Wix platform due to the platform’s advanced security measures.
Other events include when an individual authorizes communications or requests confidential communications via unsecured email. In such circumstances, provided the requests are reasonable – for example, if an organization uses an email service hosted on Wix servers – covered entities are required to comply with the requests.
Products to Make the Use of Wix HIPAA Compliant
When websites are built on Wix, the underlying platform uses proprietary software that prevents customers building a website on Wix and hosting it elsewhere. This means you cannot make Wix HIPAA compliant by using the service to build a website and then exporting the website to a third party HIPAA compliant hosting service.
What it is possible to do to make the use of Wix HIPAA compliant is to isolate PHI from Wix servers using products that can either embed encrypted contact forms (i.e. JotForm) or encapsulate emails in an additional layer of encryption (i.e. Paubox). If using either of these vendors, it will be necessary to enter into a Business Associate Agreement with them.
Considerations before Using Wix in Healthcare
Wix is not HIPAA compliant but can be used by covered entities and business associates to build and host websites that do not collect information (i.e., includes a contact telephone number for further information). It is also possible to collect personally identifiable information that does not qualify as PHI, or collect PHI when exceptions apply.
To use a Wix website to collect information in any circumstances requires a thorough understanding of HIPAA, while deploying products to make the use of Wix HIPAA compliant requires a thorough understanding of software configuration. If Wix servers can access PHI collected by an embedded form or transmitted via an encapsulated email, Wix will be considered to have “no view” persistent access to PHI and required to comply with HIPAA.
Healthcare organizations that require further information about when personally identifiable information does not qualify as PHI should speak with a HIPAA compliance expert. Healthcare organizations wanting to know more about products that can make the use of Wix HIPAA compliance should speak with product vendors.