Is it Possible to Make Wix HIPAA Compliant?

HIPAAGuide.net

It is not possible to make Wix HIPAA compliant but there are ways in which websites built and hosted on Wix can collect personal data without violating HIPAA. In such cases, it is important healthcare organizations and their workforces are well-informed on the correct procedures for collecting personal data to avoid unintentional violations of HIPAA.

Wix is a popular service for building and hosting websites due to its ease of use. Because of the wide range of services and integrations, websites built and hosted on Wix can be used to – for example – schedule appointments, generate branded invoices, and collect payments. The platform can also be used to create and automate powerful email marketing campaigns.

However, for healthcare organizations subject to the standards of the Health Insurance Portability and Accountability Act (HIPAA), the use of Wix is limited by the service not being designed to support HIPAA compliance. This means it is not possible to use a website built and hosted on Wix to create, receive, store, or transmit Protected Health Information (PHI).

How to Collect Personal Data Without Violating HIPAA

There are three ways in which it is possible to collect personal data without violating HIPAA. The first is to only collect non-health information. The second is to obtain a patient’s consent to use or disclose Protected Health Information (PHI) via the service. The last is to use a third-party service to isolate the website components that collect and transmit PHI.

Only Collect Non-Health Information

The HIPAA Privacy Rule protects the privacy of individually identifiable health information. This means that information relating to an individual’s health condition, treatment for the condition, or payment for the treatment is protected along with other information that could be used to identify the individual when the other information is maintained in the same record set.

When the other (identifying) information is not maintained in the same record set, it is not protected by HIPAA – although state privacy and breach notification laws may still apply. This means that if a healthcare organization puts a contact form on its website that only collects (for example) a name, a phone number, and a convenient time to call, there is no need for the contact form or the website it is published on to be HIPAA compliant.


Obtain a Patient’s Consent

Under §164.522(b) of the HIPAA Privacy Rule, patients are allowed to request confidential communications via a channel of their choice. If the request is reasonable, it must be accommodated by the healthcare organization. In theory, a patient could request confidential communications via an email service hosted on a Wix server, which would bypass the requirement to make Wix HIPAA compliant before communicating with the patient via email.

Because the healthcare organization should know the service is not HIPAA compliant, it should warn the patient of the risks and request their consent to communicate in this way. The warning and the consent should be documented. Members of the workforce should also receive HIPAA training on the correct procedures for using the Wix-hosted email service in such a way as to mitigate the risk of an unintentional violation of HIPAA.

Isolate Website Components

It is possible to isolate website components that collect and transmit PHI by embedding an encrypted contact form into a website or by using an email service that encrypts the content of emails, rather than only the connection between the sender and the recipient. In both cases, the services that embed encrypted contact forms or that encrypt email content would qualify as business associates and would need to be HIPAA compliant.

Configuring services to isolate website components requires a level of technical ability. If the configuration procedures are not followed correctly, it could result in Wix having “no-view persistent access” to PHI. In this case, even though Wix cannot access any PHI contained in a contact form or email, it would be a violation of HIPAA because Wix would qualify as a business associate and its services are not designed to support HIPAA compliance.

Conclusion: There is No Way to Make Wix HIPAA Compliant

There is no way to make Wix HIPAA compliant, but there are ways in which it is possible to use websites built and hosted on Wix to collect personal data – and in some cases data that qualifies as PHI – without violating HIPAA. Healthcare organizations requiring further information on how to use Wix without violating HIPAA are advised to speak with a compliance professional or the vendors of HIPAA compliant forms and email services.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/