Is it Possible to Make Wix HIPAA Compliant?
It is not possible to make Wix HIPAA compliant but there are ways in which websites built and hosted on Wix can collect personal data without violating HIPAA. In such cases, it is important healthcare organizations and their workforces are well-informed on the correct procedures for collecting personal data to avoid unintentional violations of HIPAA.
Wix is a popular service for building and hosting websites due to its ease of use. Because of the wide range of services and integrations, websites built and hosted on Wix can be used to โ for example – schedule appointments, generate branded invoices, and collect payments. The platform can also be used to create and automate powerful email marketing campaigns.
However, for healthcare organizations subject to the standards of the Health Insurance Portability and Accountability Act (HIPAA), the use of Wix is limited by the service not being designed to support HIPAA compliance. This means it is not possible to use a website built and hosted on Wix to create, receive, store, or transmit Protected Health Information (PHI).
How to Collect Personal Data Without Violating HIPAA
There are three ways in which it is possible to collect personal data without violating HIPAA. The first is to only collect non-health information. The second is to obtain a patientโs consent to use or disclose Protected Health Information (PHI) via the service. The last is to use a third party service to isolate website components that collect and transmit PHI.
Only Collect Non-Health Information
The HIPAA Privacy Rule protects the privacy of individually identifiable health information. This means that information relating to an individualโs health condition, treatment for the condition, or payment for the treatment is protected along with other information that could be used to identify the individual when the other information is maintained in the same record set.
When the other (identifying) information is not maintained in the same record set, it is not protected by HIPAA โ although other state privacy and breach notification laws may apply. This means that if a healthcare organization puts a contact form on its website the only collects (for example) a name, a phone number, and a convenient time to call, there is no need for the contact form or the website it is published on to be HIPAA compliant.
Obtain a Patientโs Consent
Under ยง164.522(b) of the HIPAA Privacy Rule, patients are allowed to request confidential communications via a channel of their choice. If the request is reasonable, it must be accommodated by the healthcare organization. In theory, a patient could request confidential communications via an email service hosted on a Wix server, which would bypass the requirement to make Wix HIPAA compliant before communicating with the patient via email.
Because the healthcare organization should know the service is not HIPAA compliant, it should warn the patient of the risks and request their consent to communicate in this way. The warning and the consent should be documented. Members of the workforce should also receive HIPAA training on the correct procedures for using the Wix-hosted email service in such a way as to mitigate the risk of an unintentional violation of HIPAA.
Isolate Website Components
It is possible to isolate website components that collect and transmit PHI by embedding an encrypted contact form into a website or by using an email service that encrypts the content of emails, rather than encrypting the connection between the sender and the recipient. In both cases, the services that embed encrypted contact forms or that encrypt email content would qualify as business associates and would need to be HIPAA compliant.
Configuring services to isolate website components requires a level of technical ability. If the configuration procedures are not followed correctly, it could result in Wix having โno-view persistent accessโ to PHI. In this case, even though Wix cannot access any PHI contained in a contact form or email, it would be a violation of HIPAA because Wix would qualify as a business associate and its services are not designed to support HIPAA compliance.
Conclusion: There is No Way to Make Wix HIPAA Compliant
There is no way to make Wix HIPAA compliant, but there are ways in which it is possible to use websites built and hosted on Wix to collect personal data โ and in some cases data that qualifies as PHI โ without violating HIPAA. Healthcare organizations requiring further information on how to use Wix without violating HIPAA are advised to speak with a compliance professional or the vendors of HIPAA compliant forms and email services.