Weebly, a web hosting and web development company, offers customers professional business websites, mobile apps, and online stores. Many healthcare organizations use such solutions to help them better connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with companies that are HIPAA compliant.
In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Weebly still does not mention HIPAA or a BAA on its website though its parent company does offer an agreement. The web host may be HIPAA compliant.
What is Weebly?
Weebly provides organizations with powerful tools to build websites and apps that are integrated with marketing and advanced analytics. Websites can include blogging and ecommerce as well as an app center to add features. It was first launched as a free website host in 2006.
Eventually, Weebly was acquired by financial services giant Square in 2018. Now, the company places ads on the websites of those with free plans. To remove the ads, organizations must upgrade.
LEARN ABOUT: HIPAA compliant web hosts to consider for your practice
Is Weebly a business associate?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
- Permitted uses and disclosures of PHI
- Safeguards for protecting PHI
- Reporting and mitigation of security incidents
- Compliance with HIPAA regulations
- Dispute resolution and termination clauses
The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to Weebly and its ability to be HIPAA compliant. Weebly is a business associate of a healthcare organization if it accesses or displays PHI, such as a name.
RELATED: How to know if you're a business associate
Weebly and the BAA
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In 2020, Weebly did not mention, HIPAA, PHI, or a BAA on its website. At that time, on a Weebly community support site, a handful of people asked about HIPAA, but none of the answers were definitive nor from the company itself.
The community support chat is no longer available. Moreover, there is still no mention of healthcare-related issues or a healthcare agreement on its website. Interestingly, Square will enter into a BAA with its healthcare clients. There is no mention of which Square businesses might be included under the agreement, though the document states,
“We agree to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on our behalf agree in writing to the same restrictions and conditions that apply through this HIPAA BAA to us with respect to such PHI, including complying with the applicable requirements of the Security Rule.”
Weebly, web hosting, and data security
Maintaining a website is complex, and covered entities need to ensure that their websites are HIPAA compliant. While web hosts can be HIPAA compliant as business associates, that is not always the case. Covered entities must consider the administrative, physical, and technical safeguards that a vendor utilizes to protect PHI. With the increasing importance of data privacy and security, all healthcare business associates who collect, store, or process PHI are subject to HIPAA regulations.
Weebly cybersecurity features include secure socket layer (SSL) encryption. Moreover, the company gives full control of website building to its clients and provides password-protected pages. In fact, each website built with Weebly includes a custom transport layer security (TLS) certificate to ensure end users have secure transactions.
Additionally, it is backed by Square, known for its safe payment processing with encryption, access controls, patches and updates, and audit controls.
Is Weebly HIPAA compliant?
The BAA is a necessary component of HIPAA compliance and Weebly does not mention a BAA. Its parent company, however, is willing to sign a BAA with healthcare clients and may include Weebly as part of the agreement. Healthcare customers should discuss the issue further with Weebly and/or Square customer support. Conclusion: Weebly may be HIPAA compliant.
Understanding HIPAA compliance
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:
- Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Such tools as perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital for extra protection.
- Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
- Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
- Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.
Kapua Iao
