One of the most popular platforms to launch a business website is Squarespace.
Founded by a college student in 2004, the New York City-based company now hosts over one million websites and has over 700 employees.
But is it HIPAA compliant?
Why do businesses choose Squarespace?
Squarespace differentiates itself in the crowded webhosting space with its comprehensive online offerings and striking, elegant designs.
While Squarespace websites are prettier, they are also more expensive than other website builder services like Weebly and Wix.
Squarespace seamlessly integrates with ecommerce tools (including Stripe and PayPal), Google Apps, and other popular business platforms. The company is also is a domain name registrar, competing with giants like GoDaddy, and allowing it to provide a one-stop shop for business websites.
Squarespace and HIPAA
If you use Squarespace to design and host your business website, it will likely be an important way you attract new customers and interact with your clients.
If you are a covered entity under HIPAA — which includes doctors, dentists, clinics, hospitals, and health insurance providers — you must be careful to ensure you only partner with HIPAA compliant business associates.
According to HIPAA, a business associate is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
Since your Squarespace website could potentially receive protected health information (PHI), HIPAA compliance is required.
How does Squarespace address HIPAA?
The good news is that Squarespace provides a “Squarespace and HIPAA” guide in its support documents. And it includes a lot of helpful information, such as how to make your Squarespace account HIPAA compliant and how to access your business associate agreement (BAA) once in place.
However, as the company explains, only one component of its overall offerings can be part of a HIPAA compliant website: Squarespace Scheduling.
Squarespace Scheduling does handle many of the interactions a customer or client would have with a covered entity, such as booking appointments.
To use Squarespace Scheduling, you will need to be on a “Powerhouse Player” plan.
Squarespace correctly notes that “many third-party integrations don’t support HIPAA,” and that covered entities should disable them.
Squarespace’s HIPAA guide explains:
Squarespace Scheduling is designed to allow you to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Other parts of the Squarespace platform, including contact form features like the Form Block, can’t be used as part of a HIPAA compliant solution. To collect secure patient information online for areas outside of Scheduling, we recommend linking to an external, compliant service.
If you would like to include a form on your healthcare practice’s website, you might consider using Jot Form, which can be HIPAA compliant.
What about Squarespace email?
You can configure Squarespace to manage your business email accounts, but behind the scenes, Squarespace uses Google Workspace.
Is Squarespace HIPAA Compliant?
Conclusion: Squarespace can be part of a HIPAA compliant operation if: 1) you are on a “Powerhouse Player” plan; 2) you only use the Squarespace Scheduling feature; and 3) you don’t use other third-party integrations that compromise HIPAA compliance.
Squarespace will provide a business associate agreement (BAA) for qualified customers.