What Platform Should Your Practice Choose For Its Website?

When considering HIPAA compliance, choosing a CMS platform to build your website on is daunting. Choosing the wrong one can cause a host of issues: lost revenue, costly rebuilds, potential fines, and headaches.

Should you care about your website as much as your electronic health record system? You should read our post about commonly overlooked HIPAA risks or take our HIPAA risk quiz.

There are many options to choose from (literally hundreds). We would love to analyze all of them, but that post would be massive.

We have laid out a helpful table for each platform (for those who want a quick answer) as well as a more in-depth review of each platform.


*Full disclosure: If you use our affiliate link for Hushmail you get a lifetime discount on their service and we get a small amount for referring you. However, do not mistake that as influencing our decision to include them in this post. Any of our affiliate choices are based only on quality of service and whether they align with giving value to our clients (discounts or upgrades). All of the forms listed offer a great service and were chosen for quality of service.

Drupal

Free
  • The platform is Free. The monthly cost depends on the host.

  • 4.8

  • Standard MySQL database with most hosts. Integrates well and is fully supported.

  • Drupal has a robust security team and is chosen for its security. In addition to Drupal Security you can utilize Sucuri for an additional layer of protection. Sucuri addresses HIPAA concerns. Sucuri provides a website firewall, CDN, active hardening, site scanning for malware and hacks, malware/hack fixes, IP blocking (blocks unusual admin logins from unknown IPs), and much more. These are only part of a HIPAA security solution and do not replace good security practices.

  • Depends on the host. Some hosts explicitly state they are not compliant and will not sign a business associate agreement.

  • Drupal is a content management system and not a packaged platform. It can be built in a way that is compliant. There are many HIPAA Compliant Web Design Agencies and hosting providers who will sign a business associate agreement.

  • Recommended. If you are a larger organization and need a more robust platform, Drupal is trusted by many banking, government organizations, and large health care providers.

WordPress

Free
  • The platform is Free. The monthly cost depends on the host.

  • 4.6

  • Standard MySQL database with most hosts. Integrates well and is fully supported.

  • The top 3rd party security solutions for WordPress are Wordfence and Sucuri. However, Sucuri addresses HIPAA concerns while Wordfence does not speak to HIPAA anywhere on their site. Sucuri provides a website firewall, CDN, active hardening, site scanning for malware and hacks, malware/hack fixes, IP blocking, IP whitelisting (blocks unusual admin logins from unknown IPs), and much more. Wordfence is also a great plugin for security, and some protection is better than none.

  • Depends on the host. Some hosts explicitly state they are not compliant and will not sign a business associate agreement.

  • WordPress is a content management system and not a packaged platform. It can be built in a way that is compliant. There are many HIPAA Compliant Web Design Agencies and hosting providers who will sign a business associate agreement.

  • Recommended. WordPress can be built in a way that is HIPAA compliant. Some of the highest traffic sites online are built on WordPress. It is a great choice for a HIPAA compliant website. Making a compliant site on WordPress can be affordable as well. There are many tools to assist you in building your own site even if you have limited coding skills. If you build your own site it is important that you carefully vet what you install on your site. It is advised that you utilize a HIPAA consultant or a web designer that understands the risks and can recommend compliant options.

Squarespace

$16-46/mo
  • The monthly cost varies from $16 to $46.

  • 3.6
  • Squarespace does not support a MySQL database, and the site can’t be connected to an external one.

  • Provided by Squarespace. They offer passive scanning periodically, not real-time. Hacking issues are dealt with through support.
  • States that their servers and most parts of the platform are not HIPAA compliant, including their forms. They recommend you use a HIPAA compliant third party service, Acuity Scheduling. (That is cover-your-own-butt speak.) Squarespace integrates analytics, logs your visitor’s IP addresses, and your patients will interact with the site. All of this becomes PHI if it can be used to identify your patient. You are also responsible if they suffer a breach or your site is hacked, as thousands of sites found out in 2018.

  • No

  • Not Recommended based on HIPAA risk and performance. If you understand the risk that you may fail an audit if you have a breach, then Squarespace can be an option. We don’t advise our clients to use it for this reason. The performance of the site in terms of load speed and limited search engine optimization options also makes Squarespace less than ideal.

WIX

$13-500/mo
  • The monthly cost varies from $13 to $500

  • 3.2
  • A database can only connect to an externally hosted one through a custom API.

  • Security is only provided by WIX. They offer passive scanning periodically, not real-time. Hacking issues are dealt with through support.
  • HIPAA is not addressed on the Wix site. It has to be assumed they are not compliant.

  • No

  • Not Recommended based on HIPAA risk. The performance of the sites on this platform has been less than ideal for most. While they did a rebranding campaign advertising new search engine optimization tools, in the greater professional web development community Wix still comes up short.

Weebly

$5-38/mo
  • The monthly cost varies from $5 to $38.

  • 2.3
  • The platform does not support a MySQL database, and the site can’t be connected to an external one.

  • Security is only provided by Weebly. They offer passive scanning periodically, not real-time. Hacking issues are dealt with through support.
  • HIPAA is not addressed on the Weebly site. It has to be assumed they are not compliant.

  • No

  • Not Recommended based on HIPAA risk. Weebly has lagged behind in terms of website builders. It was acquired by Square in 2018. With the backing of Square, this platform has the potential to improve, and it may become a good alternative for small providers in the future.

Drupal Features & HIPAA Compliance

Drupal Overview

Drupal is a free open source platform that can be used by groups or individuals to manage a website with large volumes of content or users. It can be very user friendly but it has to be built that way.

Drupal is commonly chosen by larger organizations who need a highly secure website. The platform is lightweight and fully customizable, which is great for developing a responsive website.

Platform is Free.  Monthly cost depends on host.
Yes
4.8 Out of 5
Standard with most hosts. Integrates well and fully supported.
Yes
Yes

Drupal has a robust security team and is chosen for its security. In addition to Drupal Security you can utilize Sucuri for an additional layer of protection.

Sucuri addresses HIPAA concerns.

Sucuri provides a website firewall, CDN, active hardening, site scanning for malware and hacks, malware/hack fixes, IP blocking (blocks unusual admin logins from unknown IPs), and much more.

These are only part of a HIPAA security solution and do not replace good security practices.

Depends on the host. Some hosts explicitly state they are not compliant and will not sign a business associate agreement.

Drupal is a content management system and not a packaged platform. It can be built in a way that is compliant.

There are many HIPAA compliant web design agencies and hosting providers who will sign a business associate agreement. Just make sure you do your due diligence.

That depends on how the site is built. Drupal is an open source content management platform that you host and build your website on. That means that if you do not have HIPAA compliant hosting, a correctly set up server, and compliantly built forms, then it is not. However, HIPAA compliant hosting can be slightly cost prohibitive for smaller practices.

You can embed a HIPAA compliant form into Drupal for a less than optimal solution, using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack. Most electronic health record systems also have options to embed into or connect to your site.

It is important to note that if you are building on Drupal, your web design agency will likely already choose a HIPAA compliant host and create a custom form.

Recommended.

If you are a larger organization and need a more robust platform, Drupal is trusted by many banking, government organizations, and large health care providers.

Key Features Of Drupal

Custom domain and any email service

Bring your own domain name and email service of choice.

Security

What sets Drupal apart is their commitment to security. They have a dedicated security team to ensure the infrastructure is secure and new threats are addressed in a timely manner. With a good web developer, a Drupal site can maintain HIPAA data integrity and confidentiality. Just being on Drupal does not make you secure, but it does help.

Ease Of Use

Drupal site owners can set up a good-looking site, but they need HTML or CSS knowledge. There are some pre-made themes out there as well as marketplaces. It is important to remember that Drupal is geared towards larger sites and developers. But a developer can make a very easy to use and edit site on Drupal.

Performance

The platform is built lightly, so the Drupal platform will not be the reason for a slower site. A good website developer can create custom code that performs exceptionally on Drupal.

Hosting

Drupal can be hosted on nearly any HIPAA compliant host or self-hosted. The server just has to have Drupal installed. Drupal does maintain a list of preferred hosts. This means Drupal can connect to or create any database or web application API without limitation. In layman’s terms, you have more flexibility.

Drupal Drawbacks

While the platform is free, the cost quickly mounts due to the need for custom code. Like WordPress, Drupal has many “plugins” or modules. However, unlike WordPress, getting them to do what you want will require a developer. Think of Drupal modules as frameworks made by developers for developers on a truly open source platform. WordPress, by contrast, is consumer focused, and a majority of its plugins only do some of what they say and carry bloatware (extra code or gated sales pitches) that can slow down a site significantly the more of them are used.

Are Drupal forms HIPAA compliant?

That depends on how the site is built. Drupal is an open source content management platform that you host and build your website on. That means that if you do not have HIPAA compliant hosting, a correctly set up server, and compliantly built forms, then it is not. However, HIPAA compliant hosting can be slightly cost prohibitive for smaller practices.

You can embed a HIPAA compliant form into Drupal for a less than optimal solution, using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack. Most electronic health record systems also have options to embed into or connect to your site.

It is important to note that if you are building on Drupal, your web design agency will likely already choose a HIPAA compliant host and create a custom form.

How much is the true cost of a Drupal site?

Most Drupal sites range from $30,000-$60,000 with additional costs depending on organizational requirements. That cost is largely development cost. If you are a clinician who is also a web developer, the cost would instead be your time and server costs.

Do not let the custom Drupal price tag fool you.

The Verdict

A custom Drupal site has more flexibility and lower cost in the long run for larger organizations in terms of performance and security. Because all or a majority of the code is custom, the potential for hacking is much lower. WordPress is the largest platform for creating websites, and this makes it a common target for hackers of all skill levels. Drupal has a much smaller user base and typically requires more advanced hackers to exploit. Both WordPress and Drupal can be very secure with the right web developers.

Drupal has an edge over WordPress when your clinic is much larger and handles more ePHI.

We highly recommend Drupal if you can afford development costs.

WordPress Features & HIPAA Compliance

WordPress.org VS. WordPress.com

WordPress.org is the open source version of WordPress that has a robust developer community and flexibility. WordPress.com is the for-profit provider of WordPress hosting that has limited options in terms of development and limited plugins. Nearly all the plugins on WordPress.com are premium and have limited customization. Also, WordPress.com sites are only hosted by WordPress.com, and they provide the security updates and server maintenance.

* This review of WordPress is for WordPress.org.

Overview of WordPress.org

WordPress powers a third of all of the top websites on the internet. It was originally built to be an open source blogging platform but quickly became a powerhouse for other web content. It is now one of the largest content management systems online.

WordPress is great for small to mid-sized clinics and solo practitioners. However, it can be a security risk if you do not take proper steps to secure your site. That is why working with a web designer who understands security and HIPAA is important.

Platform is Free.  Monthly cost depends on host.
Yes
4.6 Out of 5
Standard with most hosts. Integrates well and fully supported.
Yes
Yes

The top 3rd party security solutions for WordPress are Wordfence and Sucuri.

However, Sucuri addresses HIPAA concerns while Wordfence does not speak to HIPAA anywhere on their site.

Sucuri provides a website firewall, CDN, active hardening, site scanning for malware and hacks, malware/hack fixes, IP blocking, IP whitelisting (blocks unusual admin logins from unknown IPs), and much more.

Wordfence is also a great plugin for security, and some protection is better than none.

Both solutions are only part of a HIPAA security solution and do not replace good security practices.

Depends on the host. Some hosts explicitly state they are not compliant and will not sign a business associate agreement.

WordPress is a content management system and not a packaged platform. It can be built in a way that is compliant.

There are many HIPAA compliant web design agencies and hosting providers who will sign a business associate agreement. Just make sure you do your due diligence.

That depends on how the site is built. WordPress is an open source content management platform that you host and build your website on. That means that if you do not have HIPAA compliant hosting, a correctly set up server, and compliantly built forms, then it is not. However, HIPAA compliant hosting can be slightly cost prohibitive for smaller practices.

You can embed a HIPAA compliant form into WordPress for a less than optimal solution, using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack. Most electronic health record systems also have options to embed into or connect to your site.

Recommended.

WordPress can be built in a way that is HIPAA compliant. Some of the highest traffic sites online are built on WordPress. It is a great choice for a HIPAA compliant website.

Making a compliant site on WordPress can be affordable as well.

There are many tools to assist you in building your own site even if you have limited coding skills.

If you build your own site, it is important that you carefully vet what you install on your site. It is advised that you utilize a HIPAA consultant or a web designer who understands the risks and can recommend compliant options.

Key Features Of WordPress

Custom domain and any email service

Bring your own domain name and email service of choice.

Security

WordPress can be built to be very secure if your web developer knows what they are doing. However, due to the popularity of the platform, it does suffer more hacking attempts. There are also 3rd party sites selling plugins and themes that are compromised. There have been plugins available to download that were really malware. The convenience of installing a plugin or a new theme can lead to a data breach if they are not properly vetted.

Ease Of Use

WordPress site owners can set up a good-looking site without much HTML or CSS knowledge. With the Gutenberg update, pages can be built with more design options, and there are also page builders and pre-made themes.

Performance

While WordPress is not as light as other content management systems, it can make a site that performs great if it is built right. Unfortunately, it can easily be bogged down by needless plugins and poorly developed themes, to name a few issues. Typically, new site owners install a plugin to do something that is easier and faster to do with a few lines of code.

Hosting

WordPress can be hosted on nearly any HIPAA compliant host or self-hosted. This means WordPress can connect to or create any database or web application API without limitation. In layman’s terms, you have more flexibility.

WordPress Drawbacks

WordPress can be very insecure and slow if built improperly.

You can’t set it and forget it. WordPress, themes, and 3rd party plugins have regular updates that are recommended because new vulnerabilities or bugs are discovered.

However, these updates can also have unexpected interactions on the site and can break sites if they are not tested. A regular backup schedule is recommended (it is good to back up your site no matter the platform you are on).

Performance can be degraded if you have a high-volume site.

High amounts of content can become difficult to work with in WordPress.

Are WordPress forms HIPAA compliant?

That depends on how the site is built. WordPress is an open source content management platform that you host and build your website on. That means that if you do not have HIPAA compliant hosting, a correctly set up server, and compliantly built forms, then it is not. However, HIPAA compliant hosting can be slightly cost prohibitive for smaller practices.

You can embed a HIPAA compliant form into WordPress for a less than optimal solution, using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack. Most electronic health record systems also have options to embed into or connect to your site.

How much does a WordPress site cost?

A WordPress site can range in price. Sites can range from $1,000 to $15,000+ depending on what you need. As a good rule of thumb, sites under $1,000 are going to be more of a template theme set up with little to no customization, or fully outsourced out of the country. Both have concerns with potential HIPAA violations and future ePHI. We have seen sites where a backdoor was placed in the site by the outsourced web developer, or where all form data was logged and copies sent to the web “guy”. You get what you pay for, but also understand that with HIPAA, “get what you pay for” might also be a fine much, much higher than the cost of a fully customized site (since HIPAA fine caps per year range from $50k to $1.5 million).

In general, a WordPress site typically costs less than a Drupal site; however, costs can become comparable if complex requirements are added.

The Verdict On WordPress

A custom or premade WordPress site has more flexibility and lower cost in the long run for solo practitioners and small to larger organizations in terms of performance and security. Because all or a majority of the code is custom, the potential for hacking is much lower. WordPress is the largest platform for creating websites, and this makes it a common target for hackers of all skill levels. Drupal has a much smaller user base and typically requires more advanced hackers to exploit. Both WordPress and Drupal can be very secure with the right web developers.

WordPress can be built in a way that is HIPAA compliant. Some of the highest traffic sites online are built on WordPress. It is a great choice for a HIPAA compliant website.

Making a compliant site on WordPress can be affordable as well.

There are many tools to assist you in building your own site even if you have limited coding skills.

If you build your own site, it is important that you carefully vet what you install on your site. It is advised that you utilize a HIPAA consultant or a web designer who understands the risks and can recommend compliant options.

Squarespace Features & HIPAA Compliance

Overview of Squarespace

The Squarespace platform is a drag and drop grid website builder that uses pre-made templates that users can customize. It has grown in popularity due to its ease of use and the quick ability to get a site up and running.

$16- $46 Monthly
Yes
3.6 Out of 5
Not supported
No
No

Security is only provided by Squarespace. They offer passive scanning periodically, not real-time. Hacking issues are dealt with through support.

States that their servers and most parts of the platform are not HIPAA compliant, including their forms. They recommend you use a HIPAA compliant third party service, Acuity Scheduling. (That is cover-your-own-butt speak.)

Squarespace integrates analytics, logs your visitor’s IP addresses, and your patients will interact with the site. All of this becomes PHI if it can be used to identify your patient. You are also responsible if they suffer a breach or your Squarespace site is hacked, as thousands of sites found out in 2018.

No

No. Squarespace states their forms are not HIPAA compliant and they do not currently sign a business associate agreement. However, you can embed a HIPAA compliant form into Squarespace for a less than optimal solution, using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack.
Not Recommended based on HIPAA risk and performance.

If you understand the risk that you may fail an audit if you have a breach, then Squarespace can be an option. We don’t advise our clients to use it for this reason.

The performance of the site in terms of load speed and limited search engine optimization options also makes Squarespace less than ideal.

Key Features Of Squarespace

Custom domain and any email service

Bring your own domain name and email service of choice.

Security

You do not have control over your website’s security. You get passive scanning of your website, and for basic websites that do not handle ePHI this can be perfectly fine. However, since hacking and malware issues are not identified in real-time and hacking issues are dealt with through technical support, your site could be compromised for a while. With HIPAA that could translate into a significant breach.

Ease Of Use

Squarespace is very user friendly, and the drag and drop editor can build a great looking website on both desktop and mobile, if you have time to build it. You can also customize through HTML and CSS or hire a Squarespace designer to build the site you want.

Performance

This gets tricky, since a Squarespace site can perform well but typically speed is an issue. If your site loads slowly there are a few things you can do to optimize, such as uploading properly optimized images, but the limiting factor is the Squarespace platform itself. How it pulls resources into a page can be edited slightly if you know how to code and pay for the higher tier plans. You can also limit the amount of inline CSS, but you risk breaking the site completely.

Hosting

Squarespace is only hosted by Squarespace. Their servers are also not HIPAA compliant.

Squarespace Drawbacks

First and foremost, Squarespace explicitly states they are not HIPAA compliant, and neither are their forms. The form you can use for HIPAA is Acuity, but that does not ensure that you are compliant.

Security is not up to par when it comes to HIPAA. Like we said in the table, Squarespace was hacked recently, causing thousands of sites to have a data breach.

Customization for slightly complex (or not that complex) requirements that need server access to implement efficiently is virtually nonexistent.

Are Squarespace forms HIPAA compliant?

No. Like we said earlier, Squarespace states their forms are not HIPAA compliant and they do not currently sign a business associate agreement. However, you can embed a HIPAA compliant form into Squarespace for a less than optimal solution, using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack.

How much does a Squarespace site cost?

Monthly costs range from $16 to $46 with a discount if paid annually. If you hire a web designer, costs vary greatly depending on your requirements and the designer’s fees. Because of the ease of use there are a lot of overpriced novice designers. (Remember, you get what you pay for; in this case you may pay more for less.)

The Verdict On Squarespace

We do not recommend Squarespace for those under HIPAA (we also don’t recommend it for businesses that are not under HIPAA, for SEO and performance reasons). If in the future Squarespace changes their servers to be compliant and fixes the performance issues, then it can be a decent option for solo practices or small clinics.

However, at this time it is a business risk decision that falls on the owner.

If you are dead set on using Squarespace you can embed Hushmail, Jotform, or Formstack for at least a basic HIPAA compliant form that transfers securely to their servers.  This will limit the risk of a data breach in contact form data.

WIX Features & HIPAA Compliance

Overview of WIX

The WIX platform is a cloud-based drag and drop grid website builder that users can customize. WIX is an Israeli-based company.

$13-$500 Monthly
Yes
3.2 Out of 5
Only can connect to an externally hosted database through a custom API and adaptor to translate requests.
No
No

Security is only provided by WIX. They offer passive scanning periodically, not real-time. Hacking issues are dealt with through support.

HIPAA is not addressed on the Wix site. It has to be assumed they are not compliant.

No

No.  Out of the box, WIX forms are not HIPAA compliant because they do not currently sign a business associate agreement.  However, you can embed a HIPAA compliant form into wix for a less than optimal solution.  Using a HIPAA compliant 3rd party service such as Hushmail, Jotform, or Formstack.
Not Recommended based of HIPAA Risk and performance.

The performance of sites on this platform has been less than ideal for most.  While they ran a re-branding campaign advertising new search engine optimization tools, in the greater professional web development community Wix still comes up short.

Key Features Of WIX

Custom domain and any email service

Bring your own domain name and email service of choice.

Security

You do not have control over your website’s security.  You get passive scanning of your website, and for basic websites that do not handle ePHI this can be perfectly fine.  However, since hacking and malware issues are not identified in real-time and hacking issues are dealt with through technical support, your site could be compromised for a while. With HIPAA that could translate into a significant breach.

Ease Of Use

WIX is very user friendly, and the drag-and-drop editor can build a great looking website if you have time to build it. Unlike Squarespace, you can build much faster on WIX.  You can also customize through HTML and CSS or hire a WIX designer to build the site you want.

Like WordPress, they have their own plugins and 3rd party plugins, which makes integrating features easier if you are not tech savvy. This also means the site can slow down the more you add.

Performance

WIX sites have had performance issues, and even after they added Search Engine Optimization “tools” they still perform less than optimally.

We have moved many sites off WIX and almost immediately have seen a boost in organic traffic and performance.  Just saying.

That being said, there are some very well performing sites on the WIX platform, but those are on the higher paid plans.  Those are WIX powered but everything else is custom built, which means they can limit the bloat that 3rd party plugins can cause.

We will give credit to WIX. WIX has been working hard at cleaning up their image and performance issues.  The platform has improved since it started.

Hosting

WIX is only hosted by WIX. They do not address HIPAA in any documentation. Since they are an overseas company, even if you get a Business Associate Agreement (which we have not seen them provide) there are additional costs, with more risk assessments required by HHS that are put on the healthcare provider or vendor.  That doesn’t provide an incentive for WIX to cater to healthcare, and why would they, since HIPAA and HITECH don’t currently apply to them.  In short, do not send ePHI through any of their servers.

Unlike Squarespace you can connect your externally hosted database to your WIX site through a workaround.  This means WIX has more flexibility than Squarespace for custom coded sites.

WIX Drawbacks

HIPAA is a big drawback for WIX.  Unlike Squarespace, which is US based and has to address HIPAA, WIX is not and has chosen not to open the door to unneeded litigation or HITECH audits.

Squarespace has slightly better performance than WIX, and their sites tend to look better due to the grid-based design.  We know that “look better” is subjective. In this case we are talking about the ability to move items where you want while staying in line with other elements.  Mobile layouts are also easier to design in Squarespace’s builder than in WIX’s.

Are WIX forms HIPAA compliant?

No.  Out of the box, WIX forms are not HIPAA compliant because they do not currently sign a business associate agreement.  However, you can embed a HIPAA compliant form into WIX for a less than optimal solution, using a HIPAA compliant third-party service such as Hushmail, Jotform, or Formstack.

How much does a WIX site cost?

The monthly cost for WIX ranges from $13-$500 (with discounts for paying yearly). They charge more to unlock more features.  This is not for the development of the site but just to use the platform features, and the cost can go up depending on what plugins you decide to purchase.  Like Squarespace, the cost to develop a site depends on the designer.

The Verdict On WIX

Like Squarespace, we do not recommend WIX for those under HIPAA (or other businesses).  It is unlikely that WIX will invest in becoming HIPAA compliant in the future.  If they fix the performance issues, then it could be a decent option if you do not collect form data.

However, at this time with so many other compliant platforms that perform much better there isn’t really a reason to use WIX as a first, second, or even third choice for covered entities.

If you are dead set on using WIX you can embed a Hushmail, Jotform, or Formstack form for at least a basic HIPAA compliant form that transfers securely to their servers.  This will limit the risk of a data breach in contact form data.

Weebly Features & HIPAA Compliance

Overview of Weebly

The Weebly platform is a widget-based drag-and-drop website builder that users can customize. Weebly is a US-based company that was acquired by Square Inc in 2018. (Not to be confused with Squarespace.)

  • $5-$38 Monthly

  • Yes*

  • 2.3 Out of 5

  • Not supported.

  • No

  • No

  • Security is only provided by Weebly. They offer periodic passive scanning, not real-time scanning.  Hacking issues are dealt with through support.

  • HIPAA is not addressed on the Weebly site. It has to be assumed they are not compliant.

  • No

  • No.  Out of the box, Weebly forms are not HIPAA compliant because they do not currently sign a business associate agreement.  However, you can embed a HIPAA compliant form into Weebly for a less than optimal solution, using a HIPAA compliant third-party service such as Hushmail, Jotform, or Formstack.

  • Not recommended based on HIPAA risk.

Weebly has lagged behind other website builders. It was acquired by Square in 2018, and with the backing of Square this platform has the potential to improve.  This may become a good alternative for small providers in the future.

Key Features Of Weebly

Custom domain and any email service

Free .weebly.com domain, custom domain*, and any email service.

*Bring your own domain name if it ends in .weebly.com, .com, .net, .org, .co, .info, or .us.

Security

You do not have control over your website’s security.  You get passive scanning of your website, and for basic websites that do not handle ePHI this can be perfectly fine.  However, since hacking and malware issues are not identified in real-time and hacking issues are dealt with through technical support, your site could be compromised for a while. With HIPAA that could translate into a significant breach.

Ease Of Use

Weebly is less flexible than Squarespace or WIX.  With both Squarespace and WIX you can edit your fonts, arrangements, literally everything.  With Weebly you have fewer options in their drag-and-drop widgets.  The issue with their widgets is that if you want to customize the location you will need CSS and HTML knowledge.  Do not take this as a bad thing: Weebly is slightly easier to use since it has fewer options to mess up.  However, you can break your site or lose your work a little more easily with Weebly (no undo option).

Don’t mistake easier to use for great design; that takes a lot of skill and custom code.

Performance

Weebly sites have had performance issues (adding functionality that commonly comes with other platforms is plugin based and lowers performance), and although they have added Search Engine Optimization “tools” they still perform worse than Wix or Squarespace.  In the SEO community, most answers to Weebly SEO questions are “move off it.”

We have moved many sites off Weebly and almost immediately have seen a boost in organic traffic and performance.

Hosting

Weebly is only hosted by Weebly. Like Wix, they do not address HIPAA in any documentation.  In short, do not send ePHI through any of their servers.

Weebly Drawbacks

Performance issues as well as HIPAA are big drawbacks for Weebly.  Weebly has chosen not to open the door to unneeded litigation or HITECH audits.

Squarespace and Wix have slightly better performance than Weebly, and their sites tend to look better and have a more modern feel.  Recent updates have added modern elements such as H1-H6 HTML tags, but that is a plugin add-on and not part of the platform.

Are Weebly forms HIPAA compliant?

No.  Out of the box, Weebly forms are not HIPAA compliant because they do not currently sign a business associate agreement.  However, you can embed a HIPAA compliant form into Weebly for a less than optimal solution, using a HIPAA compliant third-party service such as Hushmail, Jotform, or Formstack.

How much does a Weebly site cost?

The monthly cost for Weebly ranges from $0-$29 (with discounts for paying yearly). They charge more to unlock more features.  This is not for the development of the site but just to use the platform features, and the cost can go up depending on what plugins you decide to purchase.  Like Squarespace and WIX, the cost to develop a site depends on the designer.  (Any reputable web designer won’t work on Weebly.)

The Verdict On Weebly

Like Squarespace and Wix, we do not recommend Weebly for those under HIPAA (or other businesses).  There is potential that Weebly will invest in becoming HIPAA compliant in the future.  If they fix the performance issues, then it could be a decent option if you do collect form data.

However, at this time with so many other compliant platforms that perform much better there isn’t really a reason to use Weebly as a first, second, or even third choice for covered entities.

If you are dead set on using Weebly you can embed a Hushmail, Jotform, or Formstack form for at least a basic HIPAA compliant form that transfers securely to their servers.  This will limit the risk of a data breach in contact form data.

With Square’s payment processing power, developers, and financial backing there is some potential that Weebly may become a serious contender.  We just wouldn’t hold our breath or risk putting a practice on it.
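The same advice applies to Squarespace, WIX and Weebly: if the builder itself will not sign a business associate agreement, the only form on the page that may carry ePHI is one embedded from a vendor that will. Before relying on that, it is worth checking the published page for any form or embed that still sends visitor data back to the builder, to a vendor with no BAA on file, or over plain HTTP. The audit below is an added example written for this post; it is not code from the original article or from Squarespace, WIX, Weebly, Hushmail, Jotform or Formstack. The allowlisted vendor hostnames and the sample page are constructed placeholders; substitute the hostnames named in your own signed agreements.

```python
"""Audit a page's forms and iframes for where visitor data is sent.

Added example, not the original post's code nor any vendor's. The hostnames in
BAA_VENDOR_HOSTS and in SAMPLE_HTML are placeholders (assumption): replace them
with the hosts covered by your own business associate agreements.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of form-vendor hosts covered by a signed BAA (placeholders).
BAA_VENDOR_HOSTS = frozenset({
    "forms.baa-vendor.example",
    "secure.baa-vendor.example",
})

# Constructed sample page: one native builder form, one BAA-covered embed,
# one third-party form over plain HTTP, one third-party embed with no BAA.
SAMPLE_HTML = """
<html><body>
<form action="/contact-submit" method="post"><input name="msg"></form>
<iframe src="https://forms.baa-vendor.example/intake/abc123"></iframe>
<form action="http://forms.other.example/submit" method="post"></form>
<iframe src="https://widgets.other.example/booking"></iframe>
</body></html>
"""


class _FormEmbedCollector(HTMLParser):
    """Collect every <form action> and <iframe src> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")


def classify_target(url, site_host, allowed_hosts=BAA_VENDOR_HOSTS):
    """Say where a form action or embed source delivers the visitor's data.

    platform-native     -> relative action or the site's own host: the builder's
                           servers receive the data (no BAA in the cases above)
    not-https           -> absolute URL that is not https: cleartext in transit
    baa-vendor          -> host is on the BAA allowlist
    unknown-third-party -> some other host; no agreement on file
    mailto              -> hands the data to the visitor's mail client
    """
    parsed = urlparse(url or "")
    if parsed.scheme == "mailto":
        return "mailto"
    if not parsed.netloc:
        return "platform-native"
    if parsed.scheme != "https":
        return "not-https"
    host = (parsed.hostname or "").lower()
    if host == site_host.lower():
        return "platform-native"
    if host in allowed_hosts:
        return "baa-vendor"
    return "unknown-third-party"


def audit_page(html, site_host, allowed_hosts=BAA_VENDOR_HOSTS):
    """Return (element, target, verdict) for every form and iframe found."""
    collector = _FormEmbedCollector()
    collector.feed(html)
    findings = [("form", a, classify_target(a, site_host, allowed_hosts))
                for a in collector.forms]
    findings += [("iframe", s, classify_target(s, site_host, allowed_hosts))
                 for s in collector.iframes]
    return findings


def phi_risk_findings(findings):
    """Everything that is not a BAA-covered vendor must never receive ePHI."""
    return [f for f in findings if f[2] != "baa-vendor"]


if __name__ == "__main__":
    results = audit_page(SAMPLE_HTML, "mypractice.example")
    for element, target, verdict in results:
        print(f"{element:7} {verdict:20} {target}")
    print(f"{len(phi_risk_findings(results))} element(s) must not carry ePHI")
```

Run it against the HTML of the published page (not the editor preview, since builders often rewrite form actions on publish). On the constructed sample, the native contact form, the plain-HTTP form and the unlisted booking widget are all flagged; only the allowlisted embed passes. A clean result does not make the platform compliant, it only shows that no form on that page hands ePHI to the builder's own servers.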

Conclusion

Drupal is a winner for large clinics with large volumes of content, followed closely by WordPress. A website is only as good as the person or website designer who builds it.  Websites can be built in a compliant way depending on how you use them.  Some platforms are much more risky than others and add performance issues that can limit your practice’s profitability.  While websites, social media, and other digital properties are easy to forget in your HIPAA audits, they are becoming a leading cause of HIPAA fines.  If you work with a developer who doesn’t understand the complexities of HIPAA you may put your practice at risk.

Comments or Feedback?

Still feeling overwhelmed in choosing what to build your website on?

Do you have a platform you want us to review or features we missed?

We will keep this blog updated with any new updates or features.


Why not leave your comments below or reach out to us?
