Squarespace provides a user-friendly website builder and hosting platform for various industries. However, if you use Squarespace in healthcare, you must ensure that it enables HIPAA compliance.
Here’s everything you need to know about Squarespace HIPAA compliance.
Understanding the Need for Squarespace Compliance
With professional-looking templates, drag-and-drop features, and built-in e-commerce functionality, Squarespace is a popular choice for businesses selling their products and services online. However, web design features should not be your only consideration when building websites for healthcare. Complying with the Health Insurance Portability and Accountability Act (HIPAA) should be one of your priorities when choosing any online tool.
Healthcare websites collect data, including protected health information (PHI), to ensure the delivery of personalized and relevant healthcare services. DIY website builders like Squarespace can integrate tools that add website contact forms, chat boxes, appointment scheduling, payment options, and other online forms where clients can input sensitive data.
Protecting client data is the responsibility of healthcare providers and the software tools they allow to handle PHI. According to HIPAA rules, cloud-based providers that handle electronic PHI for covered entities such as healthcare providers are considered “business associates.”
Business associates are required to implement essential safeguards for HIPAA Compliance to protect data privacy. When a business associate fails to ensure HIPAA compliance, you risk violating the law and facing significant monetary fines.
Is Squarespace HIPAA Compliant?
No, Squarespace isn’t designed for HIPAA compliance. Only its Acuity Scheduling feature, which allows client self-scheduling on websites, enables HIPAA compliance. The rest of the website building and hosting platform isn’t suitable for handling protected health information. Moreover, you should be subscribed to Acuity’s Powerhouse plan if you plan to use the tool to collect client data.
Here’s the Squarespace Help Center statement on Acuity Scheduling and HIPAA:
Acuity is the only Squarespace feature currently designed to offer services consistent with HIPAA obligations. Your Business Associate Addendum (BAA) doesn’t cover other Squarespace features. You shouldn’t maintain or transmit Protected Health Information through Squarespace outside of Acuity.
Squarespace even goes so far as to say that you should use another service for other website features that need HIPAA compliance:
To collect secure patient information online for areas outside of Acuity, we recommend linking to an external, compliant service.
However, Squarespace’s Terms of Service are confusing. The document suggests that Squarespace can be HIPAA compliant if you and Squarespace have a Business Associate Agreement (BAA) and a HIPAA-enabled account. However, you’re on your own to figure out how to enable this.
Here’s the statement on Squarespace and HIPAA compliance on the company’s Terms of Service:
If your use of the Services requires you to comply with industry-specific regulations applicable to such use, such as HIPAA, GLBA or FERPA (each, an “Industry-Specific Regulation”), you will be solely responsible for such compliance, except to the extent Squarespace has agreed with you in writing otherwise. You are not permitted to use the Services in any way that would subject Squarespace to an Industry-Specific Regulation without obtaining Squarespace’s prior written agreement. For example, you may not use any Services to collect, use, disclose, protect, or otherwise handle “protected health information” (as defined in 45 CFR §160.103) unless your Account for such Services is designated as HIPAA-enabled and you enter into a separate business associate agreement with Squarespace.
Squarespace includes strong security measures such as free SSL certificates, Denial of Service Protection, login activity panel, two-factor authentication, password-protected pages, 24/7 security monitoring, and GDPR compliance. However, based on the information above about Squarespace’s HIPAA compliance, it’s best to refrain from using the website builder for healthcare unless you’re ready to take extra steps to make your site comply with HIPAA rules.
Steps to Ensure HIPAA Compliance With Squarespace
Creating a HIPAA-compliant website with Squarespace can be challenging, given that the platform isn’t geared toward healthcare. However, here are some tips to better protect PHI on Squarespace:
- Enable Squarespace’s built-in security features, such as password protection and two-factor authentication. Carefully monitor user activity on Squarespace’s login activity panel.
- Subscribe to the Acuity Scheduling Powerhouse account and sign a BAA if you use Acuity Scheduling on your website.
- Ensure you have a BAA with all other third-party tools that collect patient information on your Squarespace website. Carefully read the privacy policy of popular website tools like Google Analytics to know whether they are HIPAA compliant before using them.
- Never use the other features of the Squarespace platform to collect PHI unless you can secure a special agreement with the website building and hosting company.
- Conduct regular employee training and make sure that everyone on your staff understands HIPAA rules.
- Have a robust data recovery and backup plan in case of data loss, hardware failure, and other untoward incidents.
- Ensure your healthcare facility implements all HIPAA physical, technical, and administrative safeguards.
Alternatives to Squarespace For Creating HIPAA-Compliant Websites
If HIPAA compliance on Squarespace seems too challenging, choose another website builder that is willing to sign a BAA. These HIPAA-compliant website builders are designed with healthcare providers and professionals in mind, so they should prioritize features beyond the standard privacy, data backup, and recovery options.
However, even with a subscription to a HIPAA-compliant website builder, you should still take extra steps to comply with regulations. Website compliance is only a tiny part of HIPAA compliance. You are still responsible for implementing the HIPAA Rules in all areas that may expose PHI beyond website building.