Reviewing Your Business Associate Agreement for HIPAA Compliance
The Business Associate Agreement (BAA) is a contract between you and Wix that sets out how both parties protect and handle protected health information (PHI) on your HIPAA-compliant Wix site.
Before you activate PHI protection for your Wix site and sign your BAA, you can review the terms of the contract.
Business Associate Agreement
This Wix Business Associate Addendum (“Addendum”) is entered into by Wix.com Ltd. (“Wix”) and you, the user receiving services from Wix (“User”), including but not limited to the Wix Website, the Wix mobile application, and/or any other services, applications and features offered by Wix (“Services”), as a supplemental document to the Wix Terms of Use and Wix Data Processing Addendum (“DPA”), and will be made effective as of the signature date below or the date on which PHI (defined below) is first shared with Wix, whichever occurs later (the “Effective Date”).
This Addendum shall only cover the User’s disclosure of data considered as Protected Health Information, whether in an electronic form or not (“PHI”), as defined under the Health Insurance Portability and Accountability Act of 1996 as amended by the American Recovery and Reinvestment Act, including the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations issued by the U.S. Department of Health and Human Services (“DHHS”). All such laws and regulations referenced in this paragraph, as may be amended from time to time, are collectively referred to herein as “HIPAA”. Capitalized terms not defined herein shall have the meaning ascribed to them under HIPAA.
This Addendum shall apply exclusively with respect to certain of the Wix Services that are designated for use by HIPAA Covered Entities, per the list outlined under Wix HIPAA compliant apps (“HIPAA Services”) and solely with respect to personally identifiable information combined with health information as specified herein. This Addendum shall not apply, under any circumstance, to any other information shared between Wix and the User through Wix’s HIPAA Services. By using Wix Services, User acknowledges and understands that Wix offers only the HIPAA Services as a HIPAA Business Associate and does not represent that any other Wix Services apart from the HIPAA Services comply with HIPAA. It is the User’s obligation to ensure that no PHI is transmitted by User to Wix or any third party using the Wix Services that are not expressly designated as HIPAA Services.
Structure and Applicability
- Purpose and Applicability: This Addendum shall apply solely if the User is a Covered Entity or a Business Associate who wishes to use Wix Services to store, transfer, or otherwise process regulated data considered as PHI. The availability and use of Wix HIPAA Services is limited exclusively to Users who maintain an active and valid Wix premium plan subscription (“Premium Plan”). Users without a Premium Plan are not eligible to access, enable, or use HIPAA Services. Wix reserves the right to verify the User’s subscription status at any time, and to suspend or terminate access to HIPAA Services for any User who does not comply with this eligibility requirement.
- Structure: The use of Wix Services is governed by the Wix Terms of Use, Wix Privacy Policy, and the DPA. This Addendum shall govern Wix’s Use and Disclosure of PHI received through the HIPAA Services. In the event of a conflict between this Addendum and the DPA, the provisions of this Addendum shall govern solely with respect to the processing of PHI.
- PHI Nature: The type, scope, and nature of the PHI to be shared with Wix and processed by it shall be determined and controlled solely by the User.
- Non-PHI Data: This Addendum applies solely to PHI. Personal information not considered as PHI shall be governed by the DPA. De-identified or anonymized data, or Personal Data that does not include any medical- or health-related information, shall not be considered PHI, and the restrictions hereunder shall not apply to it.
Changes to HIPAA Services or this Addendum
- HIPAA Services may be amended from time to time at Wix’s sole discretion. Notification may be provided electronically, through designated direct messages within the Services, or, where applicable, through the email address officially designated for notices. Users are encouraged to verify in advance and from time to time which Services are considered HIPAA Services via the Wix HIPAA compliant apps list.
- Any amendments shall be effective upon your continued use of the HIPAA Services after such amendment. Wix will provide you with the updated version of this Addendum, and your continued use of the HIPAA Services constitutes your agreement to, and acceptance of, the amended Addendum.
Permitted Uses and Disclosures
- Necessity and management: Wix may Use and/or disclose PHI only as permitted or required to perform the HIPAA Services and in accordance with this Addendum, or as otherwise Required by Law. Wix may disclose PHI to, and permit the Use of PHI by, its employees, contractors, agents, or other representatives to the extent necessary for the performance of the HIPAA Services. Subject to the terms in the Addendum including but not limited to Section 5, Wix shall not use or disclose PHI in a manner inconsistent with Wix's obligations under HIPAA. Wix may Use and disclose PHI for the proper management and administration of its business and to carry out its legal responsibilities.
- Wix’s Affiliates: Wix may perform its obligations under the HIPAA Services using relevant Wix worldwide subsidiaries, parent companies, or other entities controlled by them either directly or through common control. Wix may use and disclose PHI with the above-mentioned entities to the extent necessary to provide you with the HIPAA Services. Wix will ensure that a subcontractor business associate agreement with no less restrictive terms is in place with each such Affiliate with respect to the Affiliate’s processing of PHI.
- Sub-Processors: In addition, Wix may disclose PHI to any third party designated as a sub-processor under the DPA who is obligated by terms not less restrictive than this Addendum to maintain the confidentiality of the PHI.
- Required Disclosure: Wix may disclose PHI to report violations of law to appropriate authorities, consistent with 45 C.F.R. § 164.502(j)(1), to respond to requests from individuals exercising their rights under HIPAA, or to comply with a legally binding request by a competent authority.
- De-Identification: Wix may Use or disclose PHI to create aggregated data and to create de-identified information in accordance with the requirements set forth at 45 C.F.R. § 164.514(a)-(b). De-Identified Data is no longer PHI and is no longer covered under this Addendum.
- Disclosure Instructions: Wix Services offer Users the ability, at their sole discretion, to integrate with third-party platforms or products that may not be HIPAA compliant, for example, third-party applications from the application market available via the Services. Upon such integration, the User directs Wix to share personal information, which may include PHI, with third parties. User is solely responsible for all third-party integrations. User hereby undertakes to evaluate if such third-party platforms, products, and integrations are suitable for its compliance needs, including compliance with HIPAA, and not to direct Wix to disclose or share PHI with third parties that are not covered by Section 3.1, and to bear the sole responsibility and liability of any such directed disclosure.
Wix’s Obligations
- Safeguards:
- Wix has implemented and shall maintain commercially reasonable and appropriate security safeguards to protect the confidentiality and integrity of PHI received from or on behalf of the User in compliance with HIPAA in carrying out its obligations under the HIPAA Services.
- Only Wix’s authorized personnel, including employees, advisors, directors, sub-processors and sub-contractors, on a need-to-know basis shall have access to PHI. These personnel shall be bound by strict confidentiality obligations and undergo periodic training designed to prevent any unauthorized Use or Disclosure of PHI.
- Reporting:
- Wix shall notify the User, without unreasonable delay and in the time and manner specified under 45 C.F.R. § 164.410, of any Security Incident or Unauthorized Use or Disclosure of any PHI upon becoming aware of it. Notwithstanding the above, the parties acknowledge that probes and reconnaissance scans are commonplace in the industry and as such, the parties acknowledge and agree that, to the extent such probes and reconnaissance scans constitute Security Incidents, this Section 4.2.1 constitutes notice by Wix to User of the ongoing existence and occurrence of such Security Incidents for which no additional notice to User shall be required, as long as such probes and reconnaissance scans do not result in Unauthorized Use or Disclosure of PHI. Probes and reconnaissance scans include, without limitation, pings and other broadcast attacks on Wix’s firewalls, port scans, and unsuccessful log-on attempts that do not result in Unauthorized Use or Disclosure of PHI.
- The parties acknowledge that Wix does not know the scope, nature, or quality of the PHI in the User account, therefore it will not be possible to provide the User with information about the identities of any affected data subjects in any event of a Security Incident or an Unauthorized Use or Disclosure; however, Wix will provide information about the nature of the Security Incident or Unauthorized Use or Disclosure to allow User to properly investigate the affected PHI.
- Wix’s reporting obligations will include the information held by Wix that is required to be reported under the Breach Notification Rule. Wix shall not be required to disclose any information that is subject to confidentiality obligations of Wix, trade secrets, or general confidential commercial information that is not directly related to the Security Incident.
- Individual Rights Requests:
- To the extent Wix receives a request from an Individual regarding exercising their rights under HIPAA (including for Access, Amendment, or an Accounting of Disclosures), Wix shall notify the User without undue delay. User shall be solely responsible for responding to such Individual requests, unless Wix determines in good faith that it is legally required to respond directly to the Individual.
- To the extent Wix receives a legally binding request to disclose PHI or provide any information regarding the processing activities from the DHHS, Wix shall notify you without undue delay to the extent legally permissible. Wix shall provide any readily available records relating to the Use and Disclosure of PHI to the Secretary for the purpose of determining compliance with HIPAA.
- Wix shall provide the User with any readily available information regarding its processing activities to reasonably assist the User, without imposing any additional cost on Wix, upon the User’s written request. Wix may, at its sole discretion and to the extent not prohibited by law, charge User reasonable fees for assisting and cooperating with such requests.
User’s Obligations and Acknowledgements
- Compliance:
- User hereby warrants and represents that all PHI uploaded to Wix for the HIPAA Services was collected and disclosed in compliance with all applicable laws including HIPAA.
- To the extent required by any of the applicable laws, including regulations, court orders, competent authority, or other binding legislation, User hereby undertakes to provide its data subjects with sufficient notices for the collection, storage, transfer, and further processing of the PHI by Wix, and, to the extent applicable, to have obtained all necessary consents, permissions, and authorizations in connection with it.
- User shall notify Wix of any restriction to the Use or Disclosure of PHI that User has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Wix’s Use or Disclosure of PHI.
- Uses of other Wix Services:
- User acknowledges that Wix’s Services are vast, including offerings that do not comply with HIPAA. Only the HIPAA Services are designed to support HIPAA compliance and are covered under this Addendum. To the extent relevant, the obligation to configure the account or its settings, or to use Wix Services in compliance with HIPAA, shall be imposed on the User.
- The User represents and warrants that it shall not use any of the Wix Services that are not designated as HIPAA Services, or for which the Addendum has been terminated, for any processing, including but not limited to hosting, storing, or transferring, of PHI. Wix shall bear no liability or responsibility for any PHI uploaded to Wix Services that are not designated as HIPAA Services. User hereby undertakes to indemnify, defend, and hold Wix and its officers, directors, shareholders, employees, or any of its Affiliates or agents harmless from any and all damages, costs, obligations, losses, liabilities, expenses, fines, fees, and attorney fees that arise due to the User’s non-compliance with its obligations hereunder.
- User acknowledges and agrees that enabling HIPAA compliance for their account, or purchasing or activating any HIPAA Services, may cause certain existing Wix applications, features or tools to function differently, to be restricted, to be disabled, or to be removed altogether, both currently and in the future. Additional available or upcoming features and tools may also be blocked, suspended, or may not be made available to Users with HIPAA Services, if deemed necessary by Wix, in its sole discretion, to ensure or enhance compliance with applicable HIPAA regulations. Wix shall not be liable for any loss, limitation, or unavailability of such features, applications, or tools resulting from or related to the activation or ongoing operation of HIPAA Services.
Term and Termination
- Termination: This Addendum shall terminate on the earlier of:
- Automatically upon the termination of the User’s use of the HIPAA Services, whether due to the expiration of the applicable subscription to HIPAA Services, removal of the Services from the HIPAA Services list, or termination under the Wix Terms of Use.
- Upon notice by either party due to a material breach of this Addendum that was not cured within a 30-day period.
- Effect of Termination:
- Upon the termination of this Addendum, the User undertakes to remove any and all PHI from Wix Services as soon as possible. As Wix does not investigate what types of data are uploaded by Users, User represents and warrants to Wix that upon termination of this Addendum, User shall remove all PHI from Wix Services and Wix shall have no further obligations to User under this Addendum. Wix may assume that all User data that remains in the Wix Services following the termination of this Addendum is not PHI.
- Any remaining information on Wix Services following the termination of this Addendum shall be governed by the Wix Terms of Use and the Wix Data Processing Addendum.
General
- Unauthorized Amendments: In any event, Wix will not be bound by any terms, conditions, responses, requests, or otherwise sent by the User, unless accepted in writing pursuant to the execution of a legal document by Wix’s authorized personnel.
- No Third-Party Beneficiaries: Nothing expressed or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors and permitted assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
The parties have executed this Wix Business Associate Addendum through their duly authorized representatives. Electronic signatures and counterparts are permitted and deemed originals.