Paubox blog: HIPAA compliant email made easy

Does Wild Apricot offer HIPAA compliant web hosting?

Written by Ryan Ozawa | October 07, 2020
One of the more popular technology tools in the healthcare field is Wild Apricot. In addition to providing websites for medical associations, its software is designed specifically to help with membership management. From enrollment applications to payments, Wild Apricot provides support and automation for many of the main activities of an association. Even though the product is aimed directly at medical organizations, due diligence is still required to ensure it complies with HIPAA.

What is Wild Apricot?

Like Squarespace, Weebly, and Wix, Wild Apricot offers a proprietary website builder to help businesses quickly design and launch websites. The company provides mobile-friendly website templates that can be customized with an organization's color scheme, logo, text, and images. It lets customers use their own domain names, and offers embeddable widgets for those that already have WordPress websites. Wild Apricot promotes itself as a provider of Association Management Software, which typically automates management functions including fundraising, membership, event management, and other operations. It has over 30,000 customers. Wild Apricot aims to be an all-in-one tool for medical associations, providing customer relationship management (CRM) features like a member database, email newsletters, and event management. It also handles payments for member registration and renewals, and even offers a portal for members to log in to access member-only resources.


Is Wild Apricot secure?

Since Wild Apricot handles many types of information, security is of paramount importance. For example, handling payment information requires compliance with the Payment Card Industry Data Security Standard (PCI DSS). Wild Apricot provides a detailed page describing its security and data protection measures. The company says that it secures online payments in line with PCI DSS version 3.2, and it reassures customers that they own their data and can easily export it at any time. Wild Apricot also says it uses globally recognized testing methodologies, such as those recommended by the Open Web Application Security Project (OWASP), to perform penetration tests. It even says it is developing Security Operations Center software to detect attacks across various systems, including Windows, Linux, the network, and social media. But if Wild Apricot is going to handle medical information, it also needs to comply with HIPAA.


Is Wild Apricot HIPAA compliant?

Wild Apricot uses Amazon Web Services (AWS) to host its customers' websites and membership applications. Because AWS can be configured to be HIPAA compliant, Wild Apricot asserts that its own technology complies with HIPAA as well. (AWS is also how Wild Apricot achieves compliance with PCI DSS.) The company also notes that its payment systems are hosted by Armor, which provides 24/7 threat detection and response, including secure hosting and log and data management, to over 1,000 customers across 42 countries. However, we are unable to find any mention of whether Wild Apricot will sign a business associate agreement (BAA), which is required for full HIPAA compliance.


Conclusion

Wild Apricot leverages AWS to provide secure and reliable service to customers. Similarly, Paubox uses AWS for our HIPAA compliant email solutions. However, unlike Paubox, Wild Apricot does not appear to offer a BAA, even though it says it is HIPAA compliant. We recommend that covered entities confirm this before becoming a customer.