If your practice website collects any patient information, the answer is yes. And most practice websites do - even when the owner does not realize it.
When Your Website Triggers HIPAA
HIPAA applies the moment your website touches protected health information. That includes:
- Contact forms that ask for a reason for visit, symptoms, or insurance information
- Online appointment scheduling where patients select a provider or service type
- Patient portals with login access to records, lab results, or messaging
- Live chat widgets where patients describe health concerns
- Intake forms submitted before a first visit
A simple "Contact Us" form with just a name and phone number is borderline. But if it includes a field like "Describe your concern" or "Insurance provider," you are collecting PHI through your website.
What Makes a Website HIPAA Compliant
There is no official "HIPAA certified website" designation. Compliance comes down to how the site handles PHI in transit and at rest.
Encryption in transit. Every page must use HTTPS (SSL/TLS). This is table stakes in 2026 - Google flags HTTP sites as "Not Secure" anyway. But HIPAA requires it specifically for any page transmitting PHI.
Encryption at rest. If form submissions are stored in a database, that database needs encryption. If submissions go to an email inbox, that inbox needs to be HIPAA compliant for email.
Business Associate Agreements. Your website hosting provider, form handler, analytics platform, chat widget vendor, and anyone else who could access PHI through your site needs a signed Business Associate Agreement. GoDaddy, Wix, Squarespace - none of these sign BAAs on their standard plans. Some enterprise tiers do.
No PHI in analytics. Google Analytics, Facebook Pixel, and similar tracking tools must not capture PHI. This became a major enforcement focus after OCR's 2022 bulletin on tracking technologies. If a patient visits a page called "/appointments/mental-health-evaluation," that URL in your analytics contains PHI.
Common Website Mistakes
Using a standard contact form plugin. Most WordPress contact form plugins email submissions in plain text. That email is unencrypted and sits in a standard inbox. If a patient describes symptoms in the message field, you just transmitted and stored PHI without safeguards.
No BAA with the hosting provider. Your hosting company stores your website files, database, and email. If PHI passes through any of those, they are a business associate and need a BAA.
Embedded third-party scheduling tools. Calendly, Acuity, and similar tools may not be HIPAA compliant on their free or standard plans. If patients select appointment types that reveal health conditions, PHI is being processed by that vendor.
Patient testimonials with health details. A testimonial that says "Dr. Smith helped me manage my diabetes" includes PHI if the patient is identifiable. Even with consent, display it carefully.
What to Do Right Now
- Audit your forms. List every form on your website. If any field could capture health information, insurance details, or treatment context, it is collecting PHI.
- Check your hosting. Contact your hosting provider and ask if they offer a BAA. If they do not, you need to migrate or accept the risk.
- Review third-party tools. Chat widgets, scheduling tools, payment processors, email services - each one that touches patient data needs a BAA.
- Confirm HTTPS everywhere. Not just the homepage. Every page, especially form submission pages.
- Lock down analytics. Ensure no tracking tool captures URLs, form fields, or page titles that reveal patient health information.
The Bottom Line
Most small practice websites are not compliant because the owner assumed a simple site does not count. It counts the moment a patient types something health-related into any field on your site.
A Security Risk Assessment will catch website-related gaps. If you have not done one, that is where to start - your website is just one piece of the full compliance picture.
Related Reading
- HIPAA Email Compliance Guide
- Business Associate Agreement: Complete Guide
- HIPAA Encryption Requirements
- HIPAA and Social Media: Staff Mistakes to Avoid
- Physical Safeguards: HIPAA Security Rule Requirements
- HIPAA Assessment Guide: Security Risk Assessment Steps
This content is for educational and informational purposes only and should not be construed as legal advice.
Frequently Asked Questions
Does a simple contact form make my website subject to HIPAA?
It depends on what the form collects. A name and phone number alone do not constitute PHI. But if the form includes fields like "reason for visit," "describe your symptoms," or "insurance provider," the submission contains protected health information and HIPAA applies to how that data is transmitted and stored.
Is there an official HIPAA certification for websites?
No. There is no government-issued HIPAA certification or seal for websites. Any vendor claiming to offer one is selling a marketing label, not a compliance designation. Compliance depends on how the site handles PHI - encryption, access controls, BAAs with vendors, and proper analytics configuration.
Do I need a BAA with my website hosting provider?
Yes, if any PHI passes through your hosting environment - form submissions stored in a database, emails routed through the server, or patient portal data. Most shared hosting plans from providers like GoDaddy, Bluehost, and Squarespace do not offer BAAs. You may need to upgrade to a HIPAA-eligible hosting tier or migrate to a provider that signs one.
Can I use Google Analytics on a HIPAA-covered website?
You can, but only if it does not capture PHI. That means no tracking of URLs that reveal health conditions, no form field data in events, and no page titles that identify patient visits. After OCR's 2022 bulletin on tracking technologies, practices must audit every analytics and tracking tool to ensure PHI is not being disclosed to third parties without a BAA.
Does HIPAA apply to my practice's social media pages?
HIPAA does not regulate the social media platform itself, but it regulates what your practice posts. If you share patient photos, testimonials with health details, or respond to patient comments in a way that confirms someone is a patient, you may be disclosing PHI. Staff should never discuss identifiable patient information on any social media channel.