
Healthcare Website HIPAA Compliance: What You Actually Need to Know

By Waleed Faruki


HIPAA compliance for websites is surrounded by confusion and fear. Some healthcare providers avoid having a website entirely because they are terrified of violations. Others have websites that are clearly non-compliant because they did not know the rules applied to them.

The truth is somewhere in the middle. Your healthcare website does need to meet certain standards, but it is not as complicated as the compliance consultants want you to believe.

Does HIPAA Apply to Your Website?

HIPAA applies to your practice if you are a covered entity (a provider that bills electronically, a health plan, or a clearinghouse) or a business associate of one, and it reaches your website as soon as the site collects, transmits, or stores protected health information (PHI). PHI is any individually identifiable health information you create or receive: a fact about someone's health, care, or payment for care, tied to an identifier such as a name, email address, phone number, IP address, or record number. Examples:

  • Patient names, email addresses, or phone numbers combined with health information
  • Medical record numbers and account numbers
  • Health conditions or diagnoses tied to a person
  • Treatment information
  • Insurance information
  • Appointment details that include health-related context (the specialty you practise can be that context by itself)

If your website has any of the following, HIPAA applies:

  • Contact forms where patients describe symptoms or conditions
  • Online appointment request forms
  • Patient portal access
  • Online bill pay
  • Prescription refill requests
  • Telehealth integration
  • Patient intake forms

If your website is purely informational, with no forms, no portal, and no data collection beyond basic contact details (name, phone, email with no health context), HIPAA requirements are minimal. Be honest about "no health context", though: an appointment request sent to an oncology or fertility practice says something about the sender's health even if the form never asks about symptoms. Most modern healthcare websites go beyond the purely informational anyway.

The Three Key Requirements

1. Encryption in Transit (TLS, still widely called SSL)

Every page on your website must use HTTPS. This encrypts data as it moves between the patient's browser and your server. This is not optional and it is not just for forms: the entire site must be encrypted, because a single plain-HTTP page lets anyone on the same network read or rewrite it.

How to check: Look at your URL bar. If there is a padlock icon and the URL starts with "https://", that page is encrypted. If it says "Not Secure" or starts with "http://", you have a problem. The padlock is only the first check. Also type your address with "http://" in front and confirm the server redirects you to "https://" instead of serving the page in the clear, and have whoever manages the server confirm that it sends a Strict-Transport-Security (HSTS) header, so browsers stop trying plain HTTP at all, and that TLS 1.0 and 1.1 are disabled.

How to fix: Install a TLS certificate, redirect every HTTP request to HTTPS, and enable HSTS. Most modern hosting providers include certificates for free (Let's Encrypt issues them at no cost). If your host charges extra for SSL in 2026, switch hosts.

2. Encryption at Rest

Any PHI stored on your server must be encrypted. This includes form submissions saved to a database, uploaded documents, and patient records. The Security Rule technically lists encryption as an "addressable" specification, which means you must either implement it or document why an equivalent control is adequate. In practice it is an easy decision: PHI encrypted to the standard in HHS guidance is not "unsecured" PHI, so losing an encrypted backup or disk is not a reportable breach.

What this means practically:

  • Your hosting provider must offer encrypted storage, and you must know where the keys live (an encrypted volume protects against a lost disk, not against an attacker who has compromised the application)
  • Database backups must be encrypted, and the backup key must not be stored next to the backups
  • If you use a CMS like WordPress, any plugin that stores patient data must encrypt it; a plugin that writes submissions to the database in clear text does not qualify
  • For form data, encrypt each submission in the application before it reaches the database, with the key held in a secrets manager or KMS rather than in the code or a config file

3. Access Controls

Only authorized personnel should be able to access PHI collected through your website. This means:

  • Strong passwords and multi-factor authentication for admin access, with individual accounts rather than a shared login, because an audit log is worthless if everyone is "admin"
  • Role-based access following the minimum-necessary rule (not everyone on your team needs access to patient form submissions; marketing staff, in particular, should not have it)
  • Audit logs showing who accessed what data and when, recorded for every read of a submission and not only for logins, so you can answer "who saw this record" after an incident
  • Automatic session timeouts, so a workstation left unattended at the front desk does not stay signed in
  • Prompt removal of access when staff leave or change roles

Where Most Healthcare Websites Fail

Contact Forms

A standard contact form that emails its submissions is not HIPAA-compliant. Why? Because ordinary email is encrypted only hop by hop and only when each mail server happens to support it, it sits in clear text in every inbox and on every server it passes through, and those servers usually belong to vendors with no Business Associate Agreement (BAA) in place.

The fix: Use a form provider that offers a BAA (JotForm HIPAA, Formstack, or a custom-built encrypted form system), and have it notify staff that a submission exists while the content itself stays behind authentication. Or, design your contact form to explicitly avoid collecting PHI: "Describe your inquiry" instead of "Describe your symptoms". Accept that a free-text field will sometimes receive PHI anyway, which is why the submissions still need secure handling.

Email

If a patient sends health information through your contact form and it lands in your inbox as email, that email is PHI. Standard Gmail, Outlook, or your hosting provider's email is not HIPAA-compliant unless you have the right plan and a BAA.

The fix: Use a HIPAA-compliant email service (Google Workspace with BAA, Microsoft 365 with BAA, or Paubox for encrypted email). Route form submissions to a secure system, not an unencrypted inbox.

Analytics and Tracking

This is the one most healthcare websites miss entirely. Google Analytics, Meta Pixel, and other tracking tools collect data about website visitors and send it to the vendor. If a patient visits your "Diabetes Treatment" page, the page URL combined with their IP address, cookie identifiers, or a logged-in social media account can identify a person and suggest a condition. HHS's Office for Civil Rights has said in its guidance on online tracking technologies that a tracking vendor receiving such data is a business associate. A federal court vacated part of that guidance in 2024, but the underlying rule is unchanged: a vendor that receives PHI needs a BAA, and Google does not offer one for Google Analytics, nor does Meta for the Pixel.

The fix: Keep tracking pixels off condition-specific pages and off anything behind a login, including the patient portal and appointment flows. Use privacy-focused analytics (Plausible, Fathom) that do not collect personal data, and ask even those vendors whether they will sign a BAA. Do not rely on "IP anonymization" as a fix: GA4 truncates IP addresses by default and is still not covered by a BAA. If a marketing tracker is unavoidable, load it only after the visitor consents and only on pages with no health context.

Third-Party Widgets

Live chat widgets, scheduling tools, review platforms — every third-party tool on your website that could come into contact with PHI needs a BAA from that vendor.

Questions to ask vendors:

  • Do you offer a BAA, and which of your products does it cover?
  • Where is data stored, and is it encrypted in transit and at rest?
  • Who has access to the data, including your sub-processors, and do they have BAAs with you?
  • How quickly will you notify us of a security incident?
  • What happens to the data if we cancel the service, and can you confirm deletion in writing?

Business Associate Agreements (BAAs)

A BAA is a contract between your practice (the covered entity) and any third party that handles PHI on your behalf (the business associate). You need BAAs with:

  • Your web hosting provider
  • Your website developer (if they have access to systems that store PHI)
  • Your email provider
  • Any form or scheduling tool that collects patient data
  • Your analytics provider (if applicable)

No BAA = no compliance. Even if a vendor's technology is secure, sharing PHI with a vendor that has not signed a BAA is itself a violation, and a breach on their side is your breach to report.

Most major providers offer BAAs: AWS (accepted through AWS Artifact), Google Cloud and Google Workspace (accepted in the admin console), Microsoft Azure and Microsoft 365 (included in Microsoft's standard terms), and many SaaS tools on their healthcare or enterprise tiers. You just need to request or accept them, and keep a copy on file. Read which services the BAA covers: Google's, for example, covers Cloud and Workspace but not Google Analytics. EU hosts such as Hetzner will sign a GDPR data processing agreement, which is not a BAA, so get written confirmation before putting PHI there.

What a HIPAA-Compliant Healthcare Website Looks Like

Here is the practical setup for a compliant healthcare website:

  1. HTTPS everywhere with a valid TLS certificate, HTTP redirected to HTTPS, and HSTS enabled
  2. HIPAA-compliant hosting with a signed BAA (AWS, Google Cloud, or a healthcare-specific host)
  3. Encrypted forms that route to a secure system, with staff notified by an email that contains no PHI rather than by the submission itself
  4. Patient portal through a certified EHR system (Epic MyChart, Athenahealth, etc.)
  5. BAAs in place with every vendor that touches patient data, kept on file
  6. Privacy policy clearly stating how patient data is collected, used, and protected
  7. Access controls with MFA, individual accounts, role-based permissions, and audit logs
  8. Privacy-focused analytics that do not inadvertently collect PHI, and no marketing pixels on condition pages or behind login
  9. A written risk analysis and the policies behind the controls above; the Security Rule requires the documentation, not only the technology

The Cost of Non-Compliance

HIPAA violations are not theoretical. The penalty tiers as originally set by the HITECH Act and the 2013 Omnibus Rule are:

  • Tier 1 (unknowing): $100-$50,000 per violation
  • Tier 2 (reasonable cause): $1,000-$50,000 per violation
  • Tier 3 (willful neglect, corrected): $10,000-$50,000 per violation
  • Tier 4 (willful neglect, not corrected): $50,000 per violation
  • Annual maximum: $1.5 million per violation category

HHS adjusts these amounts for inflation every year, so the current per-violation maximums are well above $50,000 and the annual cap above $2 million; since 2019 HHS has also applied lower annual caps to tiers 1 through 3 as a matter of enforcement discretion. "Per violation" matters: OCR can count each affected individual, or each day a failure continues, as a separate violation, and a breach adds notification costs, state attorney general actions, and corrective action plans on top of the fine.

Beyond fines, a data breach destroys patient trust. In healthcare, reputation is everything.

Moving Forward

HIPAA compliance is not a reason to avoid having a modern website. It is a reason to build it right from the start. The requirements are straightforward when you work with a developer who understands healthcare.

At North Shore Labs, we build healthcare websites with compliance built into the foundation — not bolted on as an afterthought. Every hosting decision, form system, and third-party integration is vetted for HIPAA compliance before it touches your site. Schedule a consultation to discuss your practice's needs.
