HIPAA Compliant Website Checklist: What Every Therapist Must Know

HIPAA compliance for a website is one of those things that sounds more complicated than it actually is. What I tell therapists is: you do not need to become a security expert. You just need to follow a specific checklist, and most of it is handled by choosing the right tools.

Many therapists believe HIPAA compliance is only relevant for their practice management software. This is incorrect. Your website itself must meet HIPAA requirements if it has a contact form or connects to systems that handle PHI.

This checklist covers every element of a HIPAA compliant therapy website. Use it as a reference when building your site or auditing your existing one. Non-compliance can result in significant financial penalties. At the highest tier of culpability, HIPAA fines can reach up to $1.9 million per violation category per year (inflation-adjusted figures from 2023 onward). Lower tiers carry smaller fines, but the exposure is substantially higher than older published figures suggest.


The HIPAA Compliance Framework for Websites

HIPAA compliance for websites rests on three pillars: technical safeguards, administrative safeguards, and physical safeguards. For website purposes, technical safeguards are the most relevant. These include access controls, encryption, audit controls, and integrity controls.

Not every website needs the same level of compliance. A website that only displays information and does not collect any data has minimal HIPAA obligations. A website with contact forms, client portals, or appointment booking features must implement full technical safeguards.

| Website Feature | HIPAA Risk Level | Required Safeguards |
|---|---|---|
| Informational pages only | Low | Standard SSL certificate, privacy policy |
| Contact form (name + email + message) | Medium | SSL, secure form processing (not email), privacy policy, BAA with host |
| Appointment booking | Medium-High | SSL, encrypted form, BAA, access controls, audit logs |
| Client portal (access to PHI) | High | Full HIPAA compliance: encryption, 2FA, audit trails, access controls, BAA |
| Blog / educational content | Low | Standard SSL, no PHI in comments or content |

SSL Certificate: The Minimum Requirement

Every website, regardless of its function, should have an SSL certificate. SSL (Secure Sockets Layer; today's certificates are actually used with its successor protocol, TLS, but the older name has stuck) encrypts data in transit between the visitor’s browser and your web server. Without it, any data sent through your website can be intercepted by third parties.

An SSL certificate is visible in the browser as a padlock icon next to your URL. If your website URL starts with “https://” instead of “http://,” you have an SSL certificate. Most modern web hosting providers include free SSL certificates through Let’s Encrypt.

SSL is the absolute minimum security measure for a therapy website. If you have a contact form without SSL, any information a potential client submits through that form is transmitted in plain text and can be read by anyone who intercepts the connection.

Contact Forms: Secure Processing Is Essential

The contact form is the most common HIPAA vulnerability on therapy websites. Many therapists configure their contact form to send submissions via standard email (SMTP without encryption). This means client information is transmitted in plain text through your email server.

The correct approach is to use a form processing service that encrypts form submissions end-to-end. Services like FormSubmit, JotForm, or a HIPAA-compliant form plugin encrypt the data before it enters your email system; as with your hosting provider, the form service itself must sign a BAA if it will handle PHI. Alternatively, use the secure messaging feature in your practice management software instead of a website contact form.

Your contact form should include a clear disclaimer: “Do not include confidential or sensitive information in this form. This form is not a secure method of communication. For urgent matters, please call [your phone number].” This disclaimer reduces risk, but note that if a client shares PHI despite the disclaimer, that information has still been collected and is subject to HIPAA obligations. The disclaimer does not eliminate your responsibility if PHI is disclosed. The safest approach is to use a HIPAA-compliant form processor from the start, so even if a client shares sensitive information, it is properly protected.

Web Hosting and Business Associate Agreements

Your web hosting provider must sign a Business Associate Agreement (BAA) if your website collects or processes PHI. A BAA is a contract that establishes the hosting provider’s responsibilities for protecting PHI under HIPAA.

Not all web hosting providers offer BAAs. Standard shared hosting plans typically do not include HIPAA compliance. You need a hosting provider that specifically offers HIPAA-compliant hosting. Providers like WP Engine (HIPAA plan), Kinsta (with BAA add-on), or dedicated HIPAA hosting services meet this requirement.

If you use a website builder like Squarespace, Wix, or Shopify, review their HIPAA compliance documentation carefully. Most website builders do not sign BAAs and explicitly state that their platforms are not HIPAA compliant. In that case, your website should not collect any PHI, including through contact forms.


Privacy Policy: Legal Requirements

Your website must have a privacy policy that clearly explains how you collect, use, store, and protect visitor information. This is required by various privacy laws including HIPAA’s Privacy Rule, and potentially GDPR (if you serve European clients) or CCPA (if you serve California residents).

Your privacy policy should include: what information you collect (name, email, phone number, etc.), how you collect it (contact forms, cookies, analytics), how you use the information (responding to inquiries, marketing), how you store and protect the information, whether you share information with third parties, and how visitors can request deletion of their data.

A HIPAA-specific notice of privacy practices should be provided when a therapeutic relationship is established. This is separate from your website privacy policy. The website privacy policy covers general data collection, while the HIPAA notice covers PHI handling in the therapeutic context.

Cookie Consent and Analytics

Many therapy websites use analytics tools like Google Analytics to track visitor behavior. Google Analytics collects IP addresses, pages visited, time on site, and referral sources. While this data is not typically PHI, it can become PHI if you can identify individual visitors through the analytics data.

Configure your analytics to anonymize IP addresses. This reduces privacy risk while still providing useful aggregate data. Some therapists use privacy-focused analytics alternatives like Fathom, Plausible, or Umami, which do not collect personal data at all.
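As an added illustration (not code from the original article), the truncation that analytics "IP anonymization" settings apply can be reproduced for any raw web-server logs you keep yourself: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are zeroed, so the stored value identifies a network, not a visitor. The log lines are constructed samples.

```python
import ipaddress

def anonymize_ip(addr: str) -> str:
    """Keep the network part of an address and zero the host part.
    IPv4: last octet -> 0 (203.0.113.57 -> 203.0.113.0)
    IPv6: last 80 bits -> 0 (keeps the /48 site prefix)"""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

# Constructed sample access-log lines (not real traffic); the client IP is
# the first space-separated field, as in the common Apache/nginx format.
SAMPLE_LOG = [
    '203.0.113.57 - - [10/Jan/2025:14:02:11 +0000] "GET /contact HTTP/1.1" 200 5120',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Jan/2025:14:03:40 +0000] '
    '"GET /blog/anxiety HTTP/1.1" 200 8800',
]

def anonymize_log_line(line: str) -> str:
    """Rewrite the client-IP field of one access-log line before it is
    stored or handed to an analytics pipeline."""
    ip, rest = line.split(" ", 1)
    return f"{anonymize_ip(ip)} {rest}"

def anonymize_log(lines):
    return [anonymize_log_line(line) for line in lines]

if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```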

If you use cookies for analytics, marketing, or any functionality beyond essential site operations, you need a cookie consent banner. This banner informs visitors about cookie usage and allows them to opt out of non-essential cookies. Cookie consent is required under GDPR and some US state laws.

Client Portal Security

If your website includes a client portal where clients can access appointment details, invoices, or clinical documents, you need advanced security measures. The portal must require authentication, preferably with two-factor authentication (2FA) as an option.

Session timeouts should automatically log out inactive users after 15-30 minutes (this is a widely recommended security best practice, though HIPAA does not specify an exact timeout interval — choose a timeframe that balances security with usability). Access must be logged with timestamps, IP addresses, and actions taken. These audit logs must be retained for at least six years per HIPAA requirements.
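The idle-timeout and audit-logging rules above, written out as an added example (not the article's or any portal vendor's code): every portal request first passes through the timeout check, every outcome is recorded with timestamp, client IP and action, and entries younger than the six-year retention period are never eligible for purging. The 15-minute limit and the session values are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=15)        # hypothetical policy value from the 15-30 min range
AUDIT_RETENTION = timedelta(days=6 * 365)   # article: audit logs kept at least six years

@dataclass
class Session:
    user_id: str
    client_ip: str
    last_activity: datetime

@dataclass
class AuditLog:
    """Append-only record of who did what, from where, and when."""
    entries: list = field(default_factory=list)

    def record(self, when: datetime, user_id: str, client_ip: str, action: str) -> None:
        self.entries.append({"ts": when.isoformat(), "user": user_id,
                             "ip": client_ip, "action": action})

    def purge_eligible(self, now: datetime) -> list:
        """Entries older than the retention period; anything newer must stay."""
        cutoff = now - AUDIT_RETENTION
        return [e for e in self.entries if datetime.fromisoformat(e["ts"]) < cutoff]

def authorize_request(session: Session, audit: AuditLog, now: datetime, action: str) -> bool:
    """Enforce the idle timeout before serving a portal request. Refreshes the
    session and returns True if it is live; logs an automatic logout and
    returns False if the idle limit was exceeded."""
    idle = now - session.last_activity
    if idle > IDLE_TIMEOUT:
        minutes = int(idle.total_seconds() // 60)
        audit.record(now, session.user_id, session.client_ip,
                     f"auto-logout after {minutes} min idle; denied '{action}'")
        return False
    session.last_activity = now
    audit.record(now, session.user_id, session.client_ip, action)
    return True

def run_demo():
    """Constructed scenario: one request at 10 min idle, one at 20 min idle."""
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    session = Session("client-42", "203.0.113.9", t0)
    audit = AuditLog()
    first = authorize_request(session, audit, t0 + timedelta(minutes=10), "view invoice")
    second = authorize_request(session, audit, t0 + timedelta(minutes=30), "download note")
    stale = audit.purge_eligible(t0 + timedelta(days=7 * 365))
    return first, second, audit.entries, stale
```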

Most practice management platforms (SimplePractice, TherapyNotes, TheraNest) provide HIPAA compliant client portals as part of their service. If you embed a client portal on your website, ensure the embedding process does not create security vulnerabilities.

| Security Feature | Required For | Implementation |
|---|---|---|
| SSL / HTTPS | All websites | Free via Let’s Encrypt or hosting provider |
| BAA with hosting provider | Websites collecting PHI | Request from your hosting provider |
| Encrypted form processing | Contact forms | Use HIPAA-compliant form service |
| Privacy policy | All websites | Custom policy on separate page |
| Cookie consent | Cookies used for tracking | Cookie consent plugin or banner |
| 2-factor authentication | Client portals | Via practice management platform |
| Session timeout | Client portals | 15-30 minute auto-logout |

Third-Party Plugins and Services

Every third-party service integrated with your website creates a potential HIPAA exposure point. This includes contact form plugins, analytics tools, live chat widgets, appointment booking systems, and newsletter signup forms.

Review each third-party service for HIPAA compliance. Does the service offer a BAA? Does it encrypt data in transit and at rest? Does it store data on US-based servers? If the answer to any of these questions is no, that service should not collect any PHI from your website visitors.

Live chat widgets are particularly risky. Many live chat services record conversations and store them on their servers. If a client shares PHI through a live chat, that information is stored on a third-party server that may not be HIPAA compliant. Use live chat with caution or avoid it entirely on therapy websites.


Blog and Content HIPAA Considerations

Your blog content must not contain PHI, even if de-identified. De-identification under HIPAA requires removing 18 specific identifiers, and even then, the risk of re-identification must be very low. The safest approach is to never use client information in your blog content.

Write blog posts about therapeutic concepts, techniques, and general mental health information. Use hypothetical examples that are clearly fictional. If you want to illustrate a point with a case-like example, make it generic enough that no person could be identified and clearly state it is a composite example.

Blog comments are another potential HIPAA concern. If a client posts a comment that contains PHI, you need to remove that comment promptly. Enable comment moderation so you can review comments before they appear publicly.

Email Communications from Your Website

When a potential client contacts you through your website form, the response email is subject to HIPAA rules if it contains PHI. Use encrypted email for responses that contain any client information. Many email providers offer TLS encryption (which protects the message in transit between mail servers) as a standard feature. For higher security, use a HIPAA-compliant email service like Hushmail, LuxSci, or Virtru (note: these services also require a signed BAA to be fully compliant; confirm this during setup).

Include a confidentiality notice in your email signature. This notice should state that the email contains confidential information and should not be shared. While confidentiality notices have limited legal force, they establish your intent to protect privacy and put recipients on notice.

Regular Security Audits

HIPAA compliance is not a one-time setup. It requires ongoing monitoring and regular audits. Schedule a quarterly review of your website security: check that your SSL certificate is valid and not expiring, review your privacy policy for accuracy, test your contact form for data handling, review third-party services for continued compliance, and check that your hosting provider’s BAA is current.
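The certificate check from the quarterly review, as an added example (not the article's own tooling): `fetch_not_after` opens a validating TLS connection to your site and reads the certificate's expiry, and `certificate_status` turns that into OK / EXPIRING / EXPIRED with a warning window. The 30-day window and the hostname used in the `__main__` block are assumptions; the date strings in the comments are constructed.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

# The ssl module reports expiry as a string like 'Jan  5 12:00:00 2026 GMT'.
_NOT_AFTER_FORMAT = "%b %d %H:%M:%S %Y %Z"

def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days until the certificate's notAfter; negative once expired."""
    expiry = datetime.strptime(not_after, _NOT_AFTER_FORMAT).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days

def certificate_status(not_after: str, now: Optional[datetime] = None,
                       warn_days: int = 30) -> str:
    """Classify for the audit record: EXPIRED, EXPIRING (inside the warning
    window, hypothetical default 30 days), or OK."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"

def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Connect with a default (chain- and hostname-validating) context and
    return the leaf certificate's notAfter string. A broken chain or a
    hostname mismatch raises ssl.SSLError, which is itself an audit finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed placeholder
    try:
        not_after = fetch_not_after(host)
        print(f"{host}: {certificate_status(not_after)} "
              f"({days_until_expiry(not_after)} days left, expires {not_after})")
    except (ssl.SSLError, OSError) as exc:
        print(f"{host}: CHECK FAILED: {exc}")
```

Record the printed line in your quarterly review documentation alongside the date the check was run.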

Document all security reviews. HIPAA requires documentation of compliance efforts. If you ever face a HIPAA audit or investigation, your documentation is your primary defense.

Common HIPAA Website Mistakes

Review this list of common mistakes and address any that apply to your website.

  • Contact form sends submissions via unencrypted email
  • No SSL certificate or expired SSL certificate
  • Privacy policy missing or outdated
  • Website hosted on a platform that will not sign a BAA
  • Google Analytics collecting full IP addresses without anonymization
  • Live chat widget that records conversations
  • Client portal without session timeout or 2FA
  • Blog posts containing identifiable client information
  • Email responses to client inquiries sent without encryption
  • No cookie consent banner when tracking cookies are used
  • Third-party plugins with unknown data handling practices
  • Screenshots or photos of client communications shared on the website

HIPAA Compliance and Your SEO Strategy

HIPAA compliance does not conflict with your SEO goals. A well-secured website with SSL, a clear privacy policy, and good user experience actually supports your search rankings. Google prioritizes secure websites in search results.

For more on how website quality affects your search presence, see the guide on E-E-A-T for therapists. Security and trustworthiness are explicit factors in Google’s quality evaluation of your website.

A HIPAA compliant website also supports your technical SEO by ensuring your site is properly configured, secure, and performs well. Security and SEO go hand in hand when done correctly.
