
HIPAA Compliance for Small Practice Websites: What You Need to Know

By JustAddContent Team · 2026-07-13 · 12 min read

If you run a medical practice, dental office, therapy clinic, or any other healthcare business, your website is subject to HIPAA regulations. The Health Insurance Portability and Accountability Act governs how Protected Health Information (PHI) is handled, and that includes information transmitted through your website. Many small practice owners do not realize that a simple contact form, an appointment request page, or even a live chat widget can create HIPAA compliance obligations.

The consequences of non-compliance are serious. Fines range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. Beyond fines, a breach of patient information can destroy the trust that is the foundation of any healthcare practice.

This guide explains what HIPAA compliance means for your website specifically and walks you through the practical steps to get it right.

HIPAA Basics for Websites

HIPAA was enacted in 1996, long before most businesses had websites. But the law has been updated and interpreted to cover digital communications and data storage. The key rules that affect your website are:

The Privacy Rule establishes standards for when and how PHI can be used and disclosed. It gives patients rights over their health information, including the right to access it and request corrections.

The Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). For your website, this means encryption, access controls, and audit trails for any system that handles patient information.

The Breach Notification Rule requires you to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media if a breach of unsecured PHI occurs.

For a broader look at data privacy obligations that apply to all businesses (not just healthcare), see our guide on data privacy and compliance for small businesses.

What Counts as PHI Online

Protected Health Information is any individually identifiable health information. On your website, PHI can be created in ways you might not expect.

Obviously PHI:

  • Patient portal data (medical records, test results, prescriptions)
  • Appointment details submitted through online forms (patient name + reason for visit)
  • Billing information associated with healthcare services
  • Messages sent through a patient messaging system

Less obviously PHI:

  • A contact form submission where a patient describes their symptoms or condition
  • An appointment request that includes the patient's name and the type of visit
  • A live chat conversation where a patient asks about treatment for a specific condition
  • Email correspondence between your practice and a patient about their care
  • Reviews or testimonials that include specific health information (even if the patient shared it voluntarily)

The key principle: any information that can identify a specific person AND relates to their health condition, healthcare services, or payment for healthcare is PHI. When that information is transmitted or stored electronically through your website, it becomes ePHI and falls under the HIPAA Security Rule.

Contact Forms and HIPAA

This is where many small practices unknowingly create compliance problems. A standard contact form on your website (the kind built into most website builders or WordPress themes) is typically not HIPAA compliant.

Here is why: when a patient fills out a contact form and mentions a health concern, that submission contains PHI. If the form data is transmitted without encryption, stored on a non-compliant server, or sent to a regular email inbox without proper safeguards, you have a potential HIPAA violation.

How to make your contact forms HIPAA compliant:

  1. Use a HIPAA-compliant form provider. Not all form builders are created equal. Standard tools like Google Forms, Typeform, and basic WordPress contact form plugins are not HIPAA compliant. Instead, use form providers that offer Business Associate Agreements (BAAs) and HIPAA-compliant data handling. Options include JotForm (on its HIPAA compliance plan), Formstack, and Hushmail's secure web forms.

  2. Ensure SSL/TLS encryption. Your entire website should use HTTPS (SSL/TLS encryption), but it is especially critical for pages with forms. This encrypts data in transit between the patient's browser and your server. Most modern websites already have this, but verify that your SSL/TLS certificate is valid and has not expired, and that plain HTTP requests are redirected to HTTPS rather than the form being reachable over both.

  3. Limit what you ask for. Consider whether your contact form actually needs to collect health information. A simple form that asks for name, phone number, and "preferred appointment time" is much lower risk than one that asks patients to describe their symptoms. If you need detailed health information, collect it through your patient portal or during the appointment, not through a website form.

  4. Secure where submissions go. Form submissions should not be sent to a standard Gmail or Outlook inbox. Use a HIPAA-compliant email service or have submissions stored in a HIPAA-compliant system with access controls and audit logging.

  5. Add a privacy notice. Include a statement near the form that informs patients how their information will be used and stored. Something like: "The information you provide will be used to contact you about your inquiry. For sensitive health information, please contact us through our secure patient portal."
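Steps 2 through 4 above can be enforced in code on the server that receives the form. The following is an added example written for this article, not code from any form provider or website builder: a "minimum necessary" handler that accepts only fields which cannot carry health details, refuses submissions that did not arrive over HTTPS, and passes the cleaned record to a storage function rather than mailing it anywhere. The field names, validation patterns, and time-slot values are assumptions for the demo.

```javascript
// Added example, not from the article: a "minimum necessary" contact-form
// handler. It accepts only fields that cannot carry health details (name,
// phone, preferred appointment time), refuses submissions that did not arrive
// over HTTPS, and hands the cleaned record to a storage function instead of
// mailing it anywhere. Field names, patterns and the time-slot values are
// assumptions for this demo.

const FIELD_RULES = {
  name:           { pattern: /^[\p{L} .'-]{1,80}$/u,          required: true },
  phone:          { pattern: /^\+?[0-9(][0-9 ().-]{6,19}$/,    required: true },
  preferred_time: { pattern: /^(morning|afternoon|evening)$/, required: false },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns { ok: true, record } containing only the allowed fields, or
// { ok: false, errors }. Error messages name the offending field but never
// repeat its value, so unexpected health details are not copied into logs
// or error pages.
function validateContactSubmission(submission, isHttps) {
  const errors = [];
  if (!isHttps) errors.push('submission must arrive over HTTPS');

  // Any field outside the allowlist (e.g. "message" or "symptoms") is rejected
  // outright; we do not try to store "just the safe part" of a submission.
  for (const field of Object.keys(submission)) {
    if (!hasOwn(FIELD_RULES, field)) errors.push(`unexpected field "${field}" rejected`);
  }

  const record = {};
  for (const [field, rule] of Object.entries(FIELD_RULES)) {
    const raw = submission[field];
    const value = typeof raw === 'string' ? raw.trim() : '';
    if (value === '') {
      if (rule.required) errors.push(`missing required field "${field}"`);
      continue;
    }
    if (!rule.pattern.test(value)) {
      errors.push(`field "${field}" has an invalid format`);
      continue;
    }
    record[field] = value;
  }
  return errors.length > 0 ? { ok: false, errors } : { ok: true, record };
}

// Only a validated record reaches storage. "store" stands in for whatever
// HIPAA-compliant system (with a BAA, access controls and audit logging)
// the practice uses; nothing here sends e-mail.
function acceptSubmission(submission, isHttps, store) {
  const result = validateContactSubmission(submission, isHttps);
  if (result.ok) store(result.record);
  return result;
}
```

The `isHttps` flag would come from the web framework (for example a request's protocol or a trusted proxy header), and `store` from the compliant backend; both are left as parameters so the validation logic stays testable on its own.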

Business Associate Agreements (BAAs)

A Business Associate Agreement is a contract between your practice (the "covered entity") and any vendor that handles PHI on your behalf (the "business associate"). Under HIPAA, you must have a BAA in place with every vendor that has access to patient information.

For your website, this potentially includes:

  • Your web hosting provider. If patient information passes through or is stored on their servers, you need a BAA. Not all hosting providers offer BAAs. HIPAA-compliant hosting options include AWS (Amazon Web Services), Google Cloud, and specialized healthcare hosting providers like LiquidWeb and Atlantic.Net.

  • Your form provider. As mentioned above, any service that processes form submissions containing PHI must sign a BAA.

  • Your email service provider. If you receive PHI via email, your email provider must sign a BAA. Google Workspace and Microsoft 365 both offer BAAs for their business plans, but you must specifically request and execute them.

  • Your scheduling software. If patients book appointments online and provide health-related information during the process, the scheduling platform is a business associate.

  • Your analytics provider. This is a gray area. Standard Google Analytics does not typically process PHI, but if your website's URL structure or page titles reveal health information (for example, a URL like "/appointments/dermatology/acne-treatment"), there is a potential issue. Configure your analytics to avoid capturing PHI.

  • Your live chat provider. If patients share health information in chat conversations, the chat platform must be HIPAA compliant with a BAA in place.

If a vendor will not sign a BAA, you cannot use them for any function that involves PHI. Period.

Email Compliance

Email is one of the riskiest areas for HIPAA compliance because it is so commonly used and so easy to mishandle.

Standard email is not HIPAA compliant. Sending patient information through regular, unencrypted email violates HIPAA. This includes replying to patient inquiries about their health, sending appointment details that include visit reasons, and forwarding lab results or prescriptions.

Options for HIPAA-compliant email:

  • Encrypted email services. Platforms like Hushmail, Paubox, and Virtru offer email encryption designed for healthcare. Messages are encrypted in transit and at rest, and these services provide BAAs.

  • Patient portals for sensitive communication. The safest approach is to use your patient portal for all health-related communication and reserve email for general, non-PHI messages like appointment reminders that do not include visit details.

  • Google Workspace or Microsoft 365 with proper configuration. Both platforms offer BAAs and can be configured for HIPAA compliance, but out-of-the-box settings are not sufficient. You need to enable encryption, configure access controls, set up audit logging, and train staff on proper usage.

Patient consent for email. HIPAA allows you to communicate with patients via email if the patient has been informed of the risks and gives consent. Many practices include an email consent form as part of their new patient paperwork. However, even with consent, you should use encrypted email whenever possible and avoid including more PHI than necessary.

Hosting Requirements

Your website hosting environment matters for HIPAA compliance if any PHI passes through your website.

Requirements for HIPAA-compliant hosting:

  • Data encryption at rest and in transit
  • Access controls and authentication
  • Audit logging and monitoring
  • Regular backups with encrypted storage
  • Physical security of data centers
  • Willingness to sign a BAA

Shared hosting is generally not compliant. Most basic shared hosting plans do not meet HIPAA requirements because your data shares server space with other websites, and you have limited control over security configurations.

Dedicated or cloud hosting is preferred. A VPS (Virtual Private Server), dedicated server, or cloud hosting from a provider that offers HIPAA compliance gives you the control and security you need. AWS, Google Cloud Platform, and Microsoft Azure all offer HIPAA-eligible services and BAAs.

If your website only collects basic contact information (name, phone, email) and does not ask for or receive any health-related information, the hosting requirements are less stringent. But the moment your website handles any PHI, compliant hosting becomes necessary.

Patient Portal Security

If your practice offers a patient portal through your website, the security requirements are significant because portals handle large volumes of PHI.

Essential patient portal security measures:

  • Strong authentication. Require strong passwords and offer (or require) two-factor authentication. Patients should not be able to access their health records with only a simple password.
  • Session timeouts. Automatically log users out after a period of inactivity to prevent unauthorized access on shared or unattended devices.
  • Encryption everywhere. All data displayed in the portal and transmitted between the patient's browser and your servers must be encrypted.
  • Role-based access. Staff members should only have access to the patient information they need for their job. A receptionist does not need the same access as a physician.
  • Audit trails. Log every access to patient records, including who accessed what information and when. This is both a HIPAA requirement and a valuable tool for investigating potential breaches.
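Session timeouts, role-based access, and audit trails are usually provided by the portal product, but it helps to see how the three fit together. The following is an added example written for this article, not code from any portal or EHR vendor: a small in-memory access layer with an inactivity timeout, a role-to-record-type permission table, and an audit entry for every read attempt, allowed or denied. The roles, permissions, and 15-minute limit are assumptions for the demo; a real portal would persist sessions and the audit log rather than keeping them in memory.

```javascript
// Added example, not from the article: session timeout, role-based access
// and an audit trail in one access layer. Roles, permissions and the
// 15-minute inactivity limit are assumptions for this demo.

const INACTIVITY_LIMIT_MS = 15 * 60 * 1000;

// Which record types each role may read. A receptionist sees scheduling data
// only; clinical records are limited to clinicians and the patient themself.
const ROLE_PERMISSIONS = {
  receptionist: new Set(['appointment']),
  nurse:        new Set(['appointment', 'medication']),
  physician:    new Set(['appointment', 'medication', 'lab_result', 'note']),
  patient:      new Set(['appointment', 'medication', 'lab_result']),
};

// In-memory audit trail: who, what, when, and the outcome. Record contents
// are deliberately not copied into the log.
const auditLog = [];

function createSession(userId, role, now) {
  return { userId, role, lastActivity: now };
}

// A patient may only read their own records; staff may read any patient's
// records of the types their role allows.
function isAuthorized(session, record) {
  const allowed = ROLE_PERMISSIONS[session.role] || new Set();
  if (!allowed.has(record.type)) return false;
  if (session.role === 'patient' && record.patientId !== session.userId) return false;
  return true;
}

// Single entry point for reads so the audit trail is complete. Returns the
// record on success, or null after logging the reason for the denial.
function readRecord(session, record, now) {
  let outcome;
  if (now - session.lastActivity > INACTIVITY_LIMIT_MS) {
    outcome = 'denied:session_expired';
  } else if (!isAuthorized(session, record)) {
    outcome = 'denied:not_authorized';
  } else {
    outcome = 'allowed';
    session.lastActivity = now; // activity extends the session
  }
  auditLog.push({
    at: new Date(now).toISOString(),
    userId: session.userId,
    role: session.role,
    patientId: record.patientId,
    recordType: record.type,
    recordId: record.id,
    outcome,
  });
  return outcome === 'allowed' ? record : null;
}
```

Denied attempts are logged with the same detail as successful ones; a run of `denied:not_authorized` entries from one account is exactly the signal an investigation needs.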

Most practices use a third-party patient portal that integrates with their EHR system (like athenahealth, DrChrono, or SimplePractice). These platforms handle the security infrastructure, but you are still responsible for ensuring they are properly configured and that a BAA is in place.

Common Violations to Avoid

These are the HIPAA website violations that small practices most commonly commit:

Using non-compliant contact forms. As discussed, standard form plugins that send submissions to regular email without encryption are a common violation.

Patient testimonials with health details. Posting a patient review that says "Dr. Smith cured my chronic back pain" on your website, even if the patient wrote it themselves, can be a violation if you did not obtain a proper HIPAA authorization (which is different from general marketing consent).

Unsecured appointment request forms. Forms that ask patients to describe their health concerns alongside their name and contact information create PHI that must be protected.

Tracking pixels and analytics that capture PHI. If your website URLs contain health-related information and you are using standard analytics tools without proper configuration, you may be inadvertently sharing PHI with third parties. This became a major enforcement focus after the FTC and OCR cracked down on healthcare organizations using Meta Pixel and Google Analytics without proper safeguards.
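The analytics concern raised in the BAA section above, here, and in the action plan's analytics review step comes down to what the tag is allowed to see. The following is an added example written for this article, not code from Google Analytics, Meta, or any tag vendor: browser-side functions that strip health-revealing segments from the page path and title before they are handed to a tracking tag. The route layout (/appointments/specialty/service) and the list of sensitive sections are assumptions for the demo.

```javascript
// Added example, not from the article: sanitise the page path and title
// before an analytics or advertising tag sees them. The route layout and the
// list of sensitive sections are assumptions for this demo.

const SENSITIVE_PREFIXES = ['/appointments/', '/conditions/', '/treatments/', '/portal/'];

// Keep only the section name under a sensitive prefix and replace the rest
// with a fixed token, so /appointments/dermatology/acne-treatment becomes
// /appointments/[redacted]. Query strings and fragments are dropped entirely,
// since booking tools and portals often put names or record ids there.
function sanitizePath(rawPath) {
  const path = rawPath.split(/[?#]/)[0];
  for (const prefix of SENSITIVE_PREFIXES) {
    if (path.startsWith(prefix)) return prefix + '[redacted]';
  }
  return path;
}

// Titles such as "Acne treatment | Smith Dermatology" leak the same
// information; send only the site name for sensitive sections.
function sanitizeTitle(rawPath, rawTitle, siteName) {
  const path = rawPath.split(/[?#]/)[0];
  const sensitive = SENSITIVE_PREFIXES.some((p) => path.startsWith(p));
  return sensitive ? siteName : rawTitle;
}

// Build the page-view payload the tag is allowed to see. In a real page this
// object, not location.href and document.title, is what gets passed to the
// tag's page-view call.
function buildPageView(location, title, siteName) {
  return {
    page_path: sanitizePath(location.pathname + location.search + location.hash),
    page_title: sanitizeTitle(location.pathname, title, siteName),
  };
}
```

Sanitising what the tag receives only helps if the tag is configured to use these values; the simpler option for portal pages is to not load third-party tags there at all.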

Staff accessing patient information on unsecured devices. If your staff checks patient portal messages or form submissions on personal devices without proper security measures, this is a violation.

Lack of a website privacy policy. HIPAA requires that you provide a Notice of Privacy Practices. Your website should include this notice and make it easily accessible. This is separate from your general website privacy policy, though many practices combine them.

Your Action Plan

Getting your medical practice website HIPAA compliant does not have to be overwhelming. Here is a prioritized approach:

  1. Audit your current website. Identify every point where patient information could be submitted or transmitted. This includes contact forms, appointment forms, chat widgets, and email links.

  2. Secure or remove non-compliant forms. Either switch to a HIPAA-compliant form provider with a BAA, or redesign your forms to avoid collecting PHI (direct patients to call or use the patient portal for health-related inquiries).

  3. Verify your hosting. Contact your hosting provider and ask if they offer HIPAA-compliant hosting and a BAA. If they do not, plan to migrate to a provider that does.

  4. Execute BAAs with all vendors. Create a list of every vendor that touches patient data through your website and ensure a BAA is in place with each one.

  5. Review your analytics configuration. Ensure that no PHI is being captured or transmitted to third-party analytics or advertising platforms.

  6. Add or update your privacy notice. Make sure your Notice of Privacy Practices is current and accessible on your website.

  7. Train your team. Every staff member who interacts with patient information through your website needs to understand HIPAA requirements and your practice's specific policies.
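Step 1 of the plan, the audit, can be started with a script that reads each page of the site and lists the places patient information could enter. The following is an added example written for this article, not a tool from any vendor: it scans a page's HTML for forms (noting which contain free-text fields), mailto: links, and known third-party chat or tracking scripts. It uses regular expressions rather than a full HTML parser, so it is a triage aid and not a complete audit. The sample page and the list of third-party script hosts are constructed for the demo.

```javascript
// Added example, not from the article: a triage scan of one page's HTML for
// the points where patient information could be submitted or shared. Regex
// based, so treat its output as a starting list to verify by hand. The sample
// page and the host list below are constructed for this demo.

const THIRD_PARTY_SCRIPT_HOSTS = [
  'widget.intercom.io', 'js.hs-scripts.com', 'embed.tawk.to',
  'www.googletagmanager.com', 'connect.facebook.net',
];

// Field names that usually invite free text, and therefore health details.
const FREE_TEXT_NAMES = /name\s*=\s*["'](message|comments?|symptoms?|reason|notes?)["']/i;

function scanPageHtml(html) {
  const findings = [];
  let m;

  // Forms: where does each one post, and can the patient type free text?
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  while ((m = formRe.exec(html)) !== null) {
    const actionMatch = m[1].match(/action\s*=\s*["']([^"']*)["']/i);
    const action = actionMatch ? actionMatch[1] : '(none)';
    const freeText = /<textarea\b/i.test(m[2]) || FREE_TEXT_NAMES.test(m[2]);
    findings.push({ kind: 'form', target: action, freeText });
  }

  // mailto: links send whatever the patient writes to a plain mailbox.
  const mailRe = /href\s*=\s*["']mailto:([^"'?]+)/gi;
  while ((m = mailRe.exec(html)) !== null) {
    findings.push({ kind: 'mailto', target: m[1], freeText: true });
  }

  // Third-party scripts: chat widgets and tag loaders that can see page content.
  const scriptRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    let host;
    try { host = new URL(m[1], 'https://example.invalid').host; } catch { continue; }
    if (THIRD_PARTY_SCRIPT_HOSTS.includes(host)) {
      findings.push({ kind: 'third_party_script', target: host, freeText: false });
    }
  }
  return findings;
}

// Constructed sample page: one builder-style form with a message box, one
// form posting to a (hypothetical) compliant vendor, a mailto link, a tag
// manager and a chat widget.
const SAMPLE_PAGE = `
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="/assets/site.js"></script>
</head><body>
<form action="/contact" method="post">
  <input type="text" name="name"><input type="tel" name="phone">
  <textarea name="message"></textarea>
</form>
<form action="https://forms.example-hipaa-vendor.invalid/submit" method="post">
  <input type="text" name="name"><select name="preferred_time"></select>
</form>
<p>Or email <a href="mailto:frontdesk@example-practice.invalid">the front desk</a>.</p>
<script src="https://embed.tawk.to/placeholder/default"></script>
</body></html>`;

for (const f of scanPageHtml(SAMPLE_PAGE)) {
  console.log(`${f.kind.padEnd(19)} ${f.target}${f.freeText ? '  (free text)' : ''}`);
}
```

Run it over every page of the site (or the saved HTML of each template) and the result is the inventory the rest of the plan works from: each form and mailto: link needs either a compliant destination and a BAA or a redesign, and each third-party script needs either a BAA or confirmation that it never sees PHI.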

HIPAA compliance for your website is not optional, and it is not something you can set and forget. Regulations evolve, technology changes, and new vulnerabilities emerge. Make website compliance part of your regular HIPAA review process, and you will protect both your patients and your practice.
