HIPAA basics for websites handling health info
What HIPAA means for your website if you work in healthcare or collect health-related information, and the technical safeguards we implement.
HIPAA — the Health Insurance Portability and Accountability Act — is a US federal law that protects the privacy and security of health information. If your business is a healthcare provider, health plan, healthcare clearinghouse, or a business associate of one, HIPAA affects how your website is built and operated.
Many healthcare-adjacent businesses underestimate how much HIPAA touches their online presence. A contact form asking about conditions, an online appointment booking system, a patient portal — all of these can bring HIPAA requirements into scope.
This is not legal advice
Chykalophia is a design and web agency, not a law firm. This article explains HIPAA concepts as they relate to website design and development, and describes best practices we follow. It is not legal advice. HIPAA is complex, and enforcement can be severe. Please consult a qualified healthcare attorney or compliance specialist to confirm your obligations and develop a complete compliance program.
Quick summary
HIPAA protects Protected Health Information (PHI) — data that can connect a person to their health condition or care. If your website collects, stores, or transmits PHI, you need technical safeguards including encrypted storage and transmission, access controls, and audit logs. Standard website contact forms and analytics tools are generally not HIPAA-compliant. We can help you implement a HIPAA-aligned website architecture, but you will also need legal counsel, internal policies, and Business Associate Agreements with your vendors.
What HIPAA protects
HIPAA protects Protected Health Information, or PHI. PHI is any information that:
- Relates to a person's past, present, or future physical or mental health condition, healthcare services, or payment for healthcare
- Can be used to identify the individual
PHI includes names, addresses, dates (including birthdates and treatment dates), phone numbers, email addresses, Social Security numbers, account numbers, URLs, and any other data that could identify a person — when combined with health information.
Electronic PHI (ePHI) is PHI stored or transmitted digitally, and it is what matters most for websites.
Who HIPAA applies to
HIPAA applies to two main categories:
Covered Entities — organizations that directly handle PHI as part of their core function:
- Healthcare providers (doctors, dentists, therapists, hospitals, clinics)
- Health insurance plans and payers
- Healthcare clearinghouses
Business Associates — companies that create, receive, maintain, or transmit PHI on behalf of a covered entity:
- A website agency that builds and hosts a patient portal
- A cloud storage provider storing ePHI
- An email service used to communicate health information
- A scheduling software vendor
If we build or host a site that handles ePHI for a covered entity, we become a Business Associate. This requires a Business Associate Agreement (BAA) — a formal contract that defines each party's HIPAA responsibilities.
Does your website handle PHI?
Use this as a quick guide — but verify with a lawyer:
| Your site has… | Likely handles PHI? |
|---|---|
| A general contact form (name, email, question) | Usually no — unless visitors frequently submit health details |
| A contact form that asks about medical conditions or symptoms | Yes |
| Online appointment booking that includes reason for visit | Yes |
| A patient login portal | Yes |
| A telehealth video or messaging feature | Yes |
| A health assessment or symptom checker | Yes |
| Standard Google Analytics without health data | Generally no — but see the pitfalls section |
| A staff-only admin area containing patient records | Yes |
'Contact us' forms can unintentionally collect PHI
Even a simple contact form can receive messages containing health details. If your business is a covered entity, you may need to treat your contact form infrastructure as potentially handling PHI — which affects what email service you use, how you store submissions, and what happens to that data.
Key technical safeguards for HIPAA-aligned websites
HIPAA's Security Rule requires covered entities and business associates to implement three types of safeguards: administrative, physical, and technical. Here are the technical ones most relevant to websites:
Encryption
All ePHI must be encrypted:
- In transit: Your site must use HTTPS (SSL/TLS). This encrypts data between the visitor's browser and your server.
- At rest: Data stored in databases, file systems, or backups must be encrypted.
Access controls
Only authorized people should be able to access ePHI:
- User accounts with strong passwords and two-factor authentication
- Role-based access (staff can only see what they need)
- Automatic session timeouts
Audit logs
HIPAA requires you to track who accessed, viewed, or modified ePHI and when. Your systems should generate and retain audit logs.
Integrity controls
Safeguards must ensure ePHI is not altered or destroyed improperly.
Secure disposal
When ePHI is no longer needed, it must be securely deleted — not just moved to a trash folder.
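The safeguards above are easier to reason about when they sit in one place. The following is an added illustration, not code from Chykalophia or from any product named on this page: a small Python gateway in front of ePHI records that enforces role-based access and an idle session timeout, and writes every allowed or denied access to a hash-chained audit log so that later edits to the log are detectable. The roles, the 15-minute timeout and the record ids are assumed values chosen for the example.

```python
import hashlib
import json
import time
from dataclasses import dataclass

# Assumed roles and the ePHI actions each may perform (least privilege:
# marketing staff never see patient records).
PERMISSIONS = {
    "clinician": {"view", "update"},
    "billing": {"view"},
    "marketing": set(),
}
SESSION_TIMEOUT_SECONDS = 15 * 60  # assumed idle timeout for the example

@dataclass
class Session:
    user: str
    role: str
    last_active: float  # unix timestamp of the last request

class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash,
    so altering or deleting an earlier entry breaks verification."""
    def __init__(self):
        self.entries = []

    def _digest(self, body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, action, record_id, outcome, now):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": now, "user": user, "action": action,
                "record": record_id, "outcome": outcome, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def access_ephi(session, action, record_id, log, now=None):
    """Return True if the request is allowed; every decision is logged."""
    now = time.time() if now is None else now
    if now - session.last_active > SESSION_TIMEOUT_SECONDS:
        log.record(session.user, action, record_id, "denied:session_expired", now)
        return False
    if action not in PERMISSIONS.get(session.role, set()):
        log.record(session.user, action, record_id, "denied:role", now)
        return False
    session.last_active = now  # activity resets the idle timer
    log.record(session.user, action, record_id, "allowed", now)
    return True
```

A real deployment would persist the log to write-once storage and verify the chain on a schedule; the point here is that access decisions and their audit trail are produced by the same code path, so no access goes unrecorded.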
What this means for common website tools
Standard off-the-shelf website tools are often not HIPAA-compliant without additional configuration or replacement:
| Common tool | HIPAA-ready out of the box? |
|---|---|
| Standard WordPress contact forms (WPForms, Gravity Forms) | No — form submissions are typically stored unencrypted, sent via standard email |
| Standard email (Gmail, Outlook) | No — not encrypted end-to-end; PHI should not be sent via standard email |
| Google Analytics | Not recommended for sites handling PHI — Google's standard terms do not include a BAA |
| Standard web hosting (shared hosting) | Generally no — dedicated, encrypted infrastructure is needed |
| Secure HIPAA-compliant form tools (e.g., JotForm HIPAA, Cognito Forms with BAA) | Yes, when configured correctly and a BAA is in place |
| Telehealth platforms with BAA (e.g., Zoom for Healthcare, Doxy.me) | Yes |
Business Associate Agreements
A Business Associate Agreement (BAA) is a legal contract between a covered entity and a vendor (business associate) who handles ePHI. If your website agency, hosting provider, email service, or form tool handles ePHI for you, they must sign a BAA.
Not every vendor offers BAAs. When they don't, you generally cannot use that vendor for systems that handle PHI.
We can sign a BAA when we are contracted to build or host a site that involves ePHI. Discuss this with your project lead before work begins.
What we do to help
When we work on a healthcare website that involves ePHI:
- We use HIPAA-eligible hosting infrastructure (such as dedicated servers or HIPAA-compliant cloud environments)
- We implement SSL and, where required, encryption at rest
- We replace standard contact forms with HIPAA-compliant form tools
- We configure access controls and role-based permissions
- We review which third-party tools are in use and flag those that lack BAA availability
- We sign a BAA for our work when applicable and required
Technical work alone does not make you HIPAA compliant
HIPAA compliance requires more than a technically secure website. It requires internal policies and procedures, staff training, a breach notification protocol, a risk analysis, and often a compliance officer. We handle the technical layer. You and your legal counsel are responsible for the full compliance program.
Common pitfalls
- Using Google Analytics on a healthcare site. Google does not offer a BAA for standard Google Analytics. Using it on a site that handles PHI can create a HIPAA violation. There are HIPAA-compatible analytics alternatives.
- Standard contact forms. Most form plugins email submissions via standard (unencrypted) email and store them in a database that does not meet HIPAA standards.
- Not getting BAAs with all vendors. Every vendor that touches ePHI needs a BAA. This includes your hosting provider, your email service, your CRM, and your website agency.
- Thinking HTTPS alone is sufficient. HTTPS encrypts data in transit. But you also need encryption at rest, access controls, and audit logging.
- Patient-facing forms on a non-HIPAA platform. If you are collecting insurance information, reason for visit, or medical history through a standard web form, that is likely ePHI.