Healthcare websites & HIPAA basics
What healthcare providers need to know about building a trustworthy website that handles patient information responsibly.
Your website is often the first place a potential patient encounters your practice. It needs to convey trust, make it easy to book or contact you, and — critically — handle any patient information in a way that respects the law.
This guide covers what a healthcare website typically needs, what HIPAA means for your web presence, and the features we most commonly build for healthcare clients.
Quick summary
Healthcare websites must balance approachability with strict rules around patient data. Any form, chat widget, or booking system that collects health information is subject to HIPAA. We build these systems with business associate agreements and compliant tooling in place. Read this guide, then see our deeper HIPAA explainer at HIPAA for websites.
We are not lawyers
This guide reflects our practical experience building healthcare websites. It is not legal advice. HIPAA compliance involves your entire organization, not just your website. Always consult a qualified healthcare attorney or compliance officer for your specific situation.
What healthcare websites need to do
Patients visiting your site want to answer a few questions quickly:
- Are you accepting new patients?
- What does the practice specialize in?
- How do I book an appointment or get in touch?
- Are you covered by my insurance?
- Can I trust you?
A healthcare website that answers these questions clearly — without jargon, with real photos and bios, and with an easy path to contact — converts visitors into patients. Everything else is secondary.
Typical website goals
| Goal | What we build |
|---|---|
| New patient acquisition | Clear service pages, call-to-action on every page |
| Appointment booking | Online scheduling widget (HIPAA-compliant where needed) |
| Patient trust | Provider bios, credentials, patient testimonials |
| Existing patient info | Patient portal links, forms, after-visit summaries |
| Local SEO | Location pages, Google Business Profile integration |
Compliance & legal considerations
What HIPAA means for your website
HIPAA (the Health Insurance Portability and Accountability Act) is a US federal law that protects patient health information. The parts relevant to your website are:
Protected Health Information (PHI) — any information that could identify a patient and relates to their health condition, treatment, or payment. A name combined with an appointment date is PHI. A contact form asking about symptoms is PHI.
Business Associate Agreement (BAA) — if a third-party tool processes PHI on your behalf (an email platform, a booking system, a chat tool), you need a signed BAA with that vendor. Not every vendor offers one. We only use HIPAA-eligible tools in healthcare projects, and we handle the BAA paperwork with you.
Where this commonly catches practices off-guard:
- Standard contact forms — a general "contact us" form where someone describes their symptoms is collecting PHI. It needs to be handled by a HIPAA-compliant form and email provider.
- Live chat widgets — most generic chat tools (Intercom, Drift, etc.) are not HIPAA-eligible. We use compliant alternatives.
- Google Analytics — standard GA4 collects IP addresses and can combine them with health-related page visits. HIPAA-compliant analytics requires additional configuration or an alternative tool.
- Email notifications — appointment confirmation emails sent through non-BAA providers are a violation if they include health details.
- Online reviews & testimonials — you cannot publicly disclose that someone is your patient, even to respond to a review, without written authorization.
Don't assume your booking tool is compliant
Many popular scheduling tools (Calendly standard plans, Acuity basic plans) are not HIPAA-eligible. We verify compliant options — such as Spruce Health, Jane App, or Acuity's HIPAA tier — before recommending them for your project.
State-level rules
Many states have privacy laws stricter than HIPAA. California (CMIA), New York, and others add layers on top of federal requirements. Your compliance officer can advise; we build to accommodate whatever they specify.
Recommended features
Always recommended
- Provider bios with credentials and photos
- Clear specialty and service pages
- Prominent phone number and location
- Online appointment request or booking
- Insurance accepted (even a partial list)
- Patient forms available to download or fill online
- ADA-accessible design (required by law for most practices)
Often recommended
- Telehealth booking separate from in-person
- Multi-location pages with unique SEO per location
- Patient portal link (to your EHR system)
- Blog or health education content
- Before/after gallery (with patient consent — get legal sign-off)
- Video introductions from providers
Tech & integrations we use
The right tools depend on your specialty and patient volume. Here are the categories and our typical choices:
| Category | Compliant options we work with |
|---|---|
| Appointment scheduling | Jane App, Acuity Scheduling (HIPAA tier), Spruce Health |
| Patient intake forms | JotForm HIPAA, Cognito Forms HIPAA tier |
| Telehealth | Doxy.me, Spruce Health |
| Email platform (BAA available) | Google Workspace (with BAA), Microsoft 365 (with BAA) |
| Analytics | GA4 with IP anonymization, or privacy-first alternatives |
We do not use Mailchimp, standard Calendly, or HubSpot Free for any data-collecting touchpoints in healthcare builds — they do not offer BAAs.
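The analytics caveat above (GA4 on health-related pages) in working form, as an added example that is not this page's or any vendor's code: a small client-side gate that sends no GA4 page_view at all for health-related pages and strips identifying query parameters and the fragment from every other URL before it is reported. The path prefixes, parameter names and measurement ID are constructed placeholders for illustration; the last function assumes the standard gtag.js snippet is loaded with send_page_view disabled so the page_view event is sent only through this gate.

```javascript
// Added example, not the page's own code. Decides what, if anything, GA4 is
// told about a page visit so that condition pages, booking flows and URLs
// carrying patient details never reach the analytics vendor.

// Constructed list of path prefixes that reveal a health condition or an
// appointment; nothing is reported for these pages at all.
const SENSITIVE_PATH_PREFIXES = ["/conditions/", "/book/", "/patient-portal", "/telehealth/"];

// Constructed list of query parameters that may carry identifiers or health
// details (e.g. a prefilled intake form or a booking confirmation link).
const SENSITIVE_PARAMS = ["name", "email", "phone", "dob", "symptoms", "reason", "provider"];

// True when the page is too sensitive to report to analytics.
function isSensitivePath(pathname) {
  const p = pathname.toLowerCase();
  return SENSITIVE_PATH_PREFIXES.some((prefix) => p.startsWith(prefix));
}

// Removes sensitive query parameters and the fragment from a URL string.
function scrubLocation(urlString) {
  const url = new URL(urlString);
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.includes(key.toLowerCase())) {
      url.searchParams.delete(key);
    }
  }
  url.hash = "";
  return url.toString();
}

// Builds the page_view parameters GA4 may receive, or null when the page must
// not be reported. The document title is replaced by the path because titles
// often name a condition or a provider.
function buildPageView(urlString) {
  const url = new URL(urlString);
  if (isSensitivePath(url.pathname)) return null;
  return { page_location: scrubLocation(urlString), page_title: url.pathname };
}

// Sends the gated page_view through gtag.js. Returns false when nothing was
// sent. measurementId is a placeholder; use your own GA4 property ID.
function reportPageView(gtag, measurementId, urlString) {
  const payload = buildPageView(urlString);
  if (payload === null) return false;
  gtag("event", "page_view", { ...payload, send_to: measurementId });
  return true;
}

// Browser usage (skipped when run outside a page, e.g. under Node).
if (typeof window !== "undefined" && typeof window.gtag === "function") {
  reportPageView(window.gtag, "G-PLACEHOLDER", window.location.href);
}
```

Gating what the tag sees is a reduction of exposure, not a substitute for a BAA or for the HHS tracking-technology guidance linked under Learn more.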
Common pitfalls
- Launching with a generic contact form. Any form asking about conditions, medications, or symptoms is PHI. We scope this from day one.
- Using stock photos of "doctors." Patients want to see your real team. Generic stock undermines trust immediately.
- Ignoring mobile. Over 60% of healthcare searches happen on a phone. Your booking flow must work perfectly on mobile.
- Forgetting accessibility. WCAG 2.1 AA compliance is not optional for healthcare. It is both a legal requirement under the ADA and the right thing to do for your patients.
- Review responses that confirm someone is a patient. Never confirm or deny a patient relationship publicly online.
Related guides
- HIPAA for websites — the full guide
- Web accessibility basics
- Data privacy basics for your business
- Working with contact forms
- Accepting payments online
Learn more
- HHS: HIPAA for Professionals — the official US Department of Health & Human Services HIPAA resource
- HHS: Guidance on HIPAA and Online Tracking Technologies — specific guidance on analytics and pixel trackers
- ADA National Network: Web Accessibility — accessibility requirements for healthcare websites