Is Your Therapy Website HIPAA-Compliant?

By: Irina Shvaya | September 13, 2025

Key Takeaways

  • Your therapy website collects Protected Health Information the moment a client submits a contact form, books online, or signs up for a health-focused newsletter.
  • An SSL certificate encrypting data between browser and server is the most basic requirement, so verify your URL shows https:// and a padlock.
  • Standard WordPress or Squarespace contact forms send unencrypted emails and are not HIPAA-compliant, putting client PHI at serious risk.
  • Use dedicated HIPAA-compliant form services like Hushmail, Paubox, or properly configured Google Workspace for any client communication.
  • You must have a signed Business Associate Agreement with every third-party tool that handles PHI, since you are liable for vendor breaches.

As a therapist, you are a guardian of your clients' most private thoughts and feelings. The trust they place in you is the bedrock of the therapeutic relationship. This duty of care extends beyond the therapy room and into every aspect of your practice, including your website. In our digital age, your website is often the first point of contact, and it must be a fortress for protecting client privacy.

This brings up a critical question: is your therapy website compliant with the Health Insurance Portability and Accountability Act (HIPAA)? Many well-intentioned therapists unknowingly operate websites that put Protected Health Information (PHI) at risk, exposing themselves to significant legal penalties and, more importantly, eroding client trust. This guide will clarify what HIPAA compliance means for your website and provide actionable steps to ensure you are protecting your clients and your practice.

What is PHI and Why Does Your Website Handle It?

HIPAA’s privacy rules are centered on protecting PHI. Protected Health Information is any individually identifiable health information. This includes obvious data like a diagnosis or treatment plan, but it also covers any information that could be used to identify a client. This includes a name, email address, phone number, IP address, or even just the fact that a person has contacted your therapy practice.

You might think your simple website doesn't handle PHI, but consider this:

  • A person fills out your contact form asking about your services for depression.
  • A potential client uses your online scheduler to book a consultation.
  • Someone signs up for your newsletter focused on trauma recovery.

In all these cases, you are collecting information that links an individual to a health-related service, creating PHI. The moment your website collects, transmits, or stores this data, it falls under the purview of HIPAA.

The Cornerstones of a HIPAA-Compliant Website

Ensuring your website is compliant involves several key technical and procedural safeguards. Ignoring these is not an option; it's a fundamental professional responsibility.

Get a FREE Audit

We'll perform a comprehensive SEO, AEO, GEO & CRO audit of your website — completely free — and show you exactly how to outrank your competitors.

Don't have a site yet? Get in touch →

1. Secure Your Website with an SSL Certificate

The most basic requirement for any website that handles sensitive data is an SSL (Secure Sockets Layer) certificate. This is the technology that encrypts the data transferred between a user's browser and your website's server.

You can tell if a site has SSL because the URL will start with https:// instead of http://, and a padlock icon will appear in the address bar. This encryption prevents hackers from intercepting data in transit. Without SSL, any information a client submits through your site is sent as plain text, making it vulnerable to being read by third parties.

Actionable Tip: Check your website’s URL right now. If it doesn't have the padlock and https://, contact your web host or designer immediately to have an SSL certificate installed. Most hosting providers offer free SSL certificates, so there is no excuse to go without one.

2. Use HIPAA-Compliant Contact Forms

This is one of the most common and dangerous mistakes therapists make. A standard contact form built into a WordPress theme or a Squarespace template is not HIPAA-compliant. These forms typically send unencrypted emails, which is like sending a postcard with a client's PHI written on the back for anyone to see.

When a potential client uses your contact form to share their struggles or ask about your services, they are transmitting PHI. This information must be handled with end-to-end encryption.

Actionable Tip: Do not use default website forms for any client communication. Instead, use a service that is specifically designed for HIPAA compliance. These services will provide you with a secure, embeddable form and ensure all data is encrypted. Options include:

  • Hushmail: Offers secure, encrypted web forms and email.
  • Paubox: Provides encrypted email and form solutions.
  • Google Workspace: When configured correctly with a signed Business Associate Agreement (BAA), Google Forms can be used compliantly.

3. Vet All Third-Party Tools and Plugins

Your website likely uses various third-party tools for analytics, scheduling, or marketing. Each of these tools that has access to your website data is a potential point of failure for HIPAA compliance. You are responsible for any data breaches caused by your vendors.

This means you must have a Business Associate Agreement (BAA) in place with any third-party service that handles PHI on your behalf. A BAA is a legal contract that requires the vendor to uphold the same standards of PHI protection that you do.

Actionable Tip: Conduct an audit of all third-party tools connected to your website. This includes:

  • Scheduling Software: If you use a tool like Calendly or Acuity, ensure you are on a plan that offers HIPAA compliance and that you have signed a BAA. Similarly, if your practice uses workflow automation tools like Zapier, note that Zapier does not sign BAAs — consider a HIPAA compliant Zapier alternative instead.
  • Email Marketing Services: Services like Mailchimp are generally not HIPAA-compliant for sending PHI. Use a secure alternative or ensure your newsletters contain no PHI.
  • Analytics: Google Analytics can be used in a compliant way, but it requires careful configuration to ensure no PHI is collected.

If a vendor will not sign a BAA, you cannot use their service to handle PHI.

4. Post a Clear and Accessible Privacy Policy

Transparency is a key component of trust. Your website must have a comprehensive Privacy Policy that is easy for visitors to find. This document should explain in clear, simple language what data you collect, how you use it, how you protect it, and what a user's rights are concerning their information.

HIPAA requires you to post a Notice of Privacy Practices (NPP) that outlines how you handle PHI. Your website's Privacy Policy should align with this notice and be readily available to all visitors, typically via a link in the footer of every page.

Actionable Tip: Review your current Privacy Policy. Does it accurately reflect your data handling practices? Does it mention HIPAA? If you don't have one, work with a legal professional or use a reputable template generator to create a policy that is tailored to your practice.

Compliance is About Trust, Not Just Rules

Failing to comply with HIPAA can result in severe consequences, including fines that can reach tens of thousands of dollars per violation. Beyond the financial risk, however, is the damage to your professional reputation. A data breach can irrevocably destroy the trust you have built with your clients and your community.

Building a HIPAA-compliant website is not just about avoiding penalties; it's about demonstrating your commitment to your clients' safety and well-being. It shows that you respect their privacy from the very first click. By taking these essential steps—securing your site, using compliant forms, vetting your vendors, and being transparent—you create a digital environment that reflects the safety and integrity of your therapy room. Your clients deserve nothing less.

Frequently Asked Questions

Does my simple therapy website really handle PHI?
Yes. Protected Health Information is any individually identifiable health information, including a name, email, phone number, or IP address tied to a health service. When someone fills out your contact form about depression, books a consultation, or subscribes to a trauma-recovery newsletter, they create PHI that falls under HIPAA the moment your site collects it.
How do I know if my website has SSL?
Check your website's URL. A secure site starts with https:// rather than http://, and a padlock icon appears in the browser address bar. SSL encrypts data transferred between a user's browser and your server, preventing hackers from intercepting submissions. If your site lacks the padlock, contact your host immediately, as most providers offer free SSL certificates.
Why aren't standard WordPress or Squarespace contact forms HIPAA-compliant?
These default forms typically send unencrypted emails, which is like mailing a postcard with a client's PHI written on the back for anyone to read. When potential clients share their struggles through such forms, that data lacks the end-to-end encryption HIPAA requires. You should never use default website forms for any client communication.
Which contact form services are HIPAA-compliant?
Use a service specifically designed for HIPAA compliance that provides a secure, embeddable form and encrypts all data. Good options include Hushmail, which offers encrypted web forms and email, and Paubox, which provides encrypted email and form solutions. Google Workspace can also work compliantly when configured correctly with a signed Business Associate Agreement.
What is a Business Associate Agreement and when do I need one?
A Business Associate Agreement (BAA) is a legal contract requiring a vendor to uphold HIPAA safeguards. You need one with any third-party service that handles PHI on your behalf, including analytics, scheduling, or marketing tools with access to your website data. Because you are liable for breaches caused by your vendors, vetting each tool is essential.

Put this into action with eSEOspace

We help businesses grow with website development that actually performs. Explore the services behind this guide:

Book a free strategy call →

Get a FREE GEO/AEO/SEO Audit

We'll analyze your site's SEO, GEO, AEO & CRO — completely free — and show you exactly how to get found across Google and AI answers.

Don't have a site yet? Get in touch →

You Might Also like to Read