Is Your Therapy Website HIPAA Compliant? 

In this post, I am breaking down what HIPAA compliance means for your therapists website, the most common compliance gaps, and how to build a digital presence that protects your clients and your practice. I am a web designer and technologist, not a HIPAA attorney or compliance officer. What I share here is a practical starting point, not legal advice. For anything specific to your practice, Person Centered Tech is the resource I most recommend.

Introduction

You built your practice with intention, and your website reflects that. It looks professional, it represents you well, and people are finding you. It feels like a massive win.

But looking professional and being compliant are not the same thing.

Most private practice websites have at least one compliance gap. It’s not due to lack of care, or lack of awareness. It happens because the standard web tools are designed for traditional businesses, not healthcare.  This is why hidden compliance gaps are incredibly common.

The good news? This is entirely fixable. 

So let’s look at how to bridge those gaps easily so you can protect your practice and permanently cross compliance off your worry list.

First, let’s start with the basics.

What Triggers HIPAA Compliance on a Therapist Website

To secure your digital space, you first have to understand the rules at hand. Let's go over the jargon and look at what’s actually required.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act.  This is a US federal law that was put in place in 1996 to make sure medical information is protected from being accessible without proper patient consent.  

You probably recall having to sign a privacy disclosure form when you visit a new physician, or completing a release form when requesting that your records be sent to a new health service provider. That is HIPAA in action: you must give explicit permission for your records to be shared. It is the law.

The law applies to what are called "covered entities."  This includes things like health plans, healthcare clearinghouses, and healthcare service providers. As a therapist, you fall into that last category. But what exactly are you having to protect?

What is PHI?

Another term you’ll frequently hear is PHI, which stands for Protected Health Information. This includes patient demographics, payment details, medical histories, test results, and any past, present, or future healthcare services. This is applicable whether the information is written on paper, stored electronically, or spoken out loud. 

The critical piece to understand here is that health data on its own isn’t what’s protected, it only becomes PHI when it can be tied back to a specific person. For example, a screenshot of blood glucose readings over a month is just data. But if that screenshot includes details that let you figure out exactly whose readings they are, it then becomes PHI.

What Makes Information Personally Identifiable? 

HIPAA specifies about 18 distinct identifiers that can turn otherwise anonymous health data into information tied to a specific individual.  Common examples you need to watch out for include:

  • Full Names

  • Geographical location smaller than state, e.g. City, County, Street, Zipcode

  • Exact Dates (only years are non identifiable) e.g. date of birth, admission date, discharge date, etc

  • Telephone Number or Fax Number associated with the patient

  • Patient Email Address, IP Addresses, web urls, phone serial numbers, mac addresses

  • Social Security Number

  • Medical Account Numbers

  • Vehicle Identification Numbers, licence numbers, and licence plate numbers

  • Biometrics:  Fingerprints, Retina Scan, Voiceprint

  • Photographs for full face, as well as pictures of scars, tattoos or any distinctive features

  • More

The moment any single one of these details connects back to health or treatment information on your website, you are handling PHI.  That data requires a secure, and compliant way to handle it.

The Reality Check

Now that we know what turns data into PHI, the next question is: Does this actually apply to your specific business model?

There is a common myth in the wellness industry that if you don't take insurance, you don't have to worry about HIPAA.A therapist's website needs to be HIPAA compliant because most mental health professionals operate as covered entities legally obligated to protect patient data. Under federal law, you officially become a 'covered entity' the moment you transmit health information electronically to conduct standard transactions such as billing insurance or checking client eligibility.

But even if you don’t take insurance and don't technically meet the definition of a covered entity, expanding your website security is still vital. State laws, licensing boards, and professional ethical codes (like those from the ACA or APA) normally mandate the exact same strict privacy standards as HIPAA. Also, if you think about it, clients expect their interactions to be private and confidential.

The Digital Boundary

For therapist websites, HIPAA rules apply the moment a site touches Protected Health Information (PHI). This can include:

  • Contact form submissions where a prospective client describes their struggles.

  • Online appointment or consultation requests.

  • Intake paperwork and screening data stored or transmitted through your site.

If your website handles any of these pieces, it must be secure.

Now let’s look at some of the pitfalls.

What Makes a Therapist Website
Non-Compliant?

Most therapist websites have at least one compliance gap. This rarely happens from a lack of attention to detail; it happens because the tools used to make a website look professional are rarely built for healthcare out of the box.  Below are some of the most common issues I see:

  1. Standard Contact Forms. The default forms built into Squarespace, Wix, or WordPress, for example, are not HIPAA compliant. If a prospective client types their name, email, and a message like "I think I am depressed and I am looking for some help”, that data is stored in clear text in the platform's database and then sent to your inbox (or to your desired end location, such as google doc). 

  2. Generic Email Platforms. Standard Gmail, Outlook, Yahoo, and Apple Mail are wonderful for traditional businesses, but they are not compliant for handling client communication or sensitive data. A therapist using these platforms to email active clients about their care, or sending intake links through them, has also an exposure gap.

  3. Booking Tools Without a BAA. A Business Associate Agreement (BAA) is a legal contract where a software company explicitly agrees to protect PHI according to healthcare laws. If a company won't sign one, you cannot use them. Popular tools like Calendly do not offer a BAA on their standard plans, so that is not a good match for appropriate client intake.

  4. Google Analytics (GA4). This is a massive exposure point that most web designers completely miss. GA4 is a great tool for analytics that gives you a detailed picture of your website traffic and visitor behavior, so you can see what is working and what is not in your website from the marketing point of view. It tracks who visits your website, where they came from, how long they stayed, and what they clicked on. But because Google is not a covered entity, signing a BAA for standard analytics accounts is not available.  If you have GA4 turned on, you can potentially expose user IP addresses and MAC addresses.

  5. Standard Telehealth Platforms. Not all video tools are created equal. Standard Zoom or Google Meet do not meet compliance standards. To see clients or run groups via video the kosher way, you must use a dedicated platform built for healthcare, such as Doxy.me, or a specialized paid tier like Zoom for Healthcare that includes a signed BAA.

  6. Templates Lacking a PHI Privacy Policy. A generic privacy policy generated by a generic online tool for small businesses does not normally include PHI sections in their privacy policy. . A therapist's website requires a Privacy Policy that specifically addresses how PHI is collected, used, and disclosed under healthcare privacy standards.

The Phone-Only Route, And What It Costs You and Your Client

Some practices try to bypass all this HIPAA stuff entirely by keeping their website purely informational. If your site is just a digital brochure that lists your services and a phone number, with no contact forms or online scheduling, the website doesn't need to be HIPAA compliant because it never touches or transmits sensitive data.

But while a phone-only site might dodge a compliance headache (and no one likes extra headaches), it misses an opportunity to support a client at the exact moment they reach out for help.

When someone is looking for a therapist, they are often doing it late at night or during a moment of high stress. They don't want to wait until the next business day just to call and find that they have to leave a voicemail because you are in a session with another client. Providing an immediate way for them to take that first step, whether it’s requesting a consultation or asking a quick question right from your site, creates a much better client experience (and could you have a new potential client).

This builds trust from the very first click, and it signals to a potential client that you understand their needs and have their back right from the start.

The good news? You don't have to sacrifice that warm, immediate digital welcome just to stay compliant. You can absolutely provide a modern, seamless experience that lets clients connect with you anytime, as long as the infrastructure is built with compliance in mind.

The Solution: Three Non-Negotiables & Your Tech Stack

Building a secure digital presence doesn't mean you have to hire someone to write your own software. It simply means you need to ensure the tools you use meet three core technical requirements.

The 3 Pillars of a Compliant Web Presence

Before connecting any tool to your website, verify that it checks these three boxes:

  1. A Signed Business Associate Agreement (BAA): This is a legal contract where the software company agrees to protect health data according to legal privacy standards. If a company won't sign a BAA, skip them.

  2. A Secure Intake Pathway: Any place in your website where a client enters their personal details needs to be routed to a secure and compliant destination.

  3. End-to-End Encryption: Your website's standard SSL certificate (the HTTPS in your URL) encrypts data while it travels from the user's browser to your website, which is great.  However, the tool collecting that data on the other side must also store it using secure encryption, not in clear text.

Resource Tip: For a very thorough breakdown of these technical rules, Person Centered Tech is one of the most trusted compliance resources available to private practices.

The Streamlined and Compliant Tech Stack

The easiest way to build a compliant website is to keep the site itself informational and use secure links or embedded but secure widgets to route data directly into specialized, compliant platforms.

Instead of using standard tools you can swap them for healthcare-ready alternatives.  Here are a few tips: 

  • Contact Forms: Replace default website forms with a secure option like Hushmail or IntakeQ (both readily sign BAAs). 

  • Booking Platforms: Specialized Electronic Health Record (EHR) platforms like SimplePractice or Jane App are designed explicitly for private practices.  They sign BAAs, and allow you to link to a secure booking portal directly to your main website.

  • Analytics: Skip Google analytics entirely, the privacy risk simply isn't worth having the data. Instead, you can use Google Search Console that gives you all the traffic and search keyword metrics you actually need to grow your practice, without tracking individuals or exposing user IP addresses.

  • Email & Telehealth: Keep your ongoing client communications inside secure systems like Hushmail or your EHR's built-in messaging features. For video sessions, platforms like Doxy.me are free to try and compliant by design. Zoom for Healthcare offers compliance under a specific paid tier.

  • Website Hosting: Design platforms such as Squarespace do not sign BAAs. This is completely fine, as long as your website is strategically structured correctly. Ensure that your site acts as a front door that just passes the information directly to your secure third-party tools, and make sure you are not storing client messages in the website's database or google sheets.

Conclusion: An Extension of Your Care

Your private practice is built entirely on trust and emotional safety. The intentional environment you create in your practice communicates to your clients that they are safe in your care.

Your website is potentially the first place that this trust is either established or compromised.

A secure, compliant website isn't a technical hurdle or a legal checkbox to be afraid of. It is like a digital extension of the very same standard of care you already practice every day. When the underlying foundation is configured correctly, you can permanently take technology off your worry list and focus entirely on the meaningful work you were called to do.

About the Author

Veronica Diaz is the founder of Bloom Digital Design, a Squarespace web design and digital strategy studio serving wellness and mental health practitioners building independent practices. Before launching Bloom, she spent over a decade as a Director of Engineering overseeing the design, implementation, and annual recertification of compliance systems, ensuring sensitive data was protected throughout all systems. She brings that same standard of technical rigor to the websites she builds for practitioners today. She also holds HIPAA certification through TeachMeHIPAA and a 200-hour yoga teaching certification, and training in mindfulness and self-compassion for children and caregivers. She relocated to Portland, OR in the summer of 2026.