Healthcare Website Design Guide

HIPAA (Health Insurance Portability and Accountability Act) governs the protection of Protected Health Information (PHI) and electronic PHI (ePHI). It applies to covered entities (hospitals, clinics, insurers) and their business associates (web designers, hosting providers, SaaS vendors).

HITECH Act (Health Information Technology for Economic and Clinical Health) strengthens HIPAA enforcement with breach notification requirements and increased penalties.

ADA (Americans with Disabilities Act) requires digital accessibility for websites that serve as places of public accommodation. Title II applies to government entities; Title III applies to private businesses including healthcare practices.

Section 504 of the Rehabilitation Act extends digital accessibility mandates to any healthcare provider receiving federal funds (including Medicare/Medicaid). HHS finalized a rule in May 2024 requiring WCAG 2.1 AA compliance by May 2026.

State Privacy Laws in California, Colorado, Connecticut, Virginia, and other states have enacted their own data privacy laws that may apply to healthcare data.

No single tool, platform, or vendor makes a website "HIPAA compliant" out of the box. HIPAA compliance is a system-level achievement requiring: - A signed Business Associate Agreement (BAA) with every vendor that touches PHI

• Encryption at rest and in transit (AES-256, TLS 1.2+)
• Access controls with role-based permissions and multi-factor authentication
• Audit logging that tracks every interaction with PHI
• Breach notification procedures defined and documented
• Regular risk assessments and vulnerability scanning
• Staff training on HIPAA policies and procedures
• Physical safeguards for servers and data centers
• Administrative safeguards including policies, procedures, and documentation

Any individually identifiable health information, including: - Patient names, addresses, dates of birth, Social Security numbers

• Medical records, lab results, treatment history
• Billing and payment records
• IP addresses, device identifiers, or cookies when combined with health-related page visits (e.g., visiting a "depression treatment" page)
• Appointment scheduling data
• Form submissions containing health information
• Email communications about a patient's health

A Business Associate Agreement is a legally binding contract required by HIPAA whenever a third-party vendor accesses, processes, stores, or transmits PHI on behalf of a covered entity. Without a signed BAA, using any tool to handle PHI is a HIPAA violation, regardless of that tool's security features.

Every vendor in your healthcare web stack needs a BAA if they touch PHI: - Hosting provider

• CMS platform
• Email service
• Form builder
• Analytics platform (if tracking on PHI-adjacent pages)
• Payment processor
• Telehealth platform
• CDN (if applicable)
• Backup/disaster recovery service

• Signed BAA
• Data encryption at rest and in transit
• Network firewalls and intrusion detection/prevention
• Physical security of data centers
• Regular vulnerability scanning and penetration testing
• Automated backups with encryption
• Disaster recovery and business continuity plans
• Detailed audit logs
• Role-based access controls

If your healthcare website is a static marketing site that does not collect, store, or transmit PHI (no forms, no patient portals, no login areas), standard hosting may suffice. However, any page that collects PHI (contact forms with health info, appointment scheduling, patient intake) needs HIPAA-compliant infrastructure.

If the CMS stores PHI (patient records, health data, clinical content tied to individuals), it must be HIPAA-compliant with a BAA.

If the CMS only stores marketing content (blog posts, service descriptions, provider bios) that gets pulled into a HIPAA-compliant front-end, PHI compliance requirements are less stringent for the CMS itself. But security best practices still apply.

These platforms are free to self-host but require deployment on HIPAA-eligible infrastructure with proper configuration.

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Signed BAA with the email provider
• Access controls with multi-factor authentication
• Audit logging of all email activity
• Automatic encryption (no user action required to secure emails)
• Secure archiving for compliance and record-keeping

Google has explicitly stated that GA4 does not meet HIPAA requirements and does not offer a BAA. Using Google Analytics on pages where users log in, submit forms, book appointments, or interact in ways linked to health-related services can constitute a HIPAA violation.

Since 2023, HIPAA enforcement around pixel tracking violations has resulted in over $100 million in fines.

1. Marketing pages (no PHI): Use Plausible or Fathom. They don't collect personal data, so no BAA is required
2. Pages with forms: Either exclude from analytics entirely, or use PostHog with BAA
3. Patient portals / authenticated areas: No third-party analytics, or enterprise-tier tools with BAA and proper configuration

• Encryption of data at rest and in transit
• Signed BAA with the form builder vendor
• Access controls with role-based permissions
• Audit trails tracking form submissions and access
• Secure data storage in HIPAA-compliant data centers
• Automatic session timeouts
• Multi-factor authentication for admin access
• Disabled autocomplete on sensitive fields to prevent browsers from caching health information locally

For custom-built healthcare websites using SvelteKit, you can integrate HIPAA-compliant form solutions through: 1. HIPAAtizer embeds which can be embedded into any website regardless of CMS

1. Server-side form handling that processes form data through your own HIPAA-compliant server, encrypting before storage
2. API integrations connecting to HIPAA-compliant backends like Directus or Payload CMS for form data storage

• End-to-end encryption (AES-256) for video, audio, and messaging
• Signed BAA with the platform vendor
• Secure waiting rooms and meeting access controls
• Audit logging of all sessions
• Integration with EHR systems
• No recording or data retention without consent and proper safeguards

Standard versions of Zoom, Skype, Google Meet, and FaceTime do not meet HIPAA requirements. Only healthcare-specific versions or enterprise plans with BAAs are acceptable.

• In 2024, over 4,100 ADA website accessibility lawsuits were filed in federal courts
• Healthcare is among the top targeted industries
• Plaintiff attorneys use automated scanning tools to identify non-compliant sites
• Penalties for Section 504 violations can include suspension or termination of federal funding, including Medicare and Medicaid reimbursements

The Web Content Accessibility Guidelines are organized around four principles (POUR): Perceivable

• Alt text for all images and graphics
• Captions for videos and audio content
• Sufficient color contrast (4.5:1 for normal text, 3:1 for large text)
• Content adaptable to different screen sizes and orientations
• No information conveyed through color alone

Operable

• Full keyboard navigation (no mouse-only interactions)
• No content that flashes more than 3 times per second
• Skip navigation links
• Descriptive page titles and link text
• Sufficient time to read and interact with content
• Touch target minimum size (44x44 CSS pixels per WCAG 2.2)

Understandable

• Clear, readable language
• Consistent navigation across pages
• Form labels, instructions, and error messages
• Predictable page behavior

Robust

• Semantic HTML structure
• Compatible with screen readers and assistive technologies
• ARIA attributes used correctly when needed

Tools like accessiBe and similar overlay widgets do not make a website WCAG 2.1 AA compliant. Courts and accessibility experts consistently confirm that true accessibility requires addressing issues in the source code.

• Identify all points where PHI will be collected, stored, or transmitted
• Determine which compliance frameworks apply (HIPAA, ADA, Section 504, state laws)
• Inventory all third-party vendors/tools that will be used
• Obtain signed BAAs from all vendors that will touch PHI
• Conduct or review a HIPAA risk assessment
• Define data flow architecture showing how PHI moves through the system

• HIPAA-eligible hosting with signed BAA
• Data encryption at rest (AES-256) and in transit (TLS 1.2+)
• Firewall, intrusion detection, and DDoS protection
• Automated encrypted backups with tested recovery procedures
• Access controls with multi-factor authentication
• Audit logging enabled and retained per policy

• WCAG 2.1 AA compliance integrated from design phase
• Semantic HTML structure throughout
• Keyboard navigation fully functional
• Color contrast meets minimum ratios
• All images have meaningful alt text
• All videos have captions and transcripts
• Forms have proper labels, instructions, and error handling
• Skip navigation links implemented
• No auto-playing media
• Touch targets meet minimum size requirements
• Responsive design tested across devices

• No Google Analytics on pages that collect PHI
• HIPAA-compliant analytics tool implemented with BAA
• No third-party pixels/cookies on PHI-adjacent pages
• IP address collection disabled or anonymized where required
• Cookie consent mechanism in place

• Professional accessibility audit completed
• Penetration testing and vulnerability scan completed
• Incident response plan documented and tested
• Staff trained on HIPAA policies and procedures
• Ongoing monitoring and compliance review schedule established
• Accessibility statement published on the website

I build healthcare websites on SvelteKit because performance and compliance requirements align with this architecture: Smaller bundles. A typical SvelteKit site ships around 42KB of JavaScript compared to 120KB+ for React-based frameworks. Faster sites perform better for seniors and patients on slower mobile connections.

Server-side rendering without hydration delays. No "frozen" page states while JavaScript initializes. Critical for accessibility and user experience.

No plugin vulnerabilities. Unlike WordPress, there's no stack of third-party plugins creating security exposure.

HIPAA-compliant hosting options. SvelteKit deploys to AWS, GCP, Azure, or specialized healthcare hosting with proper BAA coverage.