HIPAA Compliant Website Design: What the Regulations Actually Require
Most "HIPAA compliant" websites aren't. They run Google Analytics on patient-facing pages. They use contact forms processed by vendors who won't sign a Business Associate Agreement. They're hosted on shared servers with no audit logging. And they display an SSL padlock that their owners genuinely believe makes them compliant.
For many practices, this works until it doesn't. When it doesn't, the numbers are serious. Montefiore Medical Center paid $4.75 million in 2024 after an employee sold patient data - and the penalty was compounded by underlying Security Rule failures that had nothing to do with the bad actor. Mass General Brigham settled for $18.4 million over tracking pixels. Aurora Health paid $12.25 million. Novant Health paid $6.6 million. These weren't because someone hacked a server. They were because healthcare organizations were running standard marketing tools on pages where patients exchanged health information.
This guide is not a generic checklist. It covers what HIPAA actually requires for healthcare websites, which vendors can actually be used, what the current legal landscape around tracking pixels looks like after the 2024 court ruling, and how to build a website that holds up to scrutiny without enterprise-level budgets.
Key Takeaways:
- Tracking pixel settlements have exceeded $18 million per case; Mass General Brigham, Aurora Health, and Novant Health all paid millions for running standard marketing tools on patient-facing pages.
- Google Analytics is not HIPAA compliant in any version; Google explicitly refuses to sign a BAA, and IP anonymization settings do not substitute for one.
- Every vendor that touches PHI requires a signed Business Associate Agreement before data flows to them, regardless of how secure their infrastructure is.
- The 2025 proposed Security Rule would eliminate "addressable" safeguards and mandate encryption, MFA, and annual penetration testing, but its political future is uncertain.
- ADA accessibility and HIPAA compliance are separate, parallel obligations; passing one does not satisfy the other.
- Accessibility overlays like accessiBe do not constitute compliance; courts and the DOJ consistently require source-code fixes.
What Actually Triggers HIPAA Obligations on a Website
HIPAA doesn't mention websites. The regulations cover Protected Health Information regardless of medium. Your website becomes subject to HIPAA when it collects, transmits, or stores PHI - that's the line. A pure marketing site that describes your services and provides a phone number has different obligations than a site with intake forms, appointment scheduling, or a patient portal.
Protected Health Information (PHI) is any individually identifiable health information. Under HIPAA, there are 18 specific identifiers that can turn health data into PHI: names, geographic data smaller than state, dates related to individuals, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, VINs, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifying number or code.
The key phrase is "individually identifiable." The 18 identifiers matter because combining any of them with health information creates PHI. A person browsing your "STD testing" page is not PHI. That person's IP address logged alongside that visit is. This is why analytics is the most common compliance failure on healthcare websites - most practices have no idea they're creating PHI by running Google Analytics on health-related pages.
Electronic Protected Health Information (ePHI) is PHI stored or transmitted electronically. Everything on your website is electronic, so the Security Rule's technical safeguards apply to any PHI your site touches.
Covered entities are the healthcare providers, health plans, and clearinghouses HIPAA directly regulates. Business associates are vendors who handle PHI on their behalf - your hosting provider, your form processor, your analytics platform, your CMS, your email service. Every business associate needs a signed Business Associate Agreement (BAA) before PHI can flow to them. Without a signed BAA, sharing PHI with a vendor violates HIPAA regardless of how secure their infrastructure is.
The Security Rule Requirements for Websites
The HIPAA Security Rule requires administrative, physical, and technical safeguards for ePHI. For websites, the technical safeguards carry the most weight: Access controls mean role-based permissions and unique user identification. Every staff member who logs into your CMS or views patient form submissions needs their own credentials with appropriate access levels. No shared passwords.
Audit controls require tracking who accessed what data and when. Your hosting and CMS should maintain logs of all PHI interactions for a minimum of six years. These logs must be tamper-evident - users cannot modify or delete records of their own access.
Integrity controls ensure ePHI isn't altered or destroyed improperly. Backup systems, version control, and documented recovery procedures all apply here.
Transmission security requires encryption for data in transit. TLS 1.2 is the current minimum; TLS 1.3 is strongly preferred and will likely become mandatory when the proposed Security Rule updates finalize.
Authentication - multi-factor authentication for all systems accessing ePHI is already best practice and explicitly proposed in the 2025 Security Rule NPRM.
The Analytics Problem: Why Your Standard Setup Is Non-Compliant
This is where most healthcare websites fail without realizing it. Google Analytics, Meta Pixel, and similar tracking tools collect IP addresses and browsing behavior. When a visitor browses your "depression treatment" page or clicks through from a targeted ad about "anxiety counseling," their browsing history combined with their IP address becomes PHI.
In December 2022, HHS/OCR issued guidance stating that tracking technologies collecting individual health information require HIPAA compliance. A wave of class action litigation followed. But in June 2024, a federal judge in the Northern District of Texas ruled that OCR's guidance had partially overstepped its regulatory authority - specifically around the "proscribed combination" theory that IP address plus health page visit automatically equals PHI. OCR withdrew its appeal in August 2024.
Here's what that ruling actually means for your website: the formal OCR guidance was partially vacated, but the underlying HIPAA Privacy and Security Rules were not. The class action litigation against health systems that used Meta Pixel and Google Analytics has not abated. The prudent position remains: don't run unauthenticated third-party tracking scripts on pages where patients exchange health information, because the private litigation risk hasn't diminished even if OCR's formal guidance did.
For authenticated patient portals - logged-in users - the rules are clear regardless of the court ruling. Any tracking on authenticated pages without a BAA is a direct violation.
Analytics Options That Actually Work
Google Analytics (any version): Not HIPAA compliant. Google explicitly states it does not satisfy HIPAA requirements and will not sign a BAA. No version of GA - including GA4 with IP anonymization enabled - is compliant for healthcare use cases. "Anonymized IP" in GA settings does not substitute for a BAA. This is the most common pushback from marketing agencies: it doesn't hold up.
Plausible or Fathom: Privacy-first analytics with no cookies, no IP collection, no personal data. No BAA needed because they don't create PHI. Best option for marketing pages where no health information is exchanged. Neither platform signs a BAA, which means they're not suitable as a compliance solution for pages where PHI could be created.
Piwik PRO: Signs a BAA on the Enterprise plan (from €366/month, new pricing effective August 2025). Self-hosting eliminates the need for a BAA entirely. Includes integrated tag manager, consent management, and CDP. The most feature-complete HIPAA-compliant analytics platform - the closest thing to a full GA4 replacement with actual compliance documentation behind it. Business plan starts at €35/month but doesn't include BAA.
Freshpaint: A healthcare-specific privacy proxy that sits between your website and downstream tools, stripping PHI before passing data through to Google Analytics, Google Ads, and Meta Pixel. Signs a BAA. Free under 1,000 monthly tracked users; paid plans require a custom quote. WebMD uses Freshpaint for exactly this purpose. This is the practical answer for practices that need marketing attribution data and can't abandon their ad platforms - it lets you keep using non-compliant tools downstream while remaining HIPAA-safe upstream.
Matomo (self-hosted): Open source, full data ownership, no BAA needed when self-hosted. Strong option for organizations with the technical capacity to manage their own server infrastructure.
PostHog: Signs a single BAA covering analytics, session replay, feature flags, and experiments. Best all-in-one option if you need product analytics depth.
The conservative approach: No third-party analytics on form pages or any page where a patient might enter health information. Track marketing content only. Use Plausible or Fathom for engagement data on blog and service pages, exclude anything with a form.
Business Associate Agreements: The Complete Vendor Picture
A signed BAA is not optional decoration. It's the legal foundation that makes vendor relationships HIPAA-compliant. Without one, PHI flowing to that vendor is a violation.
Hosting
| Provider | BAA Available | Notes |
|---|---|---|
| AWS | Yes | 120+ HIPAA-eligible services; BAA via console |
| Microsoft Azure | Yes | Enterprise agreements; FHIR-based API available |
| Google Cloud Platform | Yes | Enterprise BAA required |
| Vercel | Yes | Pro or Enterprise plans; accessible from billing dashboard |
| Netlify | Yes | Enterprise only; launched August 2024 - this is new |
| Cloudflare | Yes | Signs BAA; widely cited as HIPAA compliant |
| HIPAA Vault | Yes | Fully managed WordPress hosting with BAA |
| Healthcare Blocks | Yes | Purpose-built for healthcare |
| Railway | No | Good for custom solutions when no PHI is stored |
Standard shared hosting - Bluehost, SiteGround, WP Engine's lower tiers, most cPanel providers - does not offer BAAs and cannot be used for any workload where PHI is stored or transmitted.
Website Builders and CMS Platforms
| Platform | BAA Available | Notes |
|---|---|---|
| WordPress.com | No | Not compliant by default |
| WordPress (self-hosted) | Depends on host | The platform has no BAA; compliance depends entirely on your host and configuration |
| Squarespace | Partial | Signs BAA only for Squarespace Scheduling; main platform does not |
| Wix | Yes | Premium/Studio plans with PHI protection enabled; launched 2025 |
| Contentful, Sanity (standard) | No | Explicitly prohibit PHI in terms of service |
| Contentful, Sanity (enterprise) | Yes | Enterprise plans with BAA cost $60,000-80,000/year |
Forms
| Provider | BAA | Starting Price for HIPAA |
|---|---|---|
| JotForm Healthcare | Yes | $39/month (Gold minimum) |
| HIPAAtizer | Yes (always in place) | Purpose-built for healthcare forms |
| Formstack | Yes | $360/month (Enterprise) |
| Hushmail | Yes | Healthcare-specific plans |
Standard personal Gmail, Outlook, or Apple Mail is not HIPAA-compliant. Google Workspace with a signed BAA, Microsoft 365 with BAA and proper configuration, or Paubox (purpose-built encrypted healthcare email) are the appropriate alternatives.
Chat and Chatbots
Every chatbot or live chat widget that could receive a patient message containing health information needs a signed BAA with the vendor. Verify before deploying. Most popular chatbot platforms have not addressed this clearly. If a vendor won't discuss HIPAA compliance, they don't have a BAA program.
The 2025 Security Rule Overhaul: What's Proposed and What's Uncertain
The most important regulatory development since 2013 is also the most uncertain. HHS/OCR published a Notice of Proposed Rulemaking to significantly modify the HIPAA Security Rule on January 6, 2025. The proposal would make sweeping changes - but its path to becoming law is unclear.
What the NPRM proposes:
- Eliminating the distinction between "required" and "addressable" safeguards - everything becomes mandatory with limited exceptions. Under the current rule, encryption is "addressable," meaning organizations can document a rationale for not using it. Under the proposed rule, encryption of ePHI at rest and in transit becomes a mandatory requirement.
- TLS 1.3 or higher for all ePHI transmission
- Multi-factor authentication mandatory for all interactive workforce access to ePHI
- Biannual vulnerability scanning and annual penetration testing
- A written technology asset inventory documenting every system touching ePHI, updated at minimum annually
- A network map illustrating how ePHI moves through electronic information systems
- 72-hour system restoration capability after an incident
- Anti-malware protection on all systems touching ePHI
The political situation: The Trump administration has signaled skepticism. OCR Director Paula Stannard declined to confirm whether the rule will proceed as proposed, noting that "the Trump administration may have a different view on the burdens and benefits of some of the proposed changes." A coalition of more than 100 hospital systems and provider associations petitioned HHS to withdraw the rule, calling it counter to the deregulatory agenda. A final rule is still listed as anticipated on HHS's regulatory agenda, but its scope may be narrowed or it may not finalize at all in its current form.
What this means for your website today: Build to the proposed standard anyway. TLS 1.3, MFA, documented technology inventory, vulnerability scanning - these are security best practices regardless of whether the rule finalizes. The organizations that get penalized are the ones who treat compliance as a legal minimum rather than a security floor.
Already in effect: The requirement to update Notices of Privacy Practices took effect February 16, 2026. Healthcare websites must display current NPP content reflecting this.
ADA, WCAG, and Section 1557: The Parallel Compliance Layer
HIPAA compliance and accessibility compliance are separate, parallel obligations. A site that passes every HIPAA requirement can still expose a healthcare provider to significant liability if patients with disabilities can't use it. Meeting one does not satisfy the other.
The April 2026 Deadline for Government Healthcare
The DOJ finalized a rule requiring WCAG 2.1 Level AA compliance under ADA Title II. The deadline for public entities serving 50,000+ population is April 24-26, 2026. This applies to government-funded and operated healthcare: public health departments, state Medicaid portals, government hospital systems.
Private Healthcare: Title III and Section 1557
For private practices - the majority of healthcare websites - the obligations come from two sources: ADA Title III mandates equal access to services for people with disabilities, including digital properties. Courts and the DOJ have consistently interpreted this to cover healthcare provider websites and telehealth platforms. There's no single compliance deadline for private entities, but litigation risk is ongoing and active.
Section 1557 of the ACA (2024 Final Rule, effective July 5, 2024) applies to any healthcare provider receiving Medicare, Medicaid, CHIP, or ACA Marketplace reimbursement. By July 5, 2025, covered entities must display a Notice of Availability - in English and the 15 most commonly spoken languages in their state - for free language assistance services. This notice must appear prominently both physically and on your website. If your practice accepts any federal healthcare reimbursement and your website doesn't include this notice in multiple languages, you're currently non-compliant.
WCAG 2.1 Level AA is the technical standard that covers both Title III and Section 1557 accessibility requirements. The 50 success criteria include: descriptive alt text for all images including medical diagrams, captions and audio descriptions for videos, keyboard-navigable forms, color contrast ratios of 4.5:1 for normal text and 3:1 for large text, properly labeled form fields, and accessible modals.
Why Accessibility Overlays Don't Work
Overlay widgets - accessiBe, UserWay, and similar products - are actively counterproductive. Courts consistently rule that real accessibility requires fixing source code. These overlays frequently create new accessibility problems while failing to remediate existing ones. The DOJ has been clear that overlays do not constitute compliance. For healthcare websites operating under any federal funding, do not use them.
Common Compliance Mistakes
Mistake 1: SSL Certificate Equals HIPAA Compliance
Having HTTPS is necessary but not sufficient. A site can have perfect SSL configuration while failing audit controls, access management, and BAA requirements on six separate points. The padlock means transmission is encrypted. It says nothing about where data is stored, who can access it, or whether your vendors have signed BAAs.
Mistake 2: "We Don't Store Data" Means No Obligations
Transmission of PHI without storage still requires safeguards. If a contact form sends patient health information to your email, that transmission needs encryption and the email provider needs a BAA - even if nothing touches a database.
Mistake 3: A Privacy Policy Creates Compliance
A privacy policy, even one that mentions HIPAA extensively, describes practices. It does not create them. Compliance requires technical and administrative safeguards actually implemented. OCR doesn't read your policy during an audit; they look at your documented risk assessments, your signed BAAs, your access logs, and your staff training records.
Mistake 4: "Our IT Team Handles Security"
IT handles technical implementation. HIPAA compliance also requires documented policies, risk assessments, staff training records, incident response procedures, and business associate management - organizational functions that span legal, administrative, and clinical roles. IT cannot own all of this.
Mistake 5: Marketing Tags Are the Marketing Team's Problem
Every third-party script that executes in a patient's browser is a potential PHI transmission vector, regardless of who added it. Marketing teams commonly add analytics tags, chatbots, scheduling widgets, and ad pixels without security review. Every new script should go through a formal approval workflow requiring BAA verification before deployment. Content Security Policy headers should restrict which script sources can load. This is governance work, not IT work - it requires organizational policy.
Technical Implementation Checklist
Hosting Requirements
| Requirement | Standard Hosting | HIPAA Compliant Hosting |
|---|---|---|
| BAA available | No | Yes |
| Encryption at rest | Sometimes | Required (AES-256) |
| Encryption in transit | Usually | Required (TLS 1.2+ minimum) |
| Audit logging | Basic server logs | Comprehensive, tamper-evident |
| Access controls | Basic | Role-based with MFA |
| Backup and DR | Varies | Documented, 72-hour restoration |
| Physical security | Shared facility | Dedicated or compliant cloud |
| Vulnerability scanning | Not standard | Required |
Form Security Requirements
Forms collecting any health information need: - TLS for form submission - standard HTTPS, but verify it's enforced with HSTS headers
- Encryption at rest - form data stored encrypted, not plain text in a database
- Access controls - only authorized staff can view submissions
- Audit logging - track who views what submissions and when
- Data retention policies - document how long PHI is kept and how it's destroyed
- Disabled autocomplete - add `autocomplete="off"` to sensitive form inputs to prevent browser caching
- BAA with your form processor - this is non-negotiable
CMS Considerations
WordPress (self-hosted): The platform can be configured for compliance, but the plugin ecosystem introduces ongoing risk. Every plugin is a potential security gap. Managed HIPAA-compliant WordPress hosting like HIPAA Vault helps, but you're managing a complex stack that requires ongoing security maintenance, plugin auditing, and access control management.
Headless CMS (Contentful, Sanity on standard plans): These platforms explicitly prohibit PHI in their terms of service. Enterprise plans with BAA are available but cost $60,000-80,000 annually - not appropriate for most practices.
Custom CMS: Building content management into your application eliminates external CMS vendor dependencies entirely. No separate admin domain, no third-party API calls for content, no plugin surface area. I build custom content management into SvelteKit applications for clients who need this level of control. More on this in my WordPress alternatives guide.Cost Expectations by Practice Size
Development and operational costs are two separate categories. Most conversations about "how much does HIPAA compliance cost" conflate them.
Ongoing monthly operational costs:
| Practice Size | Monthly Range | What Drives Cost |
|---|---|---|
| Solo therapist / small practice | $170–$400 | HIPAA hosting, BAA form tool, privacy-first analytics |
| Mid-size clinic (5-25 providers) | $600–$2,000 | Enhanced hosting, Piwik PRO analytics, form management, monitoring |
| Large clinic / enterprise | $8,000–$25,000+ | Full infrastructure, dedicated security monitoring, custom tooling |
| Tool | Product | Monthly Cost |
|---|---|---|
| Hosting | HIPAA Vault managed | $150-200 |
| Hosting | Vercel Pro (self-managed HIPAA setup) | $20+ |
| Forms | JotForm Healthcare (Gold) | $39 |
| Forms | HIPAAtizer | $9-30 |
| Forms | Formstack Enterprise | $360+ |
| Analytics | Plausible (non-PHI pages only) | $9-23 |
| Analytics | Piwik PRO Business (no BAA) | ~€35 |
| Analytics | Piwik PRO Enterprise (BAA) | ~€366 |
| Analytics | Freshpaint (privacy proxy) | Custom |
| Paubox | $10-15 | |
| Google Workspace (with BAA) | $6-18/user |
Development costs (one-time):
Small practice website with HIPAA-compliant forms and compliance infrastructure: $5,000–$15,000. Growing practice with online scheduling and more complex requirements: $15,000–$30,000. Mid-size clinic with patient portal integration: $30,000–$60,000. These are ranges based on real project scope - not minimum viable packages that create compliance theater.
My Approach to HIPAA-Compliant Healthcare Websites
I build healthcare websites on SvelteKit rather than WordPress or template-based site builders. The technical characteristics of the framework align directly with compliance requirements: Smaller attack surface. No plugin ecosystem creating security vulnerabilities. A typical SvelteKit site ships around 42KB of JavaScript compared to 120KB+ for other frameworks. Fewer third-party dependencies means fewer BAA obligations and fewer vectors for data exposure.
Server-side security. Sensitive operations happen on the server, not in client-side JavaScript where they can be inspected or manipulated. Form processing, access validation, and any PHI handling stay off the client entirely.
Custom CMS integration. Content management built into the same codebase eliminates external CMS vendor dependencies. No headless CMS with its own terms of service, no separate admin domain to secure, no API calls to third-party infrastructure.
Performance that supports accessibility. Faster sites work better for elderly patients, patients with cognitive disabilities, and visitors on slower connections. Performance and accessibility aren't independent of compliance - they're part of it.
For projects requiring patient data handling, I architect solutions that minimize PHI touchpoints. Marketing content stays separate from patient data flows. Forms route to compliant processors - Jotform Healthcare or HIPAAtizer depending on the complexity - with signed BAAs in place. Analytics use Plausible on non-PHI pages, with Piwik PRO or Freshpaint for any pages where health information may be exchanged.
The Korawells wellness clinic project is a good example: the site runs on Railway, which doesn't offer a HIPAA BAA. It doesn't need to, because the site itself stores no PHI. Form submissions route directly to Jotform's compliant infrastructure. The architectural decision to keep PHI off the primary server entirely eliminates the hosting BAA requirement.
I work with clinics, therapists, telehealth platforms, wellness coaches, hormone optimization experts, and longevity practitioners across the US, Canada, UK, and Australia. My work has been recognized internationally for design and UX - because compliance and great design aren't mutually exclusive. Schedule a consultation to review your compliance requirements and technical options.
Transform your website into a revenue-generating asset
Partner with an award-winning web designer and web developer from the Philippines, delivering world-class websites to global brands. 15+ years of experience creating sites that convert visitors into customers.
Frequently Asked Questions
-
If your website collects no patient data whatsoever, HIPAA may not apply to the website itself. But be careful: contact forms asking about health concerns, symptom checkers, or appointment requests mentioning conditions all create PHI. Most healthcare websites have at least some compliance obligations.
-
Yes, but it's harder than alternatives. You need HIPAA-compliant hosting with BAA, careful plugin selection (every plugin is a potential vulnerability), proper user access controls, and ongoing security maintenance. Many practices find this complexity isn't worth the perceived familiarity of WordPress.
-
HIPAA eligible means the vendor's infrastructure supports compliance if properly configured. HIPAA compliant means you've actually done the configuration, signed the BAA, and implemented required safeguards. AWS is HIPAA eligible; your properly configured website on AWS with signed BAA becomes HIPAA compliant.
-
Yes. Beyond standard HIPAA requirements, telehealth involves real-time video transmission of PHI, potential recording storage, and often integration with EHR systems. Video infrastructure must be HIPAA compliant with signed BAAs.
-
Get a security assessment. Check: Does your hosting provider have a signed BAA? Are forms encrypted and processed by compliant services? What analytics run on patient-facing pages? Is your CMS handling any PHI? Most practices discover gaps they didn't know existed.
-
HHS OCR audits examine your documented policies, technical implementations, risk assessments, staff training records, and incident response procedures. Having a compliant website is necessary but not sufficient. You need the documentation to prove compliance.