HIPAA-Compliant Website Checklist

Why Your Website Needs to Be HIPAA Compliant

If your healthcare practice collects any patient information through your website (appointment requests, contact forms, patient portals), your website must comply with HIPAA regulations. Violations can result in fines ranging from $100 to $50,000 per violation, with annual maximums up to $1.5 million.

Many healthcare practices don’t realize their website is a HIPAA liability. That free contact form? If it collects health information without proper encryption, it’s a compliance risk.

The Complete Website HIPAA Checklist

SSL/TLS Encryption

• Your entire website uses HTTPS (not just login pages)
• TLS 1.2 or higher is enforced
• HSTS (HTTP Strict Transport Security) headers are configured
• Mixed content warnings are resolved (no HTTP resources on HTTPS pages)

Forms and Data Collection

• All forms transmit data over HTTPS
• Contact forms that collect health information are encrypted end-to-end
• Form data is stored in a HIPAA-compliant system
• No PHI (Protected Health Information) is sent via standard email
• Auto-complete is disabled on sensitive form fields

Privacy and Policies

• A HIPAA-specific privacy policy is published on your website
• Notice of Privacy Practices (NPP) is accessible
• Cookie consent banner is implemented
• Data retention policies are documented
• Patient rights regarding their data are clearly stated

Hosting and Infrastructure

• Your hosting provider offers a Business Associate Agreement (BAA)
• Server logs containing PHI are properly secured
• Regular security patches are applied
• Backups are encrypted and stored securely
• Access to hosting is restricted and audited

Third-Party Services

• Google Analytics is configured to not collect PHI
• Facebook Pixel and other tracking pixels are reviewed for PHI exposure
• Live chat widgets don’t store PHI without BAAs
• All third-party services handling PHI have signed BAAs
• Marketing automation tools comply with HIPAA

Access Controls

• Admin access uses strong passwords and MFA
• Role-based access controls limit who can view patient data
• User sessions timeout after inactivity
• Login attempts are monitored and rate-limited

Common HIPAA Website Mistakes

1. Using standard contact forms for appointment requests that ask about symptoms or conditions
2. Not having a BAA with your hosting provider: most shared hosting doesn’t offer this
3. Embedding Google Maps with patient reviews that reveal health conditions
4. Storing form submissions in plain text email or spreadsheets
5. Using tracking pixels that capture page visits to condition-specific pages

How to Fix Compliance Gaps

Start by running your website through our free HIPAA Compliance Checker tool. It will identify the most critical issues and provide step-by-step remediation guidance.

For a comprehensive compliance review, consider working with a healthcare marketing agency that understands both HIPAA requirements and digital marketing best practices.