Frank Olivo

Frank Olivo is the founder of Sagapixel. He writes on a number of topics related to digital marketing, but focuses mostly on SEO.

8 Steps to Make Your Website HIPAA-Compliant


Here’s what makes a website HIPAA compliant, step by step, so you can fix yours or make sure you build it right from the start.

What Counts as Protected Health Information (PHI) on a Website?

Under 45 CFR §160.103, PHI is any individually identifiable health information held or transmitted by a covered entity.

On a website, that extends way beyond what a patient’s blood pressure was when they came in last week.

It can include specific pages that indicate a visitor may be suffering from a specific condition.

In other words, jefflovesbaseball@gmail.com visits your website, looks at your ED page, and you send that information back to Google’s servers via Google Analytics or an embedded YouTube video.

That’s a HIPAA violation.

Tracking Pixels and Scheduled Actions

In December 2022, the HHS Office for Civil Rights issued a bulletin specifically addressing tracking technologies on healthcare websites.

The bulletin made it clear: if a tracking pixel connects a user’s IP address to a visit on a health-related page, that combination is PHI.

Say you’re a chiropractor and you have the Meta Pixel installed on your website.

Someone schedules an appointment and the pixel sends back an event that says “appointment scheduled.”

Meta now has that data without a Business Associate Agreement.

HIPAA violation.

Contact Form Submissions

It can include something as simple as someone going to your website and filling out a contact form that says, “I’ve been getting frequent migraines and I would like to schedule an appointment.”

That form submission gets sent to GoDaddy’s server.

GoDaddy didn’t sign a BAA with you.

HIPAA violation.

What This Means for Your Website

This means that information you share about the pages people visit on your website, the actions they take, and the information they enter into your forms all needs to be kept under lock and key.

Any third parties — Google, YouTube, Meta, your hosting company — need to have signed a Business Associate Agreement with you in order for you to maintain HIPAA compliance.

What Happens If You Get It Wrong

The HHS Office for Civil Rights (OCR) enforces HIPAA, and penalties follow a four-tier structure based on the level of negligence.

Tier 1 — lack of knowledge — starts at $100 per violation.

Tier 4 — willful neglect left uncorrected — can reach $50,000 per violation, up to $1.5 million per year for each violation category.

The HITECH Act of 2009 significantly expanded these penalties and gave state attorneys general the authority to bring HIPAA enforcement actions as well.

This isn’t theoretical.

Advocate Health Care paid $5.55 million for a breach involving unencrypted data.

Multiple hospital systems have faced OCR investigations specifically for tracking pixel violations since that 2022 bulletin — you can see the full list of HIPAA enforcement actions and settlement amounts on the HHS website.

7 Steps to Make Your Healthcare Website HIPAA Compliant

These are the seven things you need to address if you’re going to get serious about making sure your website is protecting PHI and remaining HIPAA compliant.

1. Sign Business Associate Agreements (BAAs) with Every Vendor

Every vendor that touches PHI needs to sign a BAA — including your marketing agency, your hosting company, and your form provider.

A BAA is a legal contract required under 45 CFR §164.502(e) that makes the vendor liable for protecting PHI and requires them to notify you if there’s ever any sort of data breach.

This isn’t optional, and it isn’t a checkbox you click on a settings page.

It’s a binding agreement that shifts liability.

You need BAAs from your hosting company, form provider, email marketing platform, CRM, analytics tools, appointment scheduling software, payment processor, and anyone else who could touch patient data — even indirectly.

2. Enable SSL/TLS Encryption on Your Website

We’re talking about that little lock icon in the browser when people visit your website.

You need TLS 1.2 at a minimum — TLS 1.3 is preferred.

The HIPAA Security Rule under 45 CFR §164.312(e)(1) requires encryption of ePHI in transit, and TLS is how you satisfy that requirement on the web.

You also need HSTS — HTTP Strict Transport Security — which forces every single connection to use HTTPS.

This ensures nobody accidentally loads an unencrypted version of your website when they’re visiting from a coffee shop or any other public network.

For data at rest, your hosting environment should use AES-256 encryption on the storage volumes where any PHI lives.
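The two transport requirements above, a TLS 1.2 floor and an HSTS header, are easy to check in code. The following Python is an added example, not code from the article or from Sagapixel: it builds a client context that refuses anything older than TLS 1.2 and audits a `Strict-Transport-Security` header for the two settings that matter (a long enough `max-age` and `includeSubDomains`). The sample header values are constructed, and the one-year threshold and the nginx directive named in the comment are assumptions about a typical deployment.

```python
import ssl
from typing import Dict, List, Optional

# Constructed example header values (not taken from the article): the first is
# what a properly hardened site should send, the second is a common weak one.
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"
WEAK_HSTS = "max-age=300"

ONE_YEAR = 31536000  # seconds; the max-age browser preload lists expect


def make_client_context() -> ssl.SSLContext:
    """Client-side TLS context that refuses anything below TLS 1.2.

    Set the same floor on the server; in nginx that is
    `ssl_protocols TLSv1.2 TLSv1.3;` (assumed deployment, not from the article).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_hsts(header: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security header into its directives.

    Valueless directives (includeSubDomains, preload) map to True.
    """
    directives: Dict[str, object] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip() or True
    return directives


def hsts_problems(header: Optional[str], min_age: int = ONE_YEAR) -> List[str]:
    """Return findings for an HSTS header; an empty list means it is acceptable."""
    if header is None:
        return ["missing Strict-Transport-Security header"]
    problems: List[str] = []
    directives = parse_hsts(header)
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(max_age) < min_age:
        problems.append(f"max-age={max_age} is shorter than {min_age} seconds")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set; subdomains can still be loaded over plain HTTP")
    return problems


def negotiated_tls_version(host: str, port: int = 443) -> str:
    """Connect to a live host with the hardened context and report the TLS
    version actually negotiated (needs network access; not exercised offline)."""
    import socket
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version() or "unknown"


if __name__ == "__main__":
    print("good header:", hsts_problems(GOOD_HSTS))
    print("weak header:", hsts_problems(WEAK_HSTS))
```

Run it against your own site by fetching the response headers with any HTTP client and passing the `Strict-Transport-Security` value to `hsts_problems`; `negotiated_tls_version` confirms that the server will actually complete a handshake at 1.2 or above.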

3. Switch to HIPAA-Compliant Web Hosting

Even if you don’t have a contact form on your website, your hosting provider may still be tracking the IP addresses of visitors through tools like cPanel.

If your host processes any information that someone enters into a form, logs the pages they visit, or stores any data that qualifies as PHI, they need to have a BAA with you.

Otherwise, it’s a HIPAA violation.

Shared hosting providers like Bluehost, GoDaddy, and HostGator do not provide BAAs.

AWS, Google Cloud, and Microsoft Azure will sign BAAs, and there are dedicated HIPAA-compliant hosting providers like Liquid Web, Atlantic.Net, and HIPAA Vault that specialize in this.

The Security Rule also requires physical safeguards under 45 CFR §164.310 — meaning the data center itself needs access controls, surveillance, and environmental protections.

That’s one reason compliant hosting costs what it does.

Expect to spend $100 to $300 a month for compliant hosting, depending on traffic and storage needs.

Also keep in mind: platforms like Wix and Squarespace do not currently sign BAAs, which means they cannot be used for a HIPAA-compliant healthcare website, regardless of what plugins you install.

4. Secure Your Web Forms and Contact Pages

This is where most healthcare websites fail.

A compliant contact form needs a few things.

First, encryption in transit — meaning when somebody fills out that form, everything is encrypted before it’s sent.

Second, a BAA from whoever the form provider actually is, which will often be your hosting company, but could also be a third-party tool like Jotform, Formstack, or Gravity Forms with a HIPAA-compliant add-on.

Third, the form has to have access controls governing who can actually view what was submitted — this is the access control requirement under 45 CFR §164.312(a)(1).

The last thing you need is your web developer overseas being able to see who is scheduling appointments at your clinic.

If you’re going to be serious about this, go with one of the solutions that advertises itself as being HIPAA compliant rather than trying to duct-tape together a makeshift setup.

5. Fix Your Analytics and Tracking Setup

Google Analytics, out of the box, is a HIPAA violation.

Your Meta Pixel configured improperly is another HIPAA violation.

Any web analytics on your hosting where the hosting company hasn’t signed a BAA is a HIPAA violation.

Embedded YouTube videos also send analytics from your website back to YouTube.

Hospital systems have received massive fines just for having YouTube embeds on their sites.

The same applies to chatbot widgets, appointment scheduling embeds, and any third-party JavaScript that phones home to a server without a BAA.

Don’t do it if you care about maintaining airtight HIPAA compliance.
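The fastest way to find out which third parties a page is already phoning home to is to scan its HTML for every script, iframe and image that loads from a host you have no BAA with. The following Python is an added example, not code from the article or from Sagapixel: it parses a constructed sample page containing the kinds of embeds the article warns about (a Google Analytics tag, an inline `gtag()` call, a YouTube iframe and a Meta pixel image) and reports each external host that is neither the first party nor on a BAA-covered allow list. The sample page, the clinic hostname and the allow list are all assumptions.

```python
from html.parser import HTMLParser
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed sample page (not a real site); tag and video IDs are placeholders.
SAMPLE_PAGE = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
<script src="/assets/site.js"></script>
</head><body>
<h1>Migraine Treatment</h1>
<iframe src="https://www.youtube.com/embed/PLACEHOLDER-VIDEO-ID"></iframe>
<img height="1" width="1" src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView"/>
<iframe src="https://forms.hipaa-vendor.example/intake"></iframe>
</body></html>
"""

# Hosts that have signed a BAA with the practice (assumed list; fill in your own).
BAA_COVERED_HOSTS = {"forms.hipaa-vendor.example"}

Finding = Tuple[str, str, str]  # (kind, host or marker, evidence)


class ThirdPartyScanner(HTMLParser):
    """Flags every resource that makes the visitor's browser contact a host
    outside the first party and the BAA-covered list, plus inline tracker calls."""

    RESOURCE_TAGS = {"script", "iframe", "img"}
    INLINE_MARKERS = ("fbq(", "gtag(", "dataLayer")

    def __init__(self, first_party_host: str, allowed_hosts: Iterable[str]):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings: List[Finding] = []
        self._script_buf: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        if tag not in self.RESOURCE_TAGS:
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # urlsplit handles absolute and protocol-relative ("//host/path") URLs;
        # same-origin relative paths yield an empty netloc and are ignored.
        host = urlsplit(src).netloc.lower()
        if host and host != self.first_party and host not in self.allowed:
            self.findings.append((tag, host, src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._script_buf)
        self._script_buf = []
        for marker in self.INLINE_MARKERS:
            if marker in body:
                self.findings.append(("inline-script", marker, body.strip()[:60]))
                break


def scan_page(html: str, first_party_host: str, allowed_hosts: Iterable[str]) -> List[Finding]:
    scanner = ThirdPartyScanner(first_party_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, what, evidence in scan_page(SAMPLE_PAGE, "www.example-clinic.com", BAA_COVERED_HOSTS):
        print(f"{kind:14} {what:32} {evidence}")
```

On the sample page the scanner reports the Google tag script, the inline `gtag()` call, the YouTube iframe and the Meta pixel image, and stays silent on the first-party script and the BAA-covered form iframe. A static scan only sees what is in the served HTML; tags injected later by a tag manager need the same review in the tag manager's own container.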

Can You Still Use Google Analytics and Meta Ads?

Yes — but it requires a specific setup.

For Google Analytics, using server-side Google Tag Manager in a way that strips anything that would be deemed PHI or PII allows you to send conversion data back to Google without telling Alphabet who is actually scheduling appointments with you.

The same goes for Meta.

But if you’re going to do this, make sure you know what you’re doing or you’re working with someone who does.
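What "stripping anything that would be deemed PHI or PII" looks like in a server-side container is a hard allowlist of the fields that may be forwarded, followed by a check that nothing identifying slipped into them. The following Python is an added example, not code from the article or from Sagapixel, and not Google Tag Manager's own API: it takes a constructed raw event (with IP address, client ID, user agent, full page URL and free-text message) and produces the only payload that may be sent on to an ad or analytics platform. The field names, the coarse page categories and the decision about which fields count as identifiers are assumptions; that determination belongs with your compliance counsel.

```python
import re
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Constructed raw event, as a browser tag or a server container might receive it.
RAW_EVENT: Dict[str, Any] = {
    "event_name": "appointment_scheduled",
    "timestamp": 1700000000,
    "value": 1,
    "client_id": "1234567890.1700000000",
    "ip_override": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (constructed)",
    "page_location": "https://www.example-clinic.com/conditions/migraine?utm_source=ads&email=jeff%40example.com",
    "page_title": "Migraine Treatment | Example Clinic",
    "form_message": "I've been getting migraines, call 555-0100 or email jeff@example.com",
}

# Only these fields ever leave the server container. Everything else, including
# fields you did not anticipate, is dropped. (Assumed allowlist; which fields
# count as PHI is a determination for your compliance counsel.)
FORWARD_KEYS = ("event_name", "timestamp", "value")

# A coarse category replaces the exact URL so that no specific condition page is
# reported alongside a conversion (assumed site layout).
PATH_CATEGORIES = (("/conditions/", "condition-page"), ("/schedule", "scheduling"))

EMAIL_RE = re.compile(r"[\w.+-]+(@|%40)[\w-]+\.[\w.-]+", re.IGNORECASE)
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{4}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def categorize_path(url: str) -> str:
    """Map a full page URL to a category name, discarding path and query details."""
    path = urlsplit(url).path
    for prefix, category in PATH_CATEGORIES:
        if path.startswith(prefix):
            return category
    return "other"


def identifier_hits(event: Dict[str, Any]) -> List[str]:
    """Names of fields whose string values still look like an e-mail, phone or IP."""
    hits = []
    for key, value in event.items():
        if isinstance(value, str) and (EMAIL_RE.search(value) or PHONE_RE.search(value) or IPV4_RE.search(value)):
            hits.append(key)
    return hits


def scrub_event(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Build the only payload that may be forwarded to an analytics or ad platform.

    Allowlist first, then a deny-check, so that a field that is supposed to be
    safe (an event name populated from user input, say) cannot carry an
    identifier through. Raises instead of forwarding when the check fails.
    """
    out: Dict[str, Any] = {k: raw[k] for k in FORWARD_KEYS if k in raw}
    if "page_location" in raw:
        out["page_category"] = categorize_path(raw["page_location"])
    leaked = identifier_hits(out)
    if leaked:
        raise ValueError(f"refusing to forward event; identifier found in {leaked}")
    return out


if __name__ == "__main__":
    print("raw fields with identifiers:", identifier_hits(RAW_EVENT))
    print("forwarded payload:", scrub_event(RAW_EVENT))
```

The raw event fails the identifier check on three fields, while the scrubbed payload carries only the event name, timestamp, value and the category "condition-page". Note that the IP address is dropped outright rather than hashed or truncated, since the 2022 bulletin treats IP plus a health-related page visit as PHI.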

Why You Should Avoid Retargeting

Even if you’re running remarketing in a HIPAA-compliant fashion, you’re still painting a bullseye on your back.

Remarketing is going to creep some of your patients out.

They might contact an attorney looking for a big payday from an attractive lawsuit.

It very well may be that you did everything the way you’re supposed to, but when they start digging around, they find other things they can get you for.

I would suggest that you abstain from anything resembling remarketing, even if you’re doing so in a way that doesn’t technically violate any standards.

6. Enable Audit Logging and Access Controls

Under 45 CFR §164.312(b), HIPAA requires that you keep a log of anyone who accessed anything, for any system handling electronic PHI.

You need to enable access logs on your hosting.

If you’re using WordPress, install an audit trail plugin like WP Activity Log that records who logged in, what they changed, and when.

This also means you can’t have one shared login for everyone who accesses the website.

Every user needs their own unique credentials with role-based access controls — your content editor shouldn’t have the same access level as the site administrator.

You need to keep these records for a minimum of six years per the HIPAA retention requirement, and they need to be stored somewhere accessible for OCR audits.
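Step 4's access controls on form submissions and step 6's audit logging are two halves of the same mechanism: each named user gets a role, every attempt to read or delete a submission is checked against that role, and the attempt is recorded whether or not it was allowed. The following Python is an added example, not code from the article, from Sagapixel or from WP Activity Log: it keeps submissions in memory, enforces role-based access with one account per person, and writes an append-only audit trail that can be exported as JSON lines. The roles, user names and submission content are constructed; in a real deployment the log would go to write-once storage in a BAA-covered environment and be retained for the six years the article cites.

```python
import json
import time
from typing import Any, Dict, List

# Role table (assumed): permissions belong to roles, never to individuals, and
# the content editor role deliberately has no access to submissions at all.
ROLE_PERMISSIONS: Dict[str, set] = {
    "admin": {"view_submission", "delete_submission", "manage_users"},
    "intake_staff": {"view_submission"},
    "content_editor": set(),
}


class AuditLog:
    """Append-only record of every access attempt, allowed or denied."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def record(self, user: str, action: str, resource: str, allowed: bool, reason: str = "") -> Dict[str, Any]:
        entry = {"ts": time.time(), "user": user, "action": action,
                 "resource": resource, "allowed": allowed, "reason": reason}
        self.entries.append(entry)  # production: write-once storage, retained >= 6 years
        return entry

    def export_jsonl(self) -> str:
        """One JSON object per line, the shape most log pipelines ingest directly."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


class SubmissionStore:
    """Holds contact-form submissions and enforces per-user, role-based access."""

    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit
        self._users: Dict[str, str] = {}  # one named account per person, no shared logins
        self._submissions: Dict[str, Dict[str, Any]] = {}

    def add_user(self, username: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._users[username] = role

    def store(self, submission_id: str, payload: Dict[str, Any]) -> None:
        self._submissions[submission_id] = payload

    def _authorize(self, username: str, action: str, resource: str) -> None:
        role = self._users.get(username)
        if role is None or action not in ROLE_PERMISSIONS[role]:
            # Denied attempts are logged too: they are what an investigation looks for.
            self.audit.record(username, action, resource, False, reason=f"role={role}")
            raise PermissionError(f"{username} may not {action} {resource}")
        self.audit.record(username, action, resource, True)

    def view(self, username: str, submission_id: str) -> Dict[str, Any]:
        self._authorize(username, "view_submission", submission_id)
        return self._submissions[submission_id]

    def delete(self, username: str, submission_id: str) -> None:
        self._authorize(username, "delete_submission", submission_id)
        del self._submissions[submission_id]


def demo() -> AuditLog:
    """Constructed scenario: one allowed view, one denied view, one denied delete."""
    audit = AuditLog()
    store = SubmissionStore(audit)
    store.add_user("maria.front-desk", "intake_staff")
    store.add_user("dev.contractor", "content_editor")
    store.store("sub-001", {"message": "I have been getting frequent migraines", "phone": "555-0100"})
    store.view("maria.front-desk", "sub-001")
    for user, op in (("dev.contractor", store.view), ("maria.front-desk", store.delete)):
        try:
            op(user, "sub-001")
        except PermissionError:
            pass
    return audit


if __name__ == "__main__":
    print(demo().export_jsonl())
```

The exported trail answers the question the Security Rule's audit-controls standard is built around: who touched which record, when, and whether they were allowed to. The contractor's denied read shows up as its own entry, which is exactly the event a shared login would have made invisible.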

7. Maintain Encrypted Backups in a BAA-Covered Environment

You need to define a retention policy.

How long do you keep form submissions?

How long do you keep backups of the website?

Backups must be encrypted — AES-256 at rest — and stored with a hosting provider or cloud service that has signed a BAA with you.

And when you actually get rid of data, it needs to be truly destroyed — not just moved to the trash folder where it sits for 30 days.

What to Do If You Have a Breach

If a breach of unsecured PHI occurs, HIPAA’s Breach Notification Rule under 45 CFR §§164.400-414 requires that you notify affected individuals within 60 days.

If the breach affects 500 or more people, you must also notify HHS and the media.

HHS publishes all breaches affecting 500+ individuals on its public Breach Portal — sometimes called the “wall of shame.”

A properly configured, HIPAA-compliant website significantly reduces the likelihood you’ll ever end up there, but having an incident response plan is part of compliance.

A Note on State Privacy Laws

HIPAA is a federal floor, not a ceiling.

States like California (CCPA/CPRA), Texas, and New York have additional privacy requirements that may apply to your website if you’re collecting data from residents of those states.

If you’re a multi-location practice or you serve patients across state lines through telehealth, you may need to comply with these laws in addition to HIPAA.
