Is Your Website HIPAA Compliant?

We all know that HIPAA compliance is an important consideration for any medical practice, but do you actually know if the forms on your website are HIPAA compliant? This is an issue that all medical practices face with advancements in technology and the use of website design to capture patient information online.

Usually the most vulnerable sections of any medical website are the “contact” or “request an appointment” pages, since these often contain an online form that collects patient information. Practices that offer online patient registration forms are at risk as well (note: the PDF versions that patients download and print are perfectly safe, since no PHI is transmitted online).

There are several items that can safely be asked on a website's contact form without the form needing to be HIPAA secured. These items include:

  • Name
  • Address
  • Phone Number
  • Email

If the contact form only asks for this information, then it does not need to be HIPAA secured because it is only asking for basic contact information and no medical information about the patient. The following is an example of a website’s scheduling request form that does not need to be HIPAA secured because of its content.
As you can see, this contact form does not ask for specific medical information.

Once a website asks for medical information, such as symptoms or health issues, the practice must make sure that the site is HIPAA compliant. The following is an example of a website that does need to be HIPAA compliant since it asks for medical information, or in this case, “reason for appointment.”
So how can you ensure that your website is HIPAA safe? The following should be considered when making your medical website HIPAA compliant:

  • Any health-related information about a person must be encrypted while it is transmitted online.
  • The collected data must then be stored on a HIPAA compliant hosting server. If you are only securing your forms, be careful that no copy of the submitted data is kept on your actual website.
  • If the practice receives the submissions by email, the email address being used must be HIPAA compliant. The alternative to email is to have a staff member log in to a portal to view the form submissions.
  • The medical practice and the website vendor should have a Business Associate Agreement in place whenever HIPAA is involved.

While technically the main HIPAA concern is transmitting identifiable patient details in conjunction with medical information, a gray area exists. The argument can be made that if a patient fills out a request-an-appointment form on an ophthalmologist’s website, then it is apparent they have a concern regarding their eye health. Practices that wish to be conservative may elect to secure all forms on their website, even though those forms don’t technically capture health-related information.
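The following is an added example (not code from the article or from WhiteCoat Designs) of how a form handler can apply the checklist above and the conservative option just described: it decides whether a submission combines identifiers with health-related fields, routes PHI only to an HTTPS portal, never stores PHI on the website itself, and keeps an audit record that contains field names but no values. The field names in HEALTH_FIELDS, the portal URL and the office address are assumptions constructed for the example.

```python
"""Triage of medical-website form submissions (added example, not the article's code)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Identifiers the article lists as safe to collect on a plain contact form.
BASIC_CONTACT_FIELDS = {"name", "address", "phone", "email"}
# Constructed list of field names that carry health-related information.
HEALTH_FIELDS = {"symptoms", "reason_for_appointment", "diagnosis", "medications"}


@dataclass(frozen=True)
class DeliveryPlan:
    hipaa_required: bool
    route: str              # "compliant_portal" or "office_email"
    address: str            # where the submission is sent
    store_on_website: bool  # False whenever PHI is present
    audit_record: dict      # safe to write to the website's own logs (no values)


def _present(fields: dict, names: set) -> bool:
    return any(str(fields.get(n, "")).strip() for n in names)


def contains_phi(fields: dict) -> bool:
    """PHI = identifiable contact details combined with health-related information."""
    return _present(fields, BASIC_CONTACT_FIELDS) and _present(fields, HEALTH_FIELDS)


def plan_delivery(submission_id: str, fields: dict, portal_url: str,
                  office_email: str, conservative: bool = False) -> DeliveryPlan:
    """Build a delivery plan; raises if PHI would be sent over an unencrypted link.

    conservative=True mirrors a practice that secures every form regardless of content.
    """
    hipaa = contains_phi(fields) or conservative
    if hipaa:
        if urlparse(portal_url).scheme != "https":
            raise ValueError("PHI may only be transmitted over an encrypted (https) connection")
        route, address = "compliant_portal", portal_url
    else:
        route, address = "office_email", office_email
    # The audit record lists field names only, so PHI never lands in the website's storage.
    audit = {"id": submission_id, "fields": sorted(fields), "hipaa": hipaa, "route": route}
    return DeliveryPlan(hipaa, route, address, store_on_website=not hipaa, audit_record=audit)
```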

While HIPAA compliance is an important issue for medical websites, practices should not be overwhelmed by all of this. Several agencies specialize in medical websites and can assist practices through the process of becoming HIPAA compliant. WhiteCoat Designs has not only made it possible to offer HIPAA compliant forms, but we are able to offer them at an affordable price.

Basic Pricing: $150 setup for each form, and $10 per month for each form. 

Contact WhiteCoat Designs today if you would like us to evaluate your current website for HIPAA compliance or if you are interested in designing a new website for your practice.

Nick Nydegger is the President of WhiteCoat Designs – a medical marketing agency whose mission is to help physicians stand out in today’s competitive healthcare market. Services include medical website design, internet marketing, online reputation management, social media, branding and physician liaison programs (increase referrals). Learn more at
