What HIPAA Actually Requires for Your Website
If your business touches health information in any way — counseling intake forms, therapy scheduling, medical billing, or even a contact form for a healthcare-adjacent service — HIPAA applies to your website.
Most small businesses either ignore this entirely or overcomplicate it. Here's what the law actually requires, in plain language.
Who Needs to Pay Attention
HIPAA applies to covered entities (healthcare providers, insurers, clearinghouses) and their business associates — any vendor or contractor who handles Protected Health Information (PHI) on their behalf.
If you build websites, manage IT, or run software for healthcare clients, you are likely a business associate. That means HIPAA applies to you too.
What Your Website Actually Needs
1. A Business Associate Agreement (BAA)
Any third-party tool that touches PHI — your form builder, your CRM, your email platform — must sign a BAA with you. No BAA means no compliance, regardless of how secure the tool claims to be.
2. Encrypted Forms and Data Transmission
Standard contact forms are not HIPAA compliant. Patient intake forms, appointment requests, and any form collecting health-related information must encrypt data in transit (TLS 1.2 or higher) and be hosted on HIPAA-compliant infrastructure.
3. Access Controls
Who can see submitted form data? Role-based access controls (RBAC) ensure only authorized staff can view PHI. Shared logins and open admin panels are a compliance violation waiting to happen.
4. Audit Logs
HIPAA's Security Rule requires you to track who accessed PHI and when. Your systems need logging and monitoring in place — not just for compliance, but for breach detection.
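To make items 3 and 4 concrete, here is an added Python sketch (not code from the original article) of a PHI access layer that enforces role-based access and writes an audit event for every attempt, allowed or denied, then runs two simple checks over that log: denied attempts, and a single account appearing from several source IPs, which is a common sign of the shared logins warned about above. The roles, users, record ids, IP addresses and log fields are constructed for illustration; a production system would back the log with append-only storage and a trusted clock.

```python
"""Minimal PHI access layer: role-based authorization plus an audit trail.

Added example, not code from the original article. Roles, users, record
ids, IPs and the log format are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical role model: which roles may view intake-form PHI.
ROLE_PERMISSIONS = {
    "clinician": {"phi:read"},
    "billing": {"phi:read"},
    "marketing": set(),   # uses the CMS but never sees PHI
    "web_admin": set(),   # keeps the site running; no PHI access
}


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool
    source_ip: str


@dataclass
class PhiStore:
    """Holds submitted intake forms and refuses access without a permitted role."""
    records: Dict[str, dict]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def read(self, user: str, role: str, record_id: str, source_ip: str) -> Optional[dict]:
        allowed = "phi:read" in ROLE_PERMISSIONS.get(role, set())
        # Every attempt is logged, denied ones included: the Security Rule
        # point is knowing who reached for PHI and when, not only who succeeded.
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, action="phi:read",
            record_id=record_id, allowed=allowed, source_ip=source_ip,
        ))
        if not allowed:
            return None
        return self.records.get(record_id)


def denied_attempts(log: List[AuditEvent]) -> List[AuditEvent]:
    """Events worth an alert: an account without a PHI role tried to read a record."""
    return [e for e in log if not e.allowed]


def accounts_used_from_many_ips(log: List[AuditEvent], threshold: int = 2) -> Dict[str, int]:
    """Accounts seen from at least `threshold` distinct source IPs.

    One login used from many places is a typical symptom of a shared account.
    """
    ips_by_user: Dict[str, set] = {}
    for e in log:
        ips_by_user.setdefault(e.user, set()).add(e.source_ip)
    return {u: len(ips) for u, ips in ips_by_user.items() if len(ips) >= threshold}


def demo() -> PhiStore:
    # Constructed sample data: two intake submissions and a handful of accesses.
    store = PhiStore(records={
        "intake-001": {"patient": "J. Doe", "reason": "initial consultation"},
        "intake-002": {"patient": "A. Roe", "reason": "follow-up"},
    })
    store.read("dr.lee", "clinician", "intake-001", "10.0.0.5")
    store.read("dr.lee", "clinician", "intake-002", "10.0.0.5")
    store.read("webteam", "marketing", "intake-001", "10.0.0.9")     # denied
    store.read("frontdesk", "billing", "intake-002", "10.0.0.20")
    store.read("frontdesk", "billing", "intake-002", "203.0.113.7")  # same account, new IP
    return store


if __name__ == "__main__":
    s = demo()
    for e in s.audit_log:
        print(f"{e.timestamp} {e.user:<10} {e.role:<10} {e.action} {e.record_id} "
              f"{'ALLOW' if e.allowed else 'DENY '} from {e.source_ip}")
    print("denied:", [(e.user, e.record_id) for e in denied_attempts(s.audit_log)])
    print("accounts from multiple IPs:", accounts_used_from_many_ips(s.audit_log))
```

The design point is that authorization and logging live in the same place: the store cannot hand out a record without first recording who asked, so the audit trail is complete by construction rather than by discipline. The two checks at the end are the kind of monitoring the Security Rule's logging requirement is meant to feed.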
5. A Privacy Policy That Reflects Reality
Your privacy policy must accurately describe how you collect, store, and use health information. A generic template won't cut it.
What the Penalties Look Like
HIPAA fines range from $100 to $50,000 per violation, with annual caps up to $1.5 million per violation category. In 2024 alone, HHS resolved multiple enforcement actions against small and mid-sized organizations — not just hospitals.
Willful neglect that goes uncorrected sits at the top of the penalty tier. "I didn't know" is not a defense.
The Bottom Line
HIPAA compliance isn't about having a perfect system on day one. It's about having the right architecture, the right agreements, and the right controls in place before something goes wrong.
If you're a Maryland business in or adjacent to healthcare and you're not sure where your website stands, we'll tell you exactly what needs to change — no jargon, no upsell. Start the conversation.
