HIPAA-Compliant Websites for Therapists: What's Actually Required
Most therapists are confused about what HIPAA requires for their website — and vendors exploit that confusion to sell unnecessary products. Here's what the law actually says, what your website needs, and what you can stop worrying about.
The HIPAA Confusion Problem
If you've ever searched for "HIPAA compliant website," you've encountered a wall of fear-based marketing. Vendors selling website services to therapists love to imply that without their specific product, you're one data breach away from a $50,000 fine.
The reality is more nuanced — and far less scary.
HIPAA (the Health Insurance Portability and Accountability Act) does apply to therapists. You are a covered entity under HIPAA. But HIPAA's requirements for your website are significantly narrower than what most vendors claim. Understanding the difference between what's required, what's recommended, and what's unnecessary can save you thousands of dollars and a lot of anxiety.
Let's start with the basics.
What HIPAA Actually Requires for a Website
HIPAA has two main rules that affect your website: the Privacy Rule and the Security Rule. Both focus on one thing: Protected Health Information (PHI).
PHI is any individually identifiable health information — a patient's name combined with their diagnosis, treatment details, appointment history, insurance information, or any other health data. The key word is individually identifiable. A blog post about anxiety is not PHI. A page describing your services is not PHI. A generic contact form that asks "What brings you to therapy?" without collecting a name is not PHI.
HIPAA requires you to protect PHI. Your website only falls under HIPAA requirements to the extent that it collects, stores, or transmits PHI.
This is the critical distinction most vendors gloss over. Let's break down what this means in practice:
| Website Element | Collects PHI? | HIPAA Requirements |
|---|---|---|
| Marketing pages (Home, About, Services) | No | None — these are public information |
| Blog posts | No | None |
| Contact form asking "Name, email, phone, message" | Usually no* | Minimal (see below) |
| Contact form asking about symptoms, diagnosis, or treatment history | Yes | Encryption, access controls, BAA with form processor |
| Online intake forms with health history | Yes | Full HIPAA Security Rule compliance |
| Patient portal with records | Yes | Full HIPAA Security Rule compliance |
| Telehealth video integration | Yes | Full HIPAA Security Rule compliance + BAA |
| Online scheduling (name + appointment type) | Potentially | Depends on what's collected |
*A basic contact form that collects name, email, phone, and a general message ("I'd like to schedule a consultation") is generally not considered PHI by HHS because it doesn't include health information. However, if someone writes "I need help with my depression" in the message field, that message now contains PHI. This is the gray area — and it's why smart contact form design matters.
Contact Forms: The Most Misunderstood Requirement
Contact forms are where the HIPAA confusion is thickest. Let's sort through it clearly.
Scenario 1: Basic contact form (name, email, phone, general message)
If your contact form collects a name, email address, phone number, and a free-text message field — and you're not asking health-related questions — this is not automatically subject to HIPAA. It's the same information any business collects. Someone submitting "Hi, I'd like to learn about your services" has not shared PHI.
However, you should still use HTTPS (a TLS certificate, still commonly sold as an "SSL certificate") on your site as a general security best practice. This encrypts data in transit, which protects the form submission whether or not it contains PHI.
Scenario 2: Contact form with health-related fields
If your contact form asks "What symptoms are you experiencing?", "Have you been diagnosed with any mental health conditions?", or "What medications are you taking?" — you are collecting PHI. Full stop. This form requires:
- TLS/SSL encryption (HTTPS) for data in transit
- Encryption at rest for stored form submissions
- Access controls (who can read the submissions?)
- A Business Associate Agreement (BAA) with any third party that processes or stores the data (your form provider, email service, etc.)
Scenario 3: "Tell us about your concerns" with a free-text field
This is the gray area. You're not explicitly asking for health information, but clients might share it. The safest approach is to either:
- Add a note: "Please do not include specific health information in this form. We'll discuss details during your consultation."
- Treat the form as if it collects PHI and implement appropriate safeguards.
The practical recommendation: Keep your website contact form simple. Name, email, phone, preferred contact method, and a brief message with a note to avoid sharing health details. Save the health-related questions for your HIPAA-compliant EHR intake forms, which are purpose-built for PHI. Your website contact form's job is to start a conversation, not conduct an intake.
The February 2026 Notice of Privacy Practices Update
If you haven't heard about the HHS updates to the HIPAA Privacy Rule that took effect in February 2026, here's what you need to know.
The updated rule strengthens individual rights over their health information and tightens requirements around Notice of Privacy Practices (NPP). Key changes relevant to therapists:
What changed:
- Shorter NPP response time: Patients now have the right to receive their records within 15 days (down from 30 days). This primarily affects your EHR and records management, not your website.
- Electronic access requirement: You must be able to provide records in electronic format if requested. Again, this is an EHR/practice management issue.
- Updated NPP language: Your Notice of Privacy Practices must be updated to reflect the new rule changes. If you have your NPP posted on your website (and you should), it needs to be updated.
- Strengthened enforcement: HHS increased penalties for non-compliance and expanded investigative authority.
What this means for your website:
- If you publish your NPP on your website, update it to reflect the February 2026 changes. Most EHR vendors have provided updated NPP templates — use those.
- Your website should link to (or display) your current NPP from your Privacy Policy page or footer.
- If you don't have your NPP on your website, consider adding it. It's not strictly required to be on your website (HIPAA requires you to provide it to patients at their first visit and to make it "available" — which posting online satisfies).
What this does NOT mean: The February 2026 update did not add new website-specific requirements. You don't need to rebuild your site, add new encryption, or sign new BAAs with your website host solely because of this update. The changes primarily affect how you handle records requests and patient rights.
Common HIPAA Website Myths (Debunked)
Let's address the myths that cost therapists the most money and stress.
Myth 1: "I need a BAA with my website hosting provider."
Not necessarily. A BAA (Business Associate Agreement) is required with any entity that creates, receives, maintains, or transmits PHI on your behalf. If your website host is simply serving public web pages (your marketing site, blog, service descriptions), it's not handling PHI. No BAA required.
If your hosting provider also processes contact form submissions that contain PHI, or stores patient data — then yes, you need a BAA. But that's a function of what your site does, not where it's hosted.
Myth 2: "My entire website must be HIPAA compliant."
No. Only the parts that handle PHI. Your homepage, About page, blog, and service pages are public marketing content. They don't need HIPAA-specific protections beyond standard web security (HTTPS, which you should have regardless).
Myth 3: "I need a special HIPAA-compliant website builder."
This is the most expensive myth. What you need is:
- HTTPS on your entire site (standard on any modern host)
- A contact form that doesn't collect PHI (or, if it does, proper safeguards)
- A HIPAA-compliant EHR/intake system for collecting health information (SimplePractice, TherapyNotes, Jane App — these are already HIPAA compliant and provide their own BAAs)
- Your NPP accessible to patients
Your website and your EHR are different things. The EHR is where PHI lives. The website is your marketing presence. They have different compliance requirements.
Myth 4: "Google Analytics violates HIPAA."
Standard Google Analytics (GA4) on a therapist marketing website does not violate HIPAA — as long as you're not tracking pages that contain PHI. GA4 collects page views, session duration, traffic sources, and similar aggregate data. It doesn't know what's in your contact form submissions or who your patients are.
However, avoid using remarketing pixels (Facebook Pixel, Google Ads remarketing) on pages specifically about mental health conditions — the FTC and HHS have both issued guidance that targeting ads based on health-related browsing behavior can violate patient privacy, even if it's not technically PHI under HIPAA.
Myth 5: "If I use WordPress, I'm not HIPAA compliant."
WordPress itself is neither HIPAA compliant nor non-compliant — it's a tool. What matters is how you configure it. The problem with WordPress for therapists isn't HIPAA — it's that most WordPress therapy sites use third-party plugins (contact forms, analytics, chat widgets) that process data in ways the therapist doesn't fully understand. Each plugin that touches potential PHI is a potential compliance gap.
Website vs. EHR: Different Rules for Different Systems
The clearest way to think about HIPAA compliance for your practice is to separate your technology into two categories:
| | Your Website | Your EHR / Practice Management |
|---|---|---|
| Purpose | Marketing, education, first contact | Patient records, scheduling, billing, telehealth |
| PHI exposure | Minimal (contact form at most) | Full PHI (records, notes, diagnoses, billing) |
| HIPAA scope | Limited (protect form data if PHI is collected) | Full HIPAA Security Rule compliance |
| BAA required? | Only if website processes PHI | Yes — with EHR vendor, cloud storage, billing |
| Encryption required? | HTTPS (standard) | At rest + in transit + access controls |
| Audit logging? | Not typically required | Required — who accessed what and when |
| Examples | Squarespace, WordPress, WebsiteTherapy, Wix | SimplePractice, TherapyNotes, Jane App, Alma |
The key insight: Your website's job is to help potential clients find you and decide to reach out. Your EHR's job is to manage the clinical relationship. They have fundamentally different HIPAA obligations because they handle fundamentally different data.
This separation is by design. Keep your website focused on marketing and first contact. Keep PHI in your EHR. When vendors try to sell you a single platform that handles both, make sure each component meets its respective compliance requirements — because mixing marketing and PHI in one system creates the most risk.
What a Properly Configured Therapist Website Looks Like
Here's the practical checklist for a therapist website that meets HIPAA requirements without over-engineering:
Required (non-negotiable):
- HTTPS (SSL certificate) on every page. Free through Let's Encrypt on most hosting platforms. If your URL starts with http:// instead of https://, fix this today.
- Contact form that minimizes PHI exposure. Ask for: name, email, phone, preferred contact method, and a brief message. Add a note: "Please do not include specific health or diagnostic information in this form."
- Privacy Policy page that discloses what data your website collects (form submissions, analytics) and how it's used.
- Notice of Privacy Practices accessible from your website (linked from footer or Privacy Policy page). Updated to reflect the February 2026 rule changes.
Recommended (best practice):
- Form submissions encrypted at rest — even if your form rarely collects PHI, this protects you in case someone shares health details in the message field.
- Automatic form data deletion — don't store form submissions indefinitely. Once you've responded, delete the data or move it to your EHR.
- No remarketing pixels on health-related pages — avoid Facebook Pixel and Google Ads remarketing on pages about specific conditions (anxiety, depression, trauma).
- PHI scrubbing for AI-powered features — if your website has a chatbot or AI assistant, it should detect and redact potential PHI before processing.
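A contact-form handler that enforces the minimal-field design recommended under Scenario 3 together with the flagging, redaction and automatic deletion listed just above, as an added example that is not WebsiteTherapy's code. The field names, the health-term list and the 30-day retention window are assumptions, and the redaction stands in for the separate encryption-at-rest point rather than implementing it.

```python
"""Contact-form handling that enforces the PHI-minimizing design recommended
above. Added example, not WebsiteTherapy's code; the field names, health-term
list and 30-day retention window are assumptions for illustration."""
import re
from datetime import datetime, timedelta, timezone

# The only fields the website form should collect (assumed names).
ALLOWED_FIELDS = {"name", "email", "phone", "preferred_contact", "message"}
# Word stems whose presence makes a free-text message likely to hold PHI
# (constructed starter list; tune it for your practice).
HEALTH_STEMS = ("depress", "anxiet", "diagnos", "medicat", "ptsd", "trauma", "suicid")
HEALTH_RE = re.compile(r"\b\w*(?:%s)\w*\b" % "|".join(HEALTH_STEMS), re.IGNORECASE)
RETENTION = timedelta(days=30)  # assumed window before un-actioned submissions are deleted

def validate_fields(form):
    """Reject a form that collects fields inviting health details (e.g. 'symptoms')."""
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"form collects fields that invite PHI: {sorted(extra)}")
    return {k: form.get(k, "").strip() for k in ALLOWED_FIELDS}

def redact_health_details(text):
    """Mask health-related words so the text can travel over non-BAA channels."""
    return HEALTH_RE.sub("[redacted]", text)

def process_submission(form, now=None):
    """Validate, flag and redact one submission. Only the returned record may be
    e-mailed or stored outside a BAA-covered system; the raw message is not kept."""
    clean = validate_fields(form)
    now = now or datetime.now(timezone.utc)
    return {
        "name": clean["name"], "email": clean["email"], "phone": clean["phone"],
        "preferred_contact": clean["preferred_contact"],
        "message": redact_health_details(clean["message"]),
        "phi_suspected": bool(HEALTH_RE.search(clean["message"])),  # follow up in the EHR
        "expires_at": now + RETENTION,
    }

def purge_expired(records, now):
    """Drop submissions past the retention window (automatic deletion)."""
    return [r for r in records if r["expires_at"] > now]

# Constructed sample submission exercising the gray-area case from Scenario 3.
SAMPLE = {"name": "Jane Doe", "email": "jane@practice.example", "phone": "555-0100",
          "preferred_contact": "email",
          "message": "I need help with my depression and a PTSD diagnosis."}
# process_submission(SAMPLE)["message"]
#   -> "I need help with my [redacted] and a [redacted] [redacted]."
```

Run purge_expired on a schedule; a flagged record is the cue to move the conversation into the EHR instead of replying with details by e-mail.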
Not required for most therapist websites:
- A BAA with your website hosting provider (unless the host processes PHI)
- HIPAA-specific hosting (marketing websites don't need it)
- "HIPAA compliant" website builders (standard HTTPS + smart form design is sufficient)
- Enterprise-grade encryption for your blog and marketing pages
- A dedicated security officer for your website (your practice's HIPAA security officer covers your whole practice)
How WebsiteTherapy handles this: Every site ships with HTTPS, PHI-minimizing contact forms with a privacy note, automated PHI scrubbing on the AI chat assistant (crisis detection + PHI redaction), updated NPP template, privacy policy page, and no remarketing pixels. We don't need a BAA with you for the website itself because your site doesn't store PHI — it connects clients to you, and your EHR handles the rest.
What to Do Right Now
If you're a therapist worried about HIPAA compliance on your website, here are the concrete steps — in priority order:
- Check for HTTPS. Load your website. Does the URL bar show a padlock icon and https://? If not, contact your host to enable SSL. This is free on most platforms and takes minutes.
- Review your contact form. What fields does it include? If it asks about symptoms, diagnoses, or treatment history, either remove those fields or ensure the form processor has a BAA with you and encrypts submissions.
- Add a note to your contact form. Something like: "To protect your privacy, please do not include specific health information in this message. We'll discuss details during your consultation."
- Post your NPP. If your Notice of Privacy Practices isn't on your website, add it. Link to it from your footer. Make sure it reflects the February 2026 updates.
- Check your remarketing pixels. If you're running Facebook Pixel or Google Ads remarketing, review whether it fires on pages about specific mental health conditions. If so, remove it from those pages.
- Separate website from EHR. Your contact form should start a conversation. Your EHR should collect health information. Don't blur the line.
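An offline audit covering step 1 (HTTPS) and step 5 (remarketing pixels) of the list above, as an added example rather than WebsiteTherapy's own tooling. The pixel loader signatures, the condition keywords in URL paths and the sample pages are assumptions; it deliberately leaves a plain GA4 tag unflagged, per Myth 4.

```python
"""Audit marketing pages for the two website-level checks in the steps above:
is the page served over HTTPS, and does a remarketing pixel fire on a page
about a specific condition? Added example, not WebsiteTherapy's tooling; the
pixel signatures and the condition keywords are assumptions."""
import re
from urllib.parse import urlparse
from urllib.request import urlopen

# Loader patterns for the pixels the article names (assumed identifiers: the
# Facebook fbevents.js loader and Google Ads "AW-" remarketing IDs). A plain
# GA4 "G-" config is deliberately not matched, per Myth 4 above.
PIXEL_SIGNATURES = {
    "Facebook Pixel": re.compile(r"connect\.facebook\.net/[^\"'\s]*fbevents\.js"),
    "Google Ads remarketing": re.compile(r"gtag\(\s*['\"]config['\"]\s*,\s*['\"]AW-"),
}
# URL path keywords that mark a page as being about a specific condition.
CONDITION_TERMS = ("anxiety", "depression", "trauma", "ptsd", "grief")

def audit_page(final_url, html):
    """Return findings for one page, given its URL after redirects and its HTML."""
    findings = []
    parsed = urlparse(final_url)
    if parsed.scheme != "https":
        findings.append("not served over https")
    condition_page = any(t in parsed.path.lower() for t in CONDITION_TERMS)
    for name, pattern in PIXEL_SIGNATURES.items():
        if pattern.search(html):
            if condition_page:
                findings.append(f"remove: {name} fires on a condition-specific page")
            else:
                findings.append(f"review: {name} present on a general page")
    return findings

def fetch_and_audit(url):
    """Fetch a live page (redirects followed) and audit it; needs network access."""
    with urlopen(url, timeout=10) as resp:
        return audit_page(resp.geturl(), resp.read().decode("utf-8", "replace"))

# Constructed sample pages standing in for a crawl of a real site.
SAMPLE_PAGES = {
    "http://practice.example/anxiety-therapy":
        "<script src='https://connect.facebook.net/en_US/fbevents.js'></script>",
    "https://practice.example/about": "<script>gtag('config', 'G-XXXXXXX');</script>",
    "https://practice.example/depression": "<script>gtag('config', 'AW-000000000');</script>",
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(url, audit_page(url, html))
```

Pixels injected by a tag manager only appear in the rendered page, so for a live site pass the post-load HTML from a browser rather than the raw fetch.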
That's it. If you do these 6 things, your website meets HIPAA requirements. You don't need to buy a special platform, sign expensive BAAs, or rebuild your site from scratch.
HIPAA exists to protect your clients' health information. That's a good thing. But protecting PHI doesn't mean locking down your entire marketing presence. It means being thoughtful about where PHI lives — and keeping it out of places where it doesn't need to be.
Sources: HHS.gov HIPAA Privacy Rule (45 CFR Parts 160, 164), HHS February 2026 HIPAA Privacy Rule Update, FTC Health Breach Notification Rule enforcement actions (2024-2025), APA Practice Organization HIPAA guidance, HHS Office for Civil Rights enforcement database.