
A Beginner’s Guide to HIPAA Compliant Websites

If you’re involved in the healthcare industry, you should be thinking about how HIPAA affects your website. This guide serves as a great starting point for learning about HIPAA guidelines in the online world.

In part 1, we will identify if your website is at risk for violating HIPAA. In part 2, we will discuss how to ensure your website is compliant. And in part 3, we include some further reading on HIPAA.

Part 1: Are you at risk of violating HIPAA?

Does your website need to be HIPAA compliant?

To answer that question, you must answer this one: does your website store or transmit protected health information? If so, your website needs to comply with HIPAA regulations. More details below.


What is protected health information?

Protected health information (PHI) is personally identifiable medical or payment information related to health services. That includes:

  • Identifiable demographic or genetic information related to health
  • Information relating to the physical or mental condition of an individual
  • Payment or financial information related to healthcare

In December 2022, the Department of Health & Human Services released new guidance indicating that it considers IP addresses and user or device IDs a form of protected health information as well. While this guidance is still being debated, conservative healthcare organizations are already moving to protect patients’ and potential patients’ IP addresses and user IDs.


Is your website collecting protected health information?

If your website collects any individually identifiable medical information, such as symptoms, conditions, or requested healthcare services, you are collecting PHI.

You might be receiving PHI through:

  • Contact forms that ask about symptoms, medical services, medications or other health-related information
  • Online patient forms
  • Live chat
  • Patient Portals
  • Patient reviews or testimonials
  • Any other information-collecting tools on your website, including analytics or advertising platforms


How do you know if you’re storing protected health information?

Once you understand what PHI is and whether you collect it through your website, you should consider how and if you are storing that information. The Privacy Rule of HIPAA requires that entities that store PHI take reasonable measures to protect it. If you keep individually identifiable medical information on a server, that server must be encrypted and secure to the unique standards of the HIPAA regulations.


How do you know if you’re transmitting protected health information?

Transmitting PHI includes sending information via email, web forms or other types of digital messaging. To stay HIPAA compliant when transmitting PHI, all emails, email servers and web forms involved should be encrypted and secured.


Do you need to sign a business associate contract?

If vendors or service providers you work with store, transmit or have access to PHI, then you should sign a business associate contract with them to meet HIPAA guidelines (with some exceptions).

Depending on the data that is shared with third parties, you may need to sign a business associate agreement (BAA) with any of the following:

  • Hosting providers
  • Consultants
  • Digital marketing firms
  • Accountants
  • Analytics platforms
  • Advertising platforms
  • Other partners that have access to data you collect

What is a business associate contract?

A business associate contract is an agreement between an organization and its “business associate” that has access to PHI collected by the organization. The contract requires that business partners follow HIPAA guidelines to keep PHI secure. Learn more about the provisions of the business associate agreement here.


What if your website is not HIPAA compliant?

If your website collects, stores, or transmits PHI, and does not take reasonable measures to secure that data, you may be in violation of HIPAA. If you are, you run the risk of HIPAA penalty fines, which are not cheap. Depending on the scale of the violation, the number of patients affected, and the level of negligence, a fine can range from $100 to $50,000. Larger class action lawsuits have been filed, which is important to consider given that many websites and online tools transmit and store large amounts of data.

Part 2: How to Make Your Website HIPAA Compliant

How do you make your website HIPAA compliant?

If your site is not compliant, you should establish new processes, starting with these essential steps:

  • Purchase and implement an SSL certificate for your website
  • Ensure all web forms on your site are encrypted and secure
  • Only send emails containing PHI through encrypted email servers
  • Partner with web hosting companies that are HIPAA compliant and have processes for protecting PHI
  • Sign a business associate contract with third parties that have access to your patients’ PHI
  • Ensure that PHI is only accessible to authorized individuals
  • Consider a HIPAA-compliant analytics platform or implementing server-side Google Tag Manager
  • Establish processes to delete, backup and restore PHI as needed
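
The analytics step in the checklist above is the one that most often trips up healthcare sites, because browser-side tags ship the visitor’s IP address, client/user IDs and page URLs (including query strings carrying form input) straight to the analytics or advertising vendor. A server-side tag manager sits between the browser and the vendor so that you can strip or generalize those values before anything leaves your control. The Python below is an added illustration of that filtering step, written for this guide; it is not Google Tag Manager’s own code or anything from Full Media, and the field names (`client_id`, `user_id`, `search_term`, `form_message`) are assumed for the example rather than taken from any real platform.

```python
import ipaddress
from typing import Any
from urllib.parse import urlsplit, urlunsplit

# Fields that identify an individual visitor or device. These are dropped
# entirely before the event is forwarded (assumed field names for this example).
IDENTIFIER_FIELDS = {"client_id", "user_id", "device_id", "email", "phone"}

# Free-text fields where a visitor might have typed symptoms, conditions or
# requested services; the content is replaced rather than forwarded.
FREE_TEXT_FIELDS = {"search_term", "form_message"}


def generalize_ip(ip_text: str) -> str:
    """Truncate an IP address so it no longer points at one device or household.

    IPv4 addresses are reduced to their /24 network and IPv6 to their /48,
    which keeps coarse geography for reporting while removing the host part.
    """
    address = ipaddress.ip_address(ip_text)
    prefix = 24 if address.version == 4 else 48
    network = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    return str(network.network_address)


def strip_query(url: str) -> str:
    """Remove the query string and fragment from a page URL.

    Query parameters are where appointment-request or symptom-checker forms
    commonly leak user input into analytics page_location values.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def sanitize_event(event: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of an analytics event with PHI-bearing fields removed or generalized."""
    clean: dict[str, Any] = {}
    for key, value in event.items():
        if key in IDENTIFIER_FIELDS:
            continue  # never forward direct identifiers
        if key == "ip":
            clean[key] = generalize_ip(str(value))
        elif key in FREE_TEXT_FIELDS:
            clean[key] = "[redacted]"
        elif key == "page_location":
            clean[key] = strip_query(str(value))
        else:
            clean[key] = value
    return clean


# Constructed sample event, shaped like what a browser tag would send to a
# server-side collector. Values are made up for this example.
SAMPLE_EVENT = {
    "event_name": "page_view",
    "ip": "203.0.113.57",
    "client_id": "GA1.2.123456789.1700000000",
    "user_id": "patient-42",
    "page_location": "https://clinic.example/request-appointment?symptom=chest+pain",
    "search_term": "knee pain specialist",
    "timestamp": 1700000000,
}

if __name__ == "__main__":
    print(sanitize_event(SAMPLE_EVENT))
```

In a real deployment this function would run inside the server-side container (or a small proxy in front of it) on every incoming hit, and the vendor would only ever see the sanitized copy. The list of fields to drop is the part that needs review by whoever owns your privacy program, since a field that is harmless on one site can be PHI on another.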


Still not sure if your website is HIPAA compliant?

Because the internet is such a vast, ever-changing landscape, the language around HIPAA regulations for websites is intentionally vague at times, which leads to a lot of uncertainty. However, if you take reasonable steps to secure PHI, control who accesses it and partner with HIPAA-compliant organizations, you can protect your patients’ privacy and avoid violations and fines. Speaking with experienced attorneys and healthcare-focused digital vendors, and assessing your organization’s own risk tolerance, is important: it ensures that you have done your homework and can show the steps you took to keep your patients’ data secure.

Partner with a healthcare-focused Digital Marketing agency

Full Media works with healthcare organizations of all sizes to grow their patients online through digital marketing, website development and analytics. We are a HIPAA-compliant agency that will sign a BAA with our clients, and we offer specialized consulting and solutions for clients looking to build a compliant website or make their digital analytics HIPAA-compliant.


This article is for general information only and is not formal legal advice.

Lauren Pickens
Chief Privacy Officer / Director of Operations

Celebrating more than a decade with Full Media, Lauren has served in a wide variety of roles that have helped her gain a well-rounded understanding of digital marketing and website development.

Lauren began as an Internet Marketing Analyst with a specialty in paid search advertising, providing both SEO and PPC management to a diverse group of clients. After spending time as the department Director for Internet Marketing and subsequently Production (website development team), she was promoted to be the Director of Operations. In this role, Lauren is responsible for providing the infrastructure to Full Media team members that facilitate client success through a mix of leadership, process improvements, and growth in team capabilities. She also serves as the project manager for custom website projects, using her combined expertise in marketing and development to ensure the successful launch of complex website redesign projects.