HIPAA Basics

What makes a website HIPAA compliant?

A HIPAA compliant website must implement technical, administrative, and physical safeguards to protect Protected Health Information (PHI). Key requirements include:

  • Encryption: TLS (HTTPS) for all data in transit, and AES-256 encryption for data at rest
  • Access Controls: Unique user IDs, strong passwords, multi-factor authentication, and role-based access
  • Audit Logging: Comprehensive logging of all access to PHI with secure log retention
  • Secure Forms: Encrypted form submissions that don't send PHI via unencrypted email
  • Backup Procedures: Regular, encrypted backups with documented recovery procedures
  • Business Associate Agreement: Signed BAA with your hosting provider and all vendors accessing PHI
  • Policies & Training: Documented security policies and staff training programs

Does my healthcare website need to be HIPAA compliant?

If your website collects, stores, transmits, or processes any Protected Health Information (PHI), then yes, it must be HIPAA compliant. This includes:

  • Contact forms that ask about health conditions or symptoms
  • Patient portals with access to health records
  • Appointment scheduling systems that include health information
  • Online patient intake or registration forms
  • Secure messaging between providers and patients
  • Prescription refill request functionality
  • Online bill pay linked to patient accounts
  • Telehealth or video consultation features

Even a simple contact form asking "What brings you in today?" or requesting health history requires HIPAA compliance measures.

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement (BAA) is a legally binding contract required by HIPAA between a covered entity (like a healthcare provider) and any vendor (business associate) that may access Protected Health Information.

For websites, you need BAAs with:

  • Web hosting providers
  • Cloud service providers (AWS, Azure, Google Cloud)
  • Email service providers (if sending PHI)
  • Form processing services
  • Analytics providers (if they access PHI)
  • Payment processors linked to patient data
  • Backup service providers

The BAA establishes permitted uses of PHI, requires the vendor to implement appropriate safeguards, mandates breach reporting, and ensures HIPAA compliance throughout your vendor chain.

What is the difference between HIPAA and HITECH?

HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996 and established the foundation for protecting health information, including the Privacy Rule and Security Rule.

HITECH (Health Information Technology for Economic and Clinical Health Act) was passed in 2009 and strengthened HIPAA by:

  • Significantly increasing penalties for violations
  • Extending HIPAA requirements directly to business associates
  • Requiring breach notifications to affected individuals and HHS
  • Promoting the adoption of electronic health records
  • Giving state attorneys general authority to enforce HIPAA

Together, HIPAA and HITECH form the regulatory framework for healthcare data protection that governs website compliance.

Requirements

Do I need a privacy policy for my healthcare website?

Yes, healthcare websites need a privacy policy. This is separate from (but related to) the HIPAA Notice of Privacy Practices (NPP) that covered entities must provide to patients.

Your website privacy policy should explain:

  • What information you collect through the website
  • How that information is used and protected
  • Who has access to the information
  • How cookies and tracking technologies are used
  • Third parties who may receive data
  • How users can request access to or deletion of their data
  • How to contact you with privacy concerns

The policy should be easily accessible from every page, typically in the footer.

Do I need a risk assessment for my website?

Yes, HIPAA requires covered entities to conduct regular risk assessments, including for your website if it handles PHI. A risk assessment:

  • Identifies potential threats and vulnerabilities to electronic PHI
  • Evaluates current security measures
  • Determines the likelihood and potential impact of threats
  • Guides implementation of appropriate safeguards
  • Documents your compliance efforts

Risk assessments should be conducted:

  • When first implementing HIPAA compliance
  • Annually as part of ongoing compliance
  • When significant changes are made to your website or systems
  • After any security incident

Can patients sign consent forms online and be HIPAA compliant?

Yes, electronic signatures on consent forms can be HIPAA compliant when implemented correctly. The E-SIGN Act and UETA (Uniform Electronic Transactions Act) provide the legal framework.

For HIPAA compliance, your e-signature system must:

  • Use secure, encrypted connections (HTTPS)
  • Verify the signer's identity appropriately
  • Create tamper-evident records
  • Maintain comprehensive audit trails
  • Store signed documents securely with encryption
  • Be provided by a vendor who will sign a BAA
  • Allow patients to receive copies of signed documents

How often should I update my HIPAA compliant website?

HIPAA compliant websites require ongoing maintenance on various schedules:

  • Security patches: Apply as soon as they are released, and never later than 30 days after release
  • CMS/plugin updates: Review and apply at least monthly
  • Security scans: Weekly or continuously with automated tools
  • Vulnerability assessments: Quarterly
  • Penetration testing: Annually or after major changes
  • Risk assessments: Annually or when significant changes occur
  • BAA reviews: Annually
  • Policy reviews: Annually
  • Staff training: Annually with regular security reminders
  • Backup testing: Quarterly

Hosting

What hosting providers offer HIPAA compliant hosting?

Major cloud providers and specialized healthcare hosts offer HIPAA-eligible services:

Major Cloud Providers:

  • Amazon Web Services (AWS) - with BAA
  • Microsoft Azure - with BAA
  • Google Cloud Platform - with BAA

When evaluating any hosting provider, ensure they offer:

  • Willingness to sign a Business Associate Agreement
  • Encrypted data storage (at rest and in transit)
  • Strong access controls
  • Comprehensive audit logging
  • Independent security attestations (SOC 2, HITRUST) covering physical and operational controls
  • 24/7 security monitoring
  • Incident response capabilities
  • Geographic data residency options

Important: Standard shared hosting providers typically do not offer HIPAA compliance and won't sign BAAs.

Can I use WordPress for a HIPAA compliant website?

Yes, WordPress can be used for a HIPAA compliant website, but it requires significant security hardening and careful configuration. Out of the box, WordPress is not HIPAA compliant.

Requirements for HIPAA-compliant WordPress:

  • HIPAA-compliant hosting provider with signed BAA
  • Security-hardened WordPress configuration
  • Properly vetted and secure plugins only
  • HIPAA-compliant form handling (not standard contact forms)
  • Encrypted database and file storage
  • Strong access controls and user authentication
  • Comprehensive audit logging
  • Regular security updates and monitoring
  • Removal of unnecessary plugins and themes

Many standard WordPress plugins (especially form plugins) are not HIPAA compliant. Working with a HIPAA-specialized WordPress developer is strongly recommended.

Technical Questions

Can I use Google Analytics on a HIPAA compliant website?

Standard Google Analytics is not HIPAA compliant, and Google states that it will not sign a BAA for Google Analytics.

However, you may be able to use Google Analytics if:

  • You exclude all pages that contain or collect PHI from tracking
  • You don't use User ID features with patient identifiers
  • URLs don't contain any PHI
  • Custom dimensions/events don't include PHI
  • IP anonymization is enabled

Alternatives to consider:

  • HIPAA-compliant analytics platforms
  • Self-hosted analytics solutions (Matomo/Piwik)
  • Server-side analytics that don't share data with third parties

How do I secure contact forms for HIPAA compliance?

HIPAA compliant contact forms require multiple security measures:

  • Encryption in Transit: All form submissions must use HTTPS with TLS 1.2 or higher
  • Server-side Processing: Forms must be processed on HIPAA-compliant infrastructure
  • Encrypted Storage: Submitted data must be encrypted at rest
  • Access Controls: Limit who can view form submissions
  • Audit Logging: Log all access to form data
  • BAA Coverage: Any third-party form service must sign a BAA
  • No Unencrypted Email: Never send PHI via standard email

Best Practices:

  • Use secure patient portals for health-related communications
  • Limit the PHI collected through web forms
  • Provide clear disclaimers about form security
  • Offer alternative contact methods for sensitive information
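The encrypted-storage, access-control, audit-logging and no-PHI-in-email measures above, combined in one small Go form-handler back end. This is an added illustration, not code from the original page: the AES-256-GCM key is passed in directly (a real deployment would fetch it from a KMS or HSM), the "clinical-staff" role name and the in-memory record map are assumptions, and the only thing that should go into a staff notification e-mail is the reference ID that Save returns.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Store keeps submissions encrypted at rest (AES-256-GCM) plus an audit trail; the key comes from a KMS/HSM in practice.
type Store struct {
	aead    cipher.AEAD
	records map[string][]byte // reference ID -> nonce || ciphertext
	Audit   []string
}

// NewStore takes a fixed-size key, so AES-256 (32-byte key) is enforced by the type.
func NewStore(key [32]byte) *Store {
	block, _ := aes.NewCipher(key[:]) // cannot fail: key length is fixed by the array type
	aead, _ := cipher.NewGCM(block)   // cannot fail: AES always has a 128-bit block
	return &Store{aead: aead, records: map[string][]byte{}}
}

func (s *Store) log(actor, action, id string) {
	s.Audit = append(s.Audit, time.Now().UTC().Format(time.RFC3339)+" actor="+actor+" action="+action+" id="+id)
}

// Save encrypts a form body, bound to its reference ID via GCM additional data, and returns only that ID.
func (s *Store) Save(actor string, body []byte) (string, error) {
	buf := make([]byte, 8+s.aead.NonceSize())
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id, nonce := hex.EncodeToString(buf[:8]), buf[8:]
	s.records[id] = s.aead.Seal(nonce, nonce, body, []byte(id)) // stored as nonce || ciphertext || tag
	s.log(actor, "create", id)
	return id, nil
}

// Load decrypts one record for a permitted role; every attempt, allowed or denied, is logged.
func (s *Store) Load(actor, role, id string) ([]byte, error) {
	rec, ok := s.records[id]
	if role != "clinical-staff" || !ok {
		s.log(actor, "denied", id)
		return nil, errors.New("access denied")
	}
	s.log(actor, "read", id)
	return s.aead.Open(nil, rec[:s.aead.NonceSize()], rec[s.aead.NonceSize():], []byte(id))
}
```

Because the reference ID is authenticated as additional data, a record copied under a different ID, or edited on disk, fails to decrypt instead of silently returning altered PHI.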

Compliance

What should I do if my healthcare website is breached?

If you discover a breach affecting PHI, follow these steps:

  1. Contain the Incident: Immediately isolate affected systems to prevent further unauthorized access
  2. Document Everything: Record all details about the breach, including timeline, affected systems, and actions taken
  3. Conduct Risk Assessment: Determine if PHI was actually acquired or viewed, and identify affected individuals
  4. Notify HHS:
    • Breaches affecting 500+ individuals: Notify within 60 days
    • Smaller breaches: Log and report annually
  5. Notify Affected Individuals: Send written notification without unreasonable delay (within 60 days)
  6. Media Notification: For breaches affecting 500+ in a state, notify prominent media outlets
  7. Implement Corrective Measures: Fix vulnerabilities and prevent future incidents

Important: Having an incident response plan documented before a breach occurs is essential for effective response.

Costs & Penalties

How much does a HIPAA compliant website cost?

HIPAA compliant website costs vary significantly based on complexity and features:

Initial Development:

  • Basic compliant website: $5,000 - $15,000
  • Custom healthcare website: $15,000 - $50,000
  • Patient portal with EHR integration: $50,000 - $150,000+

Ongoing Costs:

  • HIPAA compliant hosting: $200 - $500+/month
  • Maintenance & security monitoring: $200 - $1,000+/month
  • Annual security assessments: $2,000 - $10,000
  • Compliance consulting: $150 - $300/hour

While HIPAA compliant solutions cost more than non-compliant alternatives, they protect against penalties of up to $1.5 million per violation category and the significant costs of breach response and reputational damage.

What are the penalties for HIPAA website violations?

Civil Penalties (per violation):

Violation Type                    Minimum    Maximum
Unknowing                         $100       $50,000
Reasonable Cause                  $1,000     $50,000
Willful Neglect (Corrected)       $10,000    $50,000
Willful Neglect (Not Corrected)   $50,000    $1,500,000

Annual Maximum: $1,500,000 per violation category

Criminal Penalties:

  • Knowingly obtaining/disclosing PHI: Up to $50,000 and 1 year imprisonment
  • False pretenses: Up to $100,000 and 5 years imprisonment
  • Intent for personal gain: Up to $250,000 and 10 years imprisonment

Additional Costs: Breach notification, credit monitoring, legal fees, corrective action plans, and reputational damage.
