HIPAA Compliant Website: Do You Actually Need One?

Here’s something that might surprise you: after 15 years building websites for healthcare practices, I can tell you that most of them don’t actually need HIPAA compliance. Not the website itself, anyway.

Most healthcare practice websites are marketing tools, not patient data systems. The compliance requirements that keep practice owners up at night typically apply to where patient health information lives and moves—and that’s rarely your main website. By separating your marketing presence from your patient management systems, you can build a professional healthcare website without the $20,000+ compliance overhead. This architectural approach protects patients, satisfies regulations, and saves you significant money.

I’ve watched practice owners spend months and tens of thousands of dollars making their entire website “HIPAA compliant” when all they really needed was a clean separation between their marketing site and their patient systems. The main reason is that there’s a lot of confusion about what actually requires compliance—and plenty of vendors happy to sell you solutions to problems you don’t have.

In this guide, I’ll walk you through exactly when websites do and don’t need compliance, introduce you to the separation architecture that works for most practices, and give you a clear framework for making this decision yourself.

Disclaimer: This article provides website architecture guidance for healthcare practice owners. It is not legal advice, compliance advice, or a substitute for consultation with qualified HIPAA compliance professionals. For specific compliance requirements, consult qualified legal and compliance experts.

The Compliance Question Everyone Asks Wrong

“Do I need a HIPAA compliant website?” It’s the first question most healthcare practice owners ask when they start thinking about building or redesigning their site. And it’s the wrong question.

The right question is: “Will my website handle, store, or transmit protected health information?”

That single word—website—is where the confusion starts. When most people say “website,” they’re thinking about one unified thing. But in reality, what patients experience as “your online presence” is usually multiple systems working together. Your marketing pages. Your appointment scheduler. Your patient portal. Your telehealth platform. These can be—and often should be—completely separate systems.

HIPAA regulations aren’t specifically about websites. They’re about protecting patient health information wherever it exists. A paper filing cabinet needs protection. An email system needs protection. And yes, digital systems that handle health data need protection. The question isn’t whether your business needs to think about HIPAA—if you’re a covered entity or business associate, of course you do. The question is whether your marketing website specifically needs to be built to compliance standards.

In my experience working with medical practices, dental offices, therapy practices, and specialty clinics, the answer is usually no. Their websites are marketing tools. Patient information lives somewhere else entirely—in practice management software, in EHR systems, in dedicated patient portals built specifically for that purpose.

Understanding this distinction can save you $20,000 or more on your website project. More importantly, it can get you online faster with a site that actually serves its marketing purpose well.

When Websites Actually Need HIPAA Compliance

Let’s be clear about when your actual website does need to meet compliance requirements. If you’re building any of these directly into your website (not linking to external systems), you’re in compliance territory.

Patient Portals Built Into Your Website

If patients log in to your website to access their health records, you need compliance. This means the login system, the database storing that information, the server hosting it, and every piece of infrastructure in between needs to meet security requirements. I’ve seen practices try to build custom patient portals into their WordPress sites, and the complexity multiplies quickly. Encryption at rest, encryption in transit, access controls, audit logging, backup procedures—it adds up.

The main reason practices consider this: they want a seamless branded experience. Understandable, but the cost-benefit rarely works out. Dedicated patient portal systems do this better and cheaper.

Online Intake Forms Collecting Health Information

General contact forms asking for name, email, and “how can we help?” don’t trigger compliance requirements. But the moment you’re asking for symptoms, diagnoses, medications, or treatment history on a form built into your website, you’re collecting protected health information.

Keep in mind that the line isn’t always obvious. “What brings you in today?” could go either way depending on how patients answer. “Describe your current medications” is clearly collecting health data.

Secure Messaging and Chat Features

If patients can message their provider through your website—not through a linked external system, but through chat functionality built into your site—that’s a compliance concern. Those messages likely contain health information, which means the entire messaging system needs protection.

Embedded Telehealth Systems

This is less common now, but some practices explored building video consultation features directly into their websites. If the telehealth session happens within your website’s infrastructure, compliance requirements apply. Today, most practices wisely use dedicated telehealth platforms instead.

When Websites DON’T Need Compliance (Most Cases)

Here’s where most healthcare practice websites actually fall. If your website sticks to these functions, compliance requirements typically don’t apply to the site itself.

Marketing and Informational Content

Your service descriptions, provider bios, office photos, blog posts about health topics, insurance information, and office policies—none of this is protected health information. It’s the same content any business might publish. A page explaining what to expect during a first visit isn’t different from a restaurant explaining their reservation policy.

I’ve worked with practices whose websites have hundreds of pages of helpful content: condition explanations, treatment overviews, patient education resources. All valuable for patients and for search visibility. None of it requires compliance because none of it contains information about specific patients.

General Contact Forms

A contact form that collects name, email, phone number, and a general message field doesn’t typically require compliance. This is standard business contact information. Yes, someone might voluntarily include health details in their message, but the form isn’t designed to collect health information.

That said, I recommend keeping contact form prompts generic. “How can we help you?” rather than “Describe your symptoms.” The former is clearly a general inquiry; the latter is actively soliciting health information.

As a result, you can use standard form handling, standard email delivery, and standard website hosting. The overhead drops dramatically.

Links to External Patient Systems

This is the key insight that saves most practices from expensive over-engineering.

Your website can link to compliant systems without itself needing compliance. A button that says “Access Patient Portal” and links to SimplePractice, Kareo, or your EHR’s portal isn’t handling patient data. It’s just a link. The linked system handles compliance. Your website is just pointing the way.

This approach gives patients a seamless experience: they click from your site and land in a secure, compliant environment, without your marketing site carrying that burden.

The Separation Architecture Explained

Now let’s get practical. This is the architectural approach I recommend for most healthcare practices, and it’s the approach we use for the majority of our healthcare website design projects.

Layer 1: Your Marketing Website

This is your standard, professionally built website. It runs on normal hosting. It uses a standard content management system like WordPress. It’s optimized for search engines, loads fast, looks great on mobile, and showcases your practice effectively.

What lives here:

  • Homepage with your value proposition
  • Service and treatment pages
  • Provider bios and credentials
  • Office information (location, hours, contact details)
  • Blog or educational content
  • Testimonials and reviews (with proper consent)
  • Insurance and payment information
  • General contact forms
  • Calls to action with links to patient systems

This layer can be built by any competent web agency. It doesn’t require specialized compliance expertise (though healthcare experience helps with other aspects). Development costs are standard. Hosting costs are standard. Maintenance is straightforward.

Layer 2: Third-Party Patient Management Tools

This is where patient health information actually lives, and it’s not on your website.

What lives here:

  • Patient intake forms (through the portal system)
  • Health records and visit notes
  • Appointment scheduling with clinical details
  • Secure messaging
  • Telehealth video sessions
  • Prescription management
  • Billing and claims with health information

These systems are purpose-built for healthcare. The vendors have invested millions in security infrastructure, compliance certifications, and ongoing monitoring. They sign Business Associate Agreements. They handle the complexity so you don’t have to.

SimplePractice, Jane App, Kareo, DrChrono, Doxy.me, Klara—these companies exist specifically to solve this problem. Your job is to choose the right one for your practice, not to recreate what they’ve built.

Layer 3: The Bridge (Simple Links)

The magic happens in the simplest possible way: links.

Your marketing website includes strategically placed calls to action that link out to your patient systems. “New Patient? Complete Your Intake Forms” links to your practice management system’s intake workflow. “Schedule an Appointment” links to your scheduling system. “Existing Patients: Access Your Portal” links to your patient portal.

These links don’t transfer data. They don’t process information. They’re just navigation. A patient clicks the link, lands in the compliant system, and everything that happens from there is handled by that system’s infrastructure.

Why This Approach Wins

Cost savings: Building a custom compliant website infrastructure can cost $20,000-$50,000 or more, plus ongoing security maintenance. The separation approach costs whatever your marketing website costs (typically $5,000-$15,000 for a professional medical practice website design) plus your monthly fee for patient management software (often $50-$300/month).

Speed to launch: A marketing website can be built in 4-8 weeks. A compliant website with custom patient portals? Double or triple that timeline.

Better patient experience: Dedicated patient management systems have refined their user experience over years. They’re better at what they do than any custom solution you’d build.

Reduced risk: You’re not in the security infrastructure business. Let specialists handle it.

Easier maintenance: Update your marketing site without worrying about breaking patient data systems. Update your practice management software independently.

Third-Party Patient Management Options

Let me walk you through the categories of tools that handle the compliant layer, so you can make informed decisions.

Practice Management Systems

These all-in-one platforms handle scheduling, intake, documentation, billing, and patient communication. Most include patient portals where patients can access their records, complete forms, and message providers.

Popular options include:

  • SimplePractice – particularly strong for mental health and therapy practices
  • Jane App – popular with physical therapy, chiropractic, and allied health
  • Kareo – widely used across medical specialties
  • DrChrono – full EHR with strong iPad support
  • athenahealth – enterprise-level for larger practices
  • AdvancedMD – comprehensive for multi-location practices

These vendors sign Business Associate Agreements, maintain compliance certifications, and handle the infrastructure burden.

Telehealth Platforms

If your practice management system doesn’t include telehealth, or you need a more robust video solution, dedicated telehealth platforms fill this gap.

Common choices:

  • Doxy.me – free tier available, very simple to use, no downloads required for patients
  • Zoom for Healthcare – familiar interface, BAA available, more features than consumer Zoom
  • VSee – designed for healthcare from the ground up
  • Teladoc/Livongo – enterprise solutions for larger organizations

What to Look For in Vendors

When evaluating these tools, look for:

  • Business Associate Agreement (BAA) availability – non-negotiable
  • Clear security documentation – encryption standards, access controls, audit logs
  • Compliance certifications – SOC 2, HITRUST, or similar third-party validation
  • Patient-friendly interface – your patients need to actually use this
  • Integration capabilities – can it connect with your other systems?
  • Pricing transparency – understand the full cost including per-provider fees
  • Support quality – when things go wrong, can you get help?

Keep in mind that the cheapest option isn’t always the best value. A frustrating patient experience costs you in other ways—no-shows, complaints, and patients who simply don’t complete intake forms.

Decision Framework: Does YOUR Website Need Compliance?

Here’s a practical framework for making this decision for your specific situation.

The Three-Question Test

Question 1: Will patient health information be entered directly into your website?

Not linked systems. Your actual website. If someone is typing their symptoms, medications, diagnoses, or treatment history into a form that’s part of your website infrastructure, that’s a yes.

Question 2: Will patient health information be stored on your website’s servers?

Are medical records, intake forms with health data, or clinical notes sitting in your website’s database? If the data lives on your hosting account, that’s a yes.

Question 3: Will patient health information be transmitted through your website’s systems?

This includes messaging, file uploads containing health data, or any other transmission where your website’s infrastructure carries the data from point A to point B.

If you answered NO to all three questions, your website likely doesn’t need to be built to compliance standards. Your practice still has compliance obligations, but your marketing website isn’t where that happens.

If you answered YES to any question, you either need a compliant website infrastructure OR you need to redesign to move those functions to appropriate third-party systems.

Common Scenarios Answered

Scenario | Compliance Needed? | Recommendation
Informational site with provider bios and service pages | No | Standard website
Contact form asking for name, email, message | No | Standard website
“Schedule appointment” button linking to external scheduler | No | Standard website with links
Intake forms built into website collecting health history | Yes | Move to practice management system
Chat feature where patients discuss symptoms | Yes | Use compliant messaging platform
Patient login to view records stored on your server | Yes | Use dedicated patient portal
Blog with health education content | No | Standard website
Embedded telehealth video on your domain | Yes | Use dedicated telehealth platform

When You’re Unsure

Some situations aren’t clear-cut. Maybe you’re collecting information that might be considered health data. Maybe you’re building something novel.

In my experience, when you’re genuinely unsure, the safest path is to move the questionable function to a compliant third-party system. The cost difference is usually minimal, and you eliminate the ambiguity.

For truly complex situations—large healthcare organizations, novel applications, unusual data flows—bring in qualified compliance professionals. The architectural decisions matter less than getting the compliance assessment right.

When You DO Need a Compliant Website

I’ve spent most of this article explaining why you probably don’t need compliance for your website. But let me be clear about when you do.

Use Cases That Require Compliance

Large health systems with resources to build and maintain custom infrastructure sometimes choose to build proprietary patient portals. The scale justifies the investment.

Specialized applications where no third-party solution fits your workflow might require custom development. Rare, but it happens.

Tight integration requirements where business needs genuinely require patient data to flow through your website systems. Again, unusual, but some practices have legitimate needs here.

When your compliance team determines it’s necessary. If qualified compliance professionals assess your situation and conclude your website must meet compliance standards, listen to them.

What Compliance Involves

Building a truly compliant website infrastructure includes:

  • Encrypted data storage and transmission
  • Robust access controls and authentication
  • Comprehensive audit logging
  • Documented security policies and procedures
  • Regular security assessments and updates
  • Backup and disaster recovery systems
  • Staff training and access management
  • Business Associate Agreements with all vendors in the chain
  • Physical security for hosting infrastructure

This isn’t a one-time cost. It’s ongoing operational overhead. For WordPress specifically, you’ll need hosting providers that sign BAAs and specific security configurations—our HIPAA compliant WordPress hosting guide covers provider options and technical requirements in detail.

When to Bring in Specialists

If your situation genuinely requires a compliant website—not just a marketing site with links to compliant systems, but actual compliance—work with specialists. This means both a healthcare website design company experienced in compliant development AND qualified compliance professionals to guide requirements and validate implementation.

As a result, you’ll have a system that actually meets requirements rather than one that looks compliant but has gaps.

Working With Your Web Agency

Whether you’re building a marketing site or something more complex, the conversation with your web agency matters.

Questions to Ask

“How do you typically approach healthcare practice websites?”

Listen for whether they understand the separation architecture. If they immediately jump to “we’ll make everything compliant,” that’s a yellow flag—they might not understand when it’s necessary versus when it’s overkill.

“Can you show me examples of healthcare sites you’ve built?”

Experience with healthcare practices—even just marketing sites—means they understand the nuances. Provider credential presentation. Before/after photo considerations. Insurance and payment communication.

“How would you handle patient intake forms?”

The right answer involves third-party practice management integration, not building forms into the website that collect health information.

“What’s your recommended approach for appointment scheduling?”

Again, look for integration with established scheduling systems rather than custom builds.

Red Flags to Watch For

  • Promising to “make your whole site HIPAA compliant” without understanding your needs – this suggests they don’t understand the nuances
  • No healthcare portfolio at all – general web agencies can build healthcare marketing sites, but some experience helps
  • Unable to articulate the separation between marketing sites and patient systems – this is basic healthcare web knowledge
  • Pushing proprietary patient portal solutions – unless you have a very specific need, established third-party systems are almost always better

How We Approach Healthcare Projects

In my work with healthcare practices, the conversation always starts with understanding what functions the website actually needs to serve. Most of the time, we’re building marketing sites that excel at attracting and converting patients, with strategic links to whatever practice management systems the practice uses.

We’ve built sites for solo practitioners and multi-location specialty practices. The marketing site approach works across the spectrum. The practice management layer differs based on practice size and specialty, but the website layer stays clean.

When practices do need more complex integrations—and occasionally they do—we have those conversations honestly. Sometimes the right answer is “you need a different kind of agency for that” or “you need compliance professionals involved in this decision.”

Making the Right Choice for Your Practice

The vast majority of healthcare practices don’t need to invest in making their websites HIPAA compliant. They need well-designed marketing websites that attract patients, clearly communicate services, and link smoothly to compliant third-party systems for the actual patient data handling.

Three things to remember:

  1. Separate your marketing presence from your patient data systems. This is the architectural decision that simplifies everything else.
  2. Use established practice management and telehealth platforms. They’ve invested millions in building compliant infrastructure so you don’t have to.
  3. When genuinely unsure, consult qualified professionals. Not every situation fits neatly into frameworks. Complex needs deserve expert assessment.

This approach gets you online faster, at lower cost, with a website that actually serves its marketing purpose, while your patients’ information stays protected in systems built specifically for that purpose.

If you’re planning a website project for your practice and want to think through the right architecture, that’s the conversation we love having with healthcare practice owners.

Frequently Asked Questions

Does my therapy practice website need HIPAA compliance?

Your therapy practice marketing website typically doesn’t need HIPAA compliance if it sticks to marketing functions. Showcase your services, share your approach, and provide contact information on your standard website. For intake forms, scheduling, secure messaging, and telehealth, use a practice management system like SimplePractice or TherapyNotes. Link to these systems from your website. The linked systems handle compliance; your marketing site doesn’t need to.

Yes, a general contact form collecting name, email, phone, and a general message is typically fine on a healthcare marketing site. Keep the prompts generic—“How can we help?” rather than “Describe your symptoms.” If someone voluntarily includes health details, that’s different from you actively soliciting health information. For forms that deliberately collect health data, use your compliant practice management system.

HIPAA compliance for websites involves encrypted data storage and transmission, access controls, audit logging, security policies, and Business Associate Agreements with vendors. It requires ongoing security maintenance, not just one-time setup. This is why the separation architecture is so powerful—dedicated patient management systems handle this complexity, and your marketing website doesn’t need to.

WordPress is appropriate for healthcare marketing websites that follow the separation architecture. Keep WordPress and plugins updated, use quality hosting, implement standard security practices. For patient health information, use dedicated compliant systems—don’t store health data in your WordPress database. WordPress isn’t designed to be a healthcare data platform, but it’s excellent for marketing websites. If you do need to handle PHI through WordPress, see our guide to HIPAA compliant WordPress hosting for provider comparison and configuration requirements.

A marketing website with links to compliant systems costs $5,000-$15,000 for professional development. A custom website with built-in compliant patient portal infrastructure can cost $20,000-$50,000+ for initial development, plus significant ongoing security maintenance. The separation approach costs far less while actually providing better patient experiences through specialized systems.

Links to telehealth platforms don’t require your website to be compliant. The link is just navigation. When patients click through to Doxy.me, Zoom for Healthcare, or another compliant telehealth platform, that system handles compliance. Your website’s job is just to provide the link—the same as linking to any external service.
