Many website builders are marketed as “HIPAA compliant,” but HIPAA applies to PHI flows, not entire websites. This guide compares healthcare-specific and general-purpose website builders, explains where PHI actually lives on medical websites, and outlines what it really means to build a HIPAA-aligned website.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Always consult a qualified attorney or compliance professional when interpreting HIPAA regulations.
Healthcare providers are busy. Patient care is the most visible part of the job, but it’s not all there is. There’s a lot of administrative work that happens behind the scenes. It takes time and effort. Any distractions can slow down the whole operation and directly affect the patient experience. Websites can be one of those distractions. It’s frustrating because an effective website isn’t just a bonus anymore. It’s a requirement for small practices to survive. In a 2023 survey, 75% of respondents claimed they search for new care providers online.
Unfortunately, there’s just not enough time to focus on developing a website and running a practice. Providers need solutions that streamline this process. This helps them stay visible and still have enough energy to provide quality care. That’s where content management systems (CMS) come in. These are more commonly known as website builders. Some of the more well-known options are WordPress and Squarespace.
CMS platforms take the complexity out of web design. Drag and drop editors help anyone build beautiful web pages without coding skills. They’re simple, easy to optimize, and perfect for busy practitioners. However, using these systems for healthcare websites means that HIPAA is always looming in the background.
This blog will explore popular options that are often marketed as HIPAA compliant, general purpose web builders that are used for many medical sites, and what it means to have a HIPAA compliant website.
Many providers choose purpose-built solutions. The following platforms are made specifically for healthcare, and HIPAA compliance is often much easier to obtain.
SimplePractice is an electronic health record (EHR) platform that can be used in a variety of healthcare settings. However, it is mainly marketed toward mental and behavioral health practitioners. A web builder is included in each of their three plans. Naturally, simplicity is key to their platform. The web builder allows providers to select from a set of themes and templates, then add personalization features specific to their practice. It’s a great way to get a website up and running quickly.
For providers who use SimplePractice as their EHR, their site can seamlessly integrate with the rest of the platform. It also includes strong encryption, multi-factor login protection, access controls, and more to aid with compliance requirements. However, for providers outside of mental health, or those who want more robust design controls, it could fall short.
Still, ease of use alone makes it worth checking out, and they offer a 30-day free trial with no credit card required!
PatientGain is different from SimplePractice because it is not part of an EHR. PatientGain is a healthcare marketing service that offers a variety of plans to help providers grow their online presence. Each of their packages includes a website. However, that’s only a small part of the main goal, which is aiding with patient acquisition.
Their Gold Plan starts at $799 a month. The website component works by offering a selection of WordPress designs to choose from. The PatientGain team will then customize their templates for your practice. In this plan, they’ll handle content and ensure your website is hosted on a HIPAA-aligned cloud environment.
It’s good for practices who want a hands-off approach to their website, especially because they also offer search engine optimization (SEO) services in their plans. PatientGain could fall short for providers who want more design control, or those who aren’t looking to pay a higher monthly fee for a full-service team.
Dr. Leonardo sits in the middle ground between SimplePractice and PatientGain. It offers more assistance than SimplePractice, but it’s cheaper than PatientGain without the ongoing marketing services.
Single providers can get custom websites with unlimited pages for $35.00 a month and a one-time activation fee of $95.00. Practices with multiple providers pay $75.00 a month with a $495 activation fee. Each includes HIPAA compliant hosting.
Both options allow providers to design their own sites after starting with a large collection of layouts and themes. Additionally, the Dr. Leonardo team will handle it all for you for an additional charge: single provider sites are offered for $125, and practice sites start at $350.
This is a great choice for providers who want more support and guidance than the full self-service model provided by SimplePractice without having to pay the premium fee for a service like PatientGain.
Healthcare-specific web builders are a great choice because compliance can be easier to set up. They’re simple and quick but can also suffer when it comes to flexibility. For providers who want more freedom, general purpose web builders may be a better choice. This also comes with more compliance responsibilities. There are many CMS options available, but the three most popular are WordPress, Squarespace, and Wix.
WordPress is the industry standard for most digital marketing teams. It offers a lot of design flexibility, while still having easy-to-use drag and drop features. For digital marketers with a lot of clients, it’s the perfect blend of form and function. Clients receive quality websites that can look like they were built from scratch, while the marketing team never has to write a line of code.
Compared to other popular options, WordPress has a bigger learning curve. It’s still easy enough that anyone can use it to design great sites, but for those who want something that’s more guided, it’s not the best option.
Squarespace is geared toward users who want a beautiful website without needing to dive too deeply into the specifics. It’s beginner friendly and template driven. You start by choosing from a collection of prebuilt designs. Then you can customize them to fit your branding and needs.
It’s great for providers who aren’t working with a marketing team and don’t have time to spend on web design. The quality of the sites is still fantastic. There’s just less flexibility in the long term.
Wix is a nice middle-ground option between WordPress and Squarespace. Generally, it’s not quite as robust as WordPress, but less template oriented than Squarespace. It also does a better job than WordPress of guiding users through the process of building a website.
It’s best suited for practices that are building their own sites and can afford to have a staff member dedicate time to it. They’ll be able to pick it up quickly while retaining a solid amount of design freedom.
Whether you choose to go with a service that is geared toward compliance or a general-purpose platform, there are plenty of viable options for building medical websites. With that in mind, it’s important to understand what goes into building a “HIPAA compliant website.”
The term itself is a misnomer. There’s no such thing as a HIPAA compliant website because websites themselves do not inherently collect protected health information (PHI). That’s the key point. HIPAA defines safeguards for PHI that is maintained or transmitted in electronic form, but that does not mean an entire website has to be compliant. Only the systems that handle PHI are affected.
One of the most visible mechanisms that a website can use to collect PHI is forms. Many practices offer digital intake forms. They are fantastic for speeding up workflows and improving patient experience. They’re also packed with PHI and must be safeguarded properly.
There’s another type of form that requires safeguards, but most don’t realize it: contact forms. It’s easy to overlook simple contact forms, but they can quietly create compliance gaps. The reason comes down to how PHI is defined in the official documentation.
Information only needs to meet two conditions to be considered PHI: it can be tied to an individual, and it relates to some element of care.
The first condition is self-explanatory. It’s any information that can be tied to an individual. The second condition creates confusion because it is heavily influenced by context. When a site visitor uses a contact form in relation to some element of care, it can trigger the condition. Even if a contact form is specifically labeled as not being for medical use, it could still potentially collect PHI.
HHS clarifies this relationship in their article on tracking technologies:
Individually Identifiable Health Information (IIHI) “collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as in some circumstances IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.”
That’s why it’s important to ensure that web builders fully understand the flow of PHI through healthcare websites. This ensures that all cases of PHI interaction are handled properly. Forms are an obvious example, but they’re not the only way that websites can create, transmit, maintain, or receive PHI. Hint: there are more than you might realize, and tracking technologies are among them.
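One way to start mapping PHI flows on a page is to inventory every place the page can send visitor data away: each form (where submissions go, by which method, and which fields it collects) and each script, iframe, or image loaded from another host, since those are the tracking technologies the HHS guidance above is concerned with. The script below is an added example, not code from the original post or from any product it mentions; it uses only the Python standard library, and the sample page, hostnames, and form fields in it are constructed placeholders. It flags submission paths that deserve a closer look (not HTTPS, leaving the site, or using GET, which places field values in the URL), but it cannot tell you whether a receiving server or vendor is covered by a business associate agreement; that part of the review still has to be done by a person.

```python
"""Inventory of potential PHI flows on a single HTML page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FlowInventory(HTMLParser):
    """Collects forms and third-party resource loads from one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.forms = []          # one dict per <form> on the page
        self.third_party = []    # scripts/iframes/images loaded from other hosts
        self._form = None        # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve a relative action against the page URL so scheme and host can be checked.
            action = urljoin(self.page_url, a.get("action") or "")
            self._form = {"action": action,
                          "method": (a.get("method") or "get").lower(),
                          "fields": [], "issues": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            # Submit, hidden and button controls carry no visitor-entered data.
            if (a.get("type") or "text").lower() not in ("submit", "hidden", "button", "reset"):
                self._form["fields"].append(a.get("name") or a.get("id") or f"<unnamed {tag}>")
        elif tag in ("script", "iframe", "img"):
            src = a.get("src")
            if src:
                host = urlparse(urljoin(self.page_url, src)).hostname
                if host and host != self.page_host:
                    self.third_party.append({"tag": tag, "host": host})

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self._assess(self._form)
            self._form = None

    def _assess(self, form):
        """Flag submission paths that need review before PHI may travel over them."""
        target = urlparse(form["action"])
        if target.scheme != "https":
            form["issues"].append("submission is not over HTTPS")
        if target.hostname != self.page_host:
            form["issues"].append(f"submission leaves the site (goes to {target.hostname})")
        if form["method"] == "get":
            form["issues"].append("GET puts field values into the URL (logs, referrers, history)")


def inventory(html, page_url):
    """Parse one page and return its forms and third-party loads."""
    parser = FlowInventory(page_url)
    parser.feed(html)
    parser.close()
    return {"forms": parser.forms, "third_party": parser.third_party}


# Constructed sample page: an intake form posted to the practice's own server,
# a contact form sent by GET to an outside vendor, and a third-party analytics script.
SAMPLE_PAGE = """
<html><body>
<script src="https://analytics.example-tracker.test/pixel.js"></script>
<img src="/images/logo.png">
<form action="/intake" method="post">
  <input type="text" name="patient_name">
  <textarea name="reason_for_visit"></textarea>
  <input type="submit" value="Send">
</form>
<form action="http://forms.example-vendor.test/contact" method="get">
  <input type="email" name="email">
  <textarea name="message"></textarea>
</form>
</body></html>
"""

if __name__ == "__main__":
    report = inventory(SAMPLE_PAGE, "https://clinic.example.test/contact")
    for form in report["forms"]:
        print(f"form -> {form['action']} [{form['method'].upper()}] fields={form['fields']}")
        for issue in form["issues"]:
            print(f"    review: {issue}")
    for load in report["third_party"]:
        print(f"third-party {load['tag']} from {load['host']}")
```

Running it on the constructed page lists the intake form with no flags, the contact form with three review items, and the analytics script as a third-party load. Every line of that output is a PHI flow candidate to trace further: who receives the data, under what agreement, and whether the page should be sending it at all.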
Understanding that HIPAA regulates PHI flows, not entire websites, makes it easier to see how solutions can be implemented. Web forms are a major source of PHI. Form Vessel can help isolate these flows from other parts of a website that are harder to secure. It’s easy to use, purpose-built for healthcare, and can quickly drop into any existing site.
The platform is built with safety as a top priority. However, that doesn’t mean that functionality is sacrificed. It also empowers users with a robust suite of design features that allow any form to be fully digitized.
Form Vessel can’t ensure that every PHI flow is secure, but it can help developers and providers free up more time to focus on more complex gaps.
Compliance is tricky, especially when it comes to websites. However, it’s important to remember that HIPAA doesn’t apply simply because a website belongs to a health provider. If there are no possible flows of PHI, a website can freely exist without any HIPAA safeguards. It’s just usually not that easy.
If you suspect there are unprotected flows on your practice’s website, it’s important to identify and secure them quickly. Some flows may require more time, energy, and technical skills. That’s why it’s important to simplify the elements that are easier to protect. If your site needs a powerful and compliant form solution, Form Vessel was built for you.