HIPAA-Compliant Websites for Therapists: Is Your Website Actually Compliant?

One of the most common technology questions therapists ask is whether their website is HIPAA compliant. Sometimes the concern is a contact form. Sometimes it's online scheduling, a telehealth platform, a chat widget, or Google Analytics. In many cases, therapists are trying to determine whether they have overlooked something that could create a privacy problem for clients.

What makes this question difficult to answer is that websites rarely operate in isolation. A practice website may connect to scheduling software, an electronic health record, telehealth platforms, payment processors, intake forms, secure messaging systems, and various marketing tools. Each of those systems handles information differently, which means each one deserves its own review.

When I teach telehealth and digital ethics, one of the themes that comes up repeatedly is that clinicians often focus on a single technology while missing the larger system around it. Website compliance works much the same way. Looking only at a contact form may cause you to overlook how information is collected, transmitted, stored, or shared across the rest of your practice.

Identifying Privacy Risk Areas

Many therapists start by looking at a single feature on their website, such as a contact form or scheduling page. A more useful approach is to identify where information enters your systems and what happens to that information afterward. Once you understand the different ways visitors interact with your website, it becomes much easier to identify which areas deserve a closer privacy and compliance review.

The next step often depends on how information is being collected and whether that information could reveal that someone is seeking mental health services.

• If visitors only read educational content and blog posts, review your analytics tools, cookies, and tracking technologies.

• If visitors submit contact forms, review what information is being requested and how those submissions are transmitted.

• If visitors schedule consultations online, review the scheduling platform, privacy settings, and vendor agreements.

• If clients access portals, telehealth systems, or payment platforms, review how protected health information is stored and secured.

• If you are unsure where information enters your systems, begin by creating an inventory of every website, app, platform, and vendor that touches client information.

Understanding Where Client Information Lives

One of the first exercises in a privacy review is identifying every place client information may appear. Many clinicians are surprised by how many systems are involved. A typical practice might use a website, an EHR, a telehealth platform, a scheduling system, secure messaging, online forms, and a payment processor. Each system may collect, transmit, store, or display information that deserves its own compliance review.

This is often where confusion begins. A therapist may spend a great deal of time researching whether their website host is HIPAA compliant while paying much less attention to the scheduling platform connected to the site or the forms collecting information from prospective clients. In practice, privacy risks frequently arise from the connections between systems rather than from a single platform.

Before making changes to your website, it can be helpful to create a simple inventory. List every tool that touches client information and ask a few basic questions of each one. Does the vendor sign a Business Associate Agreement? Is information encrypted in transit and at rest? Where is the information stored, and who at the vendor can access it? How is it transmitted between systems, and does a copy end up somewhere else along the way, such as in a notification email? These questions provide a much clearer picture of compliance than focusing on any single feature.

Contact Forms and Consultation Requests

Many therapists first begin thinking about HIPAA because of a website contact form. This is understandable. A contact form is often the first point of interaction between a therapist and a prospective client.

One important consideration is the type of information being collected. A form requesting a name, phone number, and email address creates different privacy considerations than a form asking someone to describe their symptoms, trauma history, or reasons for seeking treatment. Even before a person becomes a client, information submitted through a website may reveal that they are seeking mental health services.

For that reason, many therapists choose to keep public contact forms relatively simple. Detailed clinical information can often wait until the person is using a secure intake process or protected client portal. Collecting only the information necessary to make contact reduces privacy risks while still allowing you to determine whether the individual may be a good fit for your practice.

This is also a good time to review how your website handles form submissions. Therapists sometimes assume that because a form appears on a professional-looking website, the information is automatically protected. In practice there are three things to check: how the submission is transmitted (the form should post over HTTPS, and many form tools also forward a copy to you by ordinary, unencrypted email unless that notification is turned off), where submissions are stored and for how long (form plugins and form builders often keep every submission in their own database), and whether the form vendor will sign a Business Associate Agreement. The transmission method, storage process, and vendor agreements matter just as much as the form itself.

Tracking Pixels, Analytics, and Marketing Tools

Another area that has received increased attention in recent years involves tracking technologies. Many websites use tools such as Google Analytics, Meta Pixel, session replay software, chat widgets, and other marketing platforms to understand visitor behavior. These tools can be useful for understanding website traffic and improving user experience.

At the same time, therapists should think carefully about where those technologies are placed. A blog article about coping skills creates different privacy considerations than a page titled "Schedule a Consultation" or "Start Therapy." Guidance from the HHS Office for Civil Rights on the use of online tracking technologies (reference 2 below) has highlighted concerns about trackers on pages that may reveal a person's interest in seeking healthcare services, and about sending that information to tracking vendors that have not signed a Business Associate Agreement.

When reviewing website compliance, it can be helpful to identify every tracker running on the site and determine whether those tools belong on pages where visitors submit information, request appointments, or access client resources. Many therapists discover trackers they did not even realize were active because they were installed automatically through themes, plugins, tag managers, chat widgets, or marketing integrations. The Network tab in a browser's developer tools shows every third-party request a page makes, which is a quick way to confirm what is actually loading on a given page rather than relying on what you remember installing.
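What a combined tracker-and-form review can look like in practice, as an added example that is not part of the original article and not any vendor's tool: the script below parses each HTML page of a site, lists the trackers it recognizes from a small signature table, flags pages that look like they are about seeking care, and checks contact forms for a plain-HTTP action, GET submission, and fields that request clinical detail. It covers both the contact-form review in the previous section (how a submission is transmitted and what it asks for) and this section's tracker inventory. The vendor hostnames in the signature table are real, but the table is illustrative rather than complete; the page-keyword and field-keyword lists are assumptions to tune for your own site, and the sample pages are constructed so the script runs offline.

```python
"""Static audit of practice-website pages for trackers and contact-form risks.

Added example written for this article, not code from the article's author.
Runs offline over constructed HTML; feed it fetched HTML to audit a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that identify common trackers in script src, inline JS, or pixel/iframe URLs.
# Hostnames are real; the table is illustrative, not a complete tracker list (assumption).
TRACKER_SIGNATURES = {
    "Google Analytics / gtag": ["googletagmanager.com/gtag/js", "google-analytics.com", "gtag("],
    "Google Tag Manager": ["googletagmanager.com/gtm.js"],
    "Meta Pixel": ["connect.facebook.net", "fbevents.js", "fbq(", "facebook.com/tr"],
    "Hotjar (session replay)": ["static.hotjar.com"],
}
# Words suggesting a page is about seeking care rather than general reading (assumed list).
SENSITIVE_PAGE_WORDS = ("schedule", "consult", "contact", "intake", "start", "portal", "appointment")
# Field names suggesting clinical detail is requested on a public form (assumed list).
CLINICAL_FIELD_WORDS = ("symptom", "diagnos", "trauma", "history", "reason", "concern", "medication")


class _PageParser(HTMLParser):
    """Collects the title, script/img/iframe URLs, inline JS, and forms with their fields."""

    def __init__(self):
        super().__init__()
        self.title, self.urls, self.inline_js, self.forms = "", [], [], []
        self._in_title = self._in_inline_script = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            if a.get("src"):
                self.urls.append(a["src"])
            else:
                self._in_inline_script = True
        elif tag in ("img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "method": a.get("method", "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("type", "").lower() not in ("submit", "hidden", "button"):
                self._form["fields"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_inline_script = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_inline_script:
            self.inline_js.append(data)


def audit_page(path, html):
    """Return findings for one page: recognized trackers, sensitivity, and form issues."""
    p = _PageParser()
    p.feed(html)
    haystack = p.urls + p.inline_js
    trackers = sorted(name for name, sigs in TRACKER_SIGNATURES.items()
                      if any(sig in text for sig in sigs for text in haystack))
    label = (path + " " + p.title).lower()
    # Any page with a form collects visitor input, so it is treated as sensitive too.
    sensitive = any(w in label for w in SENSITIVE_PAGE_WORDS) or bool(p.forms)
    issues = []
    if sensitive and trackers:
        issues.append("tracker(s) on a page that may reveal interest in care: " + ", ".join(trackers))
    for f in p.forms:
        if urlparse(f["action"]).scheme == "http":
            issues.append("form posts over plain HTTP: " + f["action"])
        if f["method"] == "get":
            issues.append("form uses GET, so submitted values end up in URLs and server logs")
        clinical = [n for n in f["fields"] if any(w in n.lower() for w in CLINICAL_FIELD_WORDS)]
        if clinical:
            issues.append("public form requests clinical detail: " + ", ".join(clinical))
    return {"path": path, "title": p.title.strip(), "sensitive": sensitive, "trackers": trackers, "issues": issues}


def audit_site(pages):
    """Audit a {path: html} mapping and return one findings dict per page."""
    return [audit_page(path, html) for path, html in pages.items()]


# Constructed sample pages (not a real practice site) so the audit runs offline.
SAMPLE_PAGES = {
    "/blog/coping-skills": """<html><head><title>Five Coping Skills</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}gtag('js',new Date());</script>
</head><body><p>Educational content only.</p></body></html>""",
    "/schedule": """<html><head><title>Schedule a Consultation</title>
<script>!function(f,b,e,v,n,t,s){/* pixel loader */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');fbq('init','000');fbq('track','PageView');</script>
</head><body>
<form action="http://forms.example/submit" method="get">
  <input name="name"><input name="email">
  <textarea name="symptoms_and_history"></textarea>
  <input type="submit" value="Request consultation">
</form></body></html>""",
}

if __name__ == "__main__":
    for result in audit_site(SAMPLE_PAGES):
        print(result["path"], result["trackers"], result["issues"])
```

To use this on a live site, fetch each page over HTTPS into the same {path: html} mapping and pass it to audit_site. Because the check is static, it only sees what is in the delivered HTML; trackers injected later by a tag manager or a consent banner will not appear, so pair it with the browser's Network tab or a headless browser for pages that matter most.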

Scheduling Systems, Payment Platforms, and Vendor Agreements

Website compliance extends beyond contact forms and tracking tools. Many practice websites connect directly to scheduling systems, payment platforms, telehealth software, or electronic health records. Each of these tools introduces additional privacy and security considerations.

One question I encourage therapists to ask vendors is whether they sign a Business Associate Agreement. HIPAA requires a BAA with any vendor that creates, receives, maintains, or transmits protected health information on your behalf, so a vendor that will not sign one should not be handling that information. A signed BAA sets out each party's responsibilities for protecting the information, but it does not by itself make a product compliant: vendors that offer a BAA may require a particular plan tier or specific settings before it applies, and the default configuration still needs to be reviewed. The answer can help you determine whether a platform is appropriate for your practice and whether additional safeguards are needed.

It is also worth reviewing payment systems. Convenience does not necessarily equal compliance. Many consumer payment platforms were not designed for healthcare settings and may create privacy concerns. Understanding how payment information is handled is another important piece of evaluating the overall privacy practices of your website and connected systems.

Website Compliance as an Ongoing Process

One of the reasons technology can feel overwhelming is that compliance is rarely a one-time task. Websites evolve. New plugins get installed. Scheduling systems change. Marketing companies add tracking tools. Software updates introduce new features. The systems connected to your website today may look different six months from now.

This is why many privacy reviews focus on ongoing monitoring rather than a single compliance check. Annual reviews, vendor audits, privacy policy updates, and periodic evaluations of tracking technologies can help identify issues before they become larger problems. Maintaining a current inventory of your systems also makes it easier to evaluate new tools before they are added to your practice.

At this point, many therapists realize the real question is bigger than whether a contact form is HIPAA compliant. The concern is whether client information is being collected, transmitted, stored, or tracked somewhere on the website or in a connected system without the therapist fully realizing it.

If you're unsure whether your website, forms, scheduling systems, or connected technologies create privacy or compliance risks, having a structured way to review those systems can help you identify potential gaps before they become problems. The HIPAA & Privacy Compliance Checklist for Practice Websites and Apps provides a step-by-step framework for evaluating the areas most commonly overlooked by therapists, including forms, tracking technologies, vendor agreements, privacy policies, payment systems, telehealth tools, and ongoing review practices.

HIPAA & Privacy Compliance Checklist for Practice Websites and Apps

Looking Beyond Website Compliance

Many therapists start by reviewing a website and quickly discover that the website is only one piece of the puzzle. Questions about online forms often lead to questions about informed consent. Questions about website privacy can lead to questions about telehealth, email communication, documentation, AI tools, interstate practice, and digital record keeping.

What begins as a website compliance review often turns into a broader review of how technology is being used throughout the practice. As new platforms, apps, and communication tools continue to emerge, many clinicians find themselves trying to balance convenience, accessibility, confidentiality, and ethical responsibilities at the same time.

If you're finding that your questions extend beyond website compliance, the Law & Ethics Hub brings together resources on telehealth, privacy, documentation, informed consent, AI, and other legal and ethical issues that therapists commonly encounter in modern practice.

Explore the Law & Ethics Hub

Understanding the Bigger Legal and Ethical Framework

Technology continues to create new opportunities for therapists and clients, and new questions often emerge alongside those opportunities. Whether you're evaluating a website, scheduling platform, telehealth system, AI application, or electronic health record, many of the same principles apply. Clinicians benefit from understanding how privacy, security, informed consent, documentation, and professional responsibility fit together when making decisions about technology.

Many therapists find that technology feels less overwhelming once they develop a framework for evaluating new tools. Rather than trying to memorize rules for every platform, they learn how to ask the right questions before implementing something new.

The Telehealth: Efficacy, Laws & Ethics CE course was developed for clinicians who want a more comprehensive understanding of how these issues intersect in practice. The course examines telehealth regulations, informed consent, documentation requirements, privacy considerations, jurisdictional practice issues, and ethical decision-making. It is self-paced and eligible for continuing education credit, allowing you to complete the training on your own schedule.

Telehealth: Efficacy, Laws & Ethics CE Course

Conclusion

Questions about HIPAA-compliant websites often begin with a single feature such as a contact form, scheduling platform, or privacy policy. As therapists start reviewing their systems, they frequently discover that website compliance involves understanding how information moves through multiple technologies that work together behind the scenes.

Taking time to review those systems can help identify areas that deserve closer attention and support stronger privacy practices from the very first interaction a prospective client has with your practice. Technology will continue to change, which means website compliance is best approached as an ongoing process of review, adjustment, and informed decision-making rather than a task that is completed once and never revisited.

Research References

  1. American Psychological Association. (2013). Guidelines for the Practice of Telepsychology. American Psychological Association. https://www.apa.org/practice/guidelines/telepsychology

  2. U.S. Department of Health and Human Services, Office for Civil Rights. (2024). Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-onlinetracking/index.html

  3. U.S. Department of Health and Human Services. (2013). HIPAA Security Rule, Technical Safeguards, 45 C.F.R. § 164.312.

  4. National Institute of Standards and Technology. (2014). NIST Special Publication 800-88 Rev. 1: Guidelines for Media Sanitization. U.S. Department of Commerce.
