The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect the privacy and security of individuals' health information. Congress was explicit about the law's purpose: the statute states that it was designed "...to improve the Medicare program...the Medicaid program...and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of uniform standards and requirements for the electronic transmission of certain health information and to reduce the clerical burden on patients, health care providers, and health plans."
HIPAA applies to two main categories of organizations: covered entities and business associates. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Business associates are third parties that handle protected health information (PHI) on behalf of a covered entity.
If your organization falls into either of these categories and your website collects, stores, transmits, or processes PHI, then yes, your website needs to be HIPAA compliant.
What counts as protected health information?
Under HIPAA, PHI is defined in the regulations at 45 C.F.R. § 160.103 as "individually identifiable health information" that is transmitted or maintained in any form or medium by a covered entity or business associate, excluding certain educational records and employment records.
But not all health information automatically triggers HIPAA's full protections; the legal threshold is whether the information is "individually identifiable." The statute defines this as "any information, including demographic information collected from an individual, that— (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual...and— (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual."
For websites, this means that even a contact form on a medical practice's website, where a patient might type their name, phone number, and a question about a health condition, could constitute the collection of PHI, triggering HIPAA obligations. PHI includes obvious identifiers like names, Social Security numbers, and medical record numbers, but also data points like dates of birth, phone numbers, email addresses, and even IP addresses when linked to health information.
Common website features that trigger HIPAA requirements
Several common website features can create compliance obligations:
- Online appointment scheduling - When patients book appointments online and provide their name, date of birth, insurance details, or reason for the visit, that data is PHI and must be protected.
- Contact and inquiry forms - If these forms invite patients to describe symptoms, ask medical questions, or provide any identifying health-related information then they are collecting PHI.
- Patient portals - If the website includes a login area where patients can view test results, request prescriptions, message their provider, or review billing history, it would need to comply with HIPAA.
- Live chat - Live chat can become a compliance liability if patients use it to discuss health concerns.
- Telehealth integrations - If the website lets patients begin or access virtual appointments, it must meet HIPAA's technical safeguard requirements.
What does HIPAA compliance actually mean for a website?
Under 45 C.F.R. § 164.306(a), every covered person who maintains or transmits health information must "(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce."
For a website specifically, the most relevant considerations include:
Encryption
All PHI transmitted through your website must be encrypted in transit and ideally at rest.
Business associate agreements (BAAs)
BAAs must be in place with every third-party vendor that touches PHI through your website. This includes your web hosting provider, your form tool, your email marketing platform, your analytics service, and your live chat software.
Third-party tracking pixels
A 2024 JAMA Network study examining 100 non-government acute care U.S. hospital websites found that 96 out of 100 transmitted visitor data to third parties, including companies like Google, Meta, Snapchat, and LinkedIn. Despite this, only 40 of the 100 hospitals named the specific third parties receiving that data, and hospital websites sent information to an average of 9 external domains. The researchers noted that a significant number of hospital websites fail to give users adequate information about how their data is being collected and processed.
This follows earlier University of Pennsylvania research finding that 99% of U.S. hospital websites were transmitting personal information to third parties. In December 2022, the Department of Health and Human Services issued guidance making clear that tracking technologies may not be used in ways that disclose PHI to third parties unless a signed, HIPAA-compliant business associate agreement is in place or the patient has explicitly authorized the disclosure.
Furthermore, the FTC and the HHS Office for Civil Rights (OCR) issued a joint warning to approximately 130 hospital systems and telehealth providers about their use of tools like the Meta/Facebook pixel and Google Analytics. Former OCR Director Melanie Fontes Rainer stated, "patients and others should not have to sacrifice the privacy of their health information when using a hospital's website." The agencies noted that these tracking technologies gather identifiable information about users and that unauthorized disclosure may violate both HIPAA and the FTC's Health Breach Notification Rule.
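As an added example (not code from the original post), the following Python script performs the kind of static audit the BAA and tracking-pixel sections call for: it lists every third-party host a page's HTML loads scripts, images, iframes or stylesheets from, and flags those not on the list of vendors with a signed BAA. The HTML fragment, the hospital domain and the vendor names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical, not taken from any real hospital site):
# a tag-manager script, a Meta pixel (script + 1x1 image) and a chat widget iframe.
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<link rel="stylesheet" href="https://cdn.example-hospital.org/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=123&ev=PageView" width="1" height="1">
<iframe src="https://chat.example-vendor.com/widget"></iframe>
<img src="/images/logo.png">
</body></html>
"""

# Tag -> attribute that makes the browser fetch a resource when the tag is parsed.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

def same_site(host, site):
    """True if host is site itself or a subdomain of it (exact label match)."""
    return host == site or host.endswith("." + site)

class ThirdPartyCollector(HTMLParser):
    """Collect hostnames of resources loaded from origins other than the site's own."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.hosts = {}  # hostname -> set of tag names that load from it

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = urlparse(url).hostname
        # Relative URLs have no host and are first-party by definition.
        if host and not same_site(host, self.first_party):
            self.hosts.setdefault(host, set()).add(tag)

def third_party_hosts(html, first_party):
    parser = ThirdPartyCollector(first_party)
    parser.feed(html)
    return parser.hosts

def hosts_without_baa(html, first_party, baa_vendors):
    """Third-party hosts that are not covered by a vendor with a signed BAA."""
    return sorted(h for h in third_party_hosts(html, first_party)
                  if not any(same_site(h, v) for v in baa_vendors))
```

A static scan only sees tags present in the served HTML; pixels injected at runtime by a tag manager need a browser-side check of actual outbound requests.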
Access controls
Ensure that only authorized individuals can access PHI collected through your site. This means secure login systems, role-based permissions, and audit logs tracking who accessed what and when.
Privacy policies and consent mechanisms
Policies must disclose how data is collected and how health information is used. According to the JAMA research, of the 100 hospitals studied, only 71 had accessible privacy policies, only 66 identified the categories of third parties receiving user data, and just 40 disclosed the specific names of those organizations.
What if you're not a covered entity?
If your business is not a covered entity or business associate, HIPAA may not technically apply to you. However, the Federal Trade Commission (FTC) has stepped in to regulate health data privacy through its Health Breach Notification Rule and broader consumer protection authority. Several states have also enacted their own health data privacy laws, including Washington's My Health My Data Act, which has a much broader reach than HIPAA.
FAQs
Does HIPAA compliance apply to mobile apps, not just websites?
Yes, if your mobile app collects or transmits PHI, it is subject to the same HIPAA safeguards as a website.
Can patients waive their HIPAA rights by agreeing to a website's terms of service?
No, HIPAA protections cannot be signed away through a terms of service agreement, as they are statutory rights, not contractual ones.
What happens if a business associate causes a breach?
Business associates are directly liable under HIPAA for breaches resulting from their own failure to comply with the Security Rule.