24 ways your website may be violating HIPAA
Your healthcare website is more than just a digital business card—it’s often the first point of contact between your practice and potential patients. But while you’re focused on providing helpful information and growing your practice online, you may be inadvertently creating HIPAA compliance issues. Many common website features and tools that seem harmless, from contact forms to Google Analytics 4 (GA4), can actually put your practice at risk of violations.
To help you evaluate your website’s HIPAA compliance, we’ve compiled a comprehensive checklist of 24 critical website functions every healthcare provider should evaluate. Reviewing these points will help identify potential compliance gaps and guide you toward necessary improvements.
Check out our HIPAA Compliance Glossary for help defining any acronyms in this post.
If your website collects, stores, or transmits Protected Health Information (PHI), it must follow HIPAA regulations to protect patient privacy and avoid violation.
Tracking & Analytics
Healthcare organizations face a unique challenge: they need to measure and optimize their digital marketing while maintaining HIPAA compliance. As marketing tools become increasingly sophisticated, the line between compliant and non-compliant practices isn’t always clear—especially when it comes to analytics and tracking tools that many websites take for granted.
Common marketing tools may inadvertently put your website in violation of HIPAA:
1. Analytics Platforms (like Google Analytics)
- Standard Google Analytics 4 (GA4) implementation typically captures data that creates HIPAA compliance issues
- Common risks include location tracking and URL captures that could contain protected health information (PHI)
- GA4’s handling of IP addresses is not, by default, HIPAA-compliant
- It’s important to note that collecting IP addresses alone is not a HIPAA violation—violation depends on whether the visit is related to an individual’s past, present, or future health care
2. Advertising Pixels (Google Ads, Facebook, LinkedIn, etc.)
- Ad platforms collect user data for conversion tracking and remarketing, and require special configuration to avoid capturing PHI
3. Third-Party Tracking Tools
- Heat mapping and session recording services often capture detailed user behavior
- Many standard implementations can inadvertently record PHI
4. Remarketing/Retargeting Code
- Remarketing tags create user profiles based on website behavior
- This may lead to associating users with specific medical conditions
If you’re using any of these tools, you’ll need to implement HIPAA-compliant alternatives or specific configurations—specifically those made possible with server-side tagging—to ensure compliance.
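As an added example (not Pilot's code and not GA4 or Google Tag Manager code), this is the kind of scrubbing a server-side tagging layer can apply to a page-view event before forwarding it to an analytics vendor, addressing the URL-capture and IP-address risks in item 1; the event field names and the allowlists are assumptions.

```javascript
// Added example (not GA4 or GTM code): the scrubbing a server-side tagging
// layer can apply to a page-view event before forwarding it to an analytics
// vendor. The event field names are assumed for this example.

// Allowlist of non-clinical paths that may be reported as-is; anything else is
// collapsed to a placeholder so a reported URL can never name a condition or
// treatment. Constructed for this example.
const REPORTABLE_PATHS = new Set(["/", "/about", "/locations", "/contact"]);

// Campaign parameters that carry no patient data; every other query parameter
// is dropped (patient ids, search terms, form prefill values, and so on).
const REPORTABLE_QUERY_KEYS = new Set(["utm_source", "utm_medium", "utm_campaign"]);

// Zero the last octet so the address identifies a network, not a visitor.
// Anything that is not a plain IPv4 address is dropped rather than guessed.
function anonymizeIp(ip) {
  const v4 = typeof ip === "string" && ip.match(/^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$/);
  return v4 ? `${v4[1]}.0` : "";
}

function scrubPageView(event) {
  const url = new URL(event.page_location);
  const path = REPORTABLE_PATHS.has(url.pathname) ? url.pathname : "/redacted";
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (REPORTABLE_QUERY_KEYS.has(key)) kept.set(key, value);
  }
  const query = kept.toString();
  // Only these two fields are forwarded. page_title and page_referrer are
  // deliberately not copied: the title usually repeats the condition named in
  // the path, and the referrer may carry a search query about it.
  return {
    page_location: url.origin + path + (query ? "?" + query : ""),
    client_ip: anonymizeIp(event.client_ip),
  };
}
```

An allowlist of reportable paths is used instead of a denylist of condition names because a denylist silently fails the first time a new service page is published.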
Forms & Data Collection
Your website’s forms might be collecting PHI without adequate protection. Consider:
5. Contact Forms
- Contact forms on unauthenticated pages with open text fields can solicit PHI and violate HIPAA
- Forms on unauthenticated pages that explicitly ask health-related questions contain PHI
- The system that transmits and stores contact form submissions must meet HIPAA requirements and fall under a BAA
- Note that if a form does not make it possible for PHI to be transmitted (no health questions, open-text fields or hidden fields that could pass health information), it does not violate HIPAA
6. BAAs
- Websites must have signed BAAs with the form vendors, hosting providers, CRMs, and/or database services where the completed form answers are stored
- Information that may include PHI must be stored in accordance with technological and administrative safeguards
7. Auto-Fill Forms
- Forms that auto-fill from previous submissions may contain PHI
- The system that stores the previous submission’s information may not be secure or covered by a BAA
8. Insurance Information Collection
- Insurance information may identify a patient and their health conditions/treatments, which is considered PHI
- Insurance information that contains PHI must be transmitted and stored in accordance with all HIPAA standards
Remember, any health information (even a URL that mentions a condition or treatment) combined with personal identifying information (PII) becomes PHI and requires HIPAA-compliant handling.
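As an added example, not Pilot's code, here is a server-side handler for a callback-request form built the way items 5 and 7 describe: every field has a closed rule, there is no open-text or hidden field, and any unexpected field rejects the whole submission. The field names and validation rules are assumptions.

```javascript
// Added example: server-side validation for a "request a callback" form that is
// designed so PHI cannot pass through it. Field names and rules are assumed.

// Every accepted field has a closed-form rule; there is no free-text field and
// no hidden field, so a submission cannot carry a description of symptoms.
const FORM_SCHEMA = {
  name:           { pattern: /^[\p{L} .'-]{1,80}$/u },
  email:          { pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  phone:          { pattern: /^\+?[\d\s().-]{7,20}$/ },
  preferred_time: { oneOf: ["morning", "afternoon", "evening"] },
};

function validateCallbackForm(submission) {
  const errors = [];
  // Reject any field the form does not define, including hidden inputs that a
  // page script, browser extension, or tampered request might have added.
  for (const key of Object.keys(submission)) {
    if (!(key in FORM_SCHEMA)) errors.push(`unexpected field: ${key}`);
  }
  const clean = {};
  for (const [key, rule] of Object.entries(FORM_SCHEMA)) {
    const value = submission[key];
    if (typeof value !== "string") { errors.push(`missing field: ${key}`); continue; }
    const ok = rule.oneOf ? rule.oneOf.includes(value) : rule.pattern.test(value);
    if (!ok) { errors.push(`invalid value for ${key}`); continue; }
    clean[key] = value;
  }
  // Only an accepted, fully validated record is handed to the downstream
  // (BAA-covered) system; nothing from a rejected submission is stored or
  // emailed, so a stray symptom description never reaches a non-covered system.
  return errors.length === 0 ? { ok: true, record: clean } : { ok: false, errors };
}
```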
Interactive Website Elements
Common website features can create unexpected compliance issues:
9. Google Maps
- Google Maps can collect user IP addresses and other data that, when combined with health information, is considered PHI. If no health information is present on the site, it does not violate HIPAA
- Giving patients directions to healthcare facilities may inadvertently share PHI with Google, a company that typically will not sign a BAA
10. Chat Features
- You need to have a BAA in place with the chat system vendor because PHI can be shared in the system.
- The chat system has to meet rigorous requirements around transmission and storage of the chats.
11. Portal or Login Systems
- HIPAA compliance requires technical safeguards for portal/login systems, including automatic log-off, data encryption, audit trails, and backend access control
- BAAs are required with vendors of these systems
12. Appointment Scheduling
- Appointment systems will undoubtedly contain PII (name, email address, phone number, etc.) and, when combined with the medical context of the website, will create PHI; this must be transmitted and stored according to HIPAA requirements
- BAAs must be signed with the vendors of these scheduling systems
13. Embedded Videos
- Videos embedded from services like YouTube and Vimeo can collect user data, including potential PII, that could inadvertently expose the viewer’s PHI
- The video itself doesn’t necessarily directly disclose PHI—the issue is the data collection by the service streaming the video
Each of these features may collect and transmit user data in ways that require HIPAA compliance measures, including BAAs with the vendors.
Technical Security
Basic website security is crucial for HIPAA compliance:
14. HTTPS & SSL
- All information being passed to and from the website must be encrypted
- SSL encrypts and authenticates internet communications
- HTTPS uses SSL to encrypt requests and responses
15. Secure Form Submissions
- Data being sent via any forms must be secure
- Use of HTTPS and SSL ensures the data in the forms cannot be intercepted while being transmitted
16. Third-Party Plugins/Widgets
- Any software used on your website, particularly plugins and/or widgets that extend the functionality of the content management system (CMS) you are using, must securely collect and store any data that may include PHI
- If the plugin or widget might collect PHI, you need a BAA in place with the vendor of the software
17. Backend Security
- Any backend system of your website, such as the CMS and the databases that store form information, must meet HIPAA physical and technical safeguards and enforce strict access controls
- All vendors that provide or create the backend systems that may contain PHI must be bound by a BAA. This includes hosting companies and software vendors whose systems may collect and/or store PHI
Each of these four technical elements must be in place and properly configured to form the foundation of a secure, compliant website.
Email & Communication
Email use needs special attention:
18. Emails Triggered by Forms
- Many form systems automatically send emails with the submitted information, which may contain PHI
- Emails that contain PHI must encrypt the body of the email
19. Email Storage
- Emails that contain PHI must be stored according to HIPAA regulations, including administrative, physical, and technical safeguards
20. Email Marketing
- Email marketing services that send or receive patient data must meet the administrative, physical, and technical safeguards required by HIPAA
- If you are using email in ways that may contain PHI, you must ensure that all HIPAA requirements are being met.
Documentation & Policies
Proper documentation is essential for HIPAA compliance:
21. Privacy Policy
- Your website’s privacy policy must specifically address HIPAA
- Two examples of what should be included in the policy are: an explicit statement that you follow HIPAA regulations and a clear description of what PHI you collect
22. Documented Procedures
- Document all procedures you’ve put in place handling website-collected PHI
- Review this document and the procedures annually
23. Third-Party Services Inventory
- An inventory of all third-party services that might access your website’s data should be maintained
- The inventory should list all software and manually provided services that could access PHI
24. Compliance Audits
- The HIPAA standards do not require audits, but performing them at least annually is considered best practice
- The technical safeguards and access controls of unauthenticated pages and any patient portals should be tested using both automated tools and manual review
- Audits should also be performed after any major changes are made to the website
As you might suspect, falling short on any of these items should trigger some work on your team to get these documents updated or created to ensure compliance.
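As an added example, not Pilot's code, this script produces a first draft of the third-party services inventory in item 23 by listing every external host a page's markup loads resources from, which is also a quick check to repeat after the website changes mentioned in item 24. The sample page is constructed; the tag id, video id, and map parameters in it are placeholders.

```javascript
// Added example: a first pass at the third-party inventory, built by listing
// every external host a page's markup loads resources from. Not a substitute
// for a full audit: scripts can load further resources at runtime.

// Attributes that make the browser fetch from another origin.
const RESOURCE_ATTR = /<(?:script|iframe|img|link|video|source)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Returns the sorted, de-duplicated hosts that are not the site's own domain
// or one of its subdomains. Relative paths are first-party and are skipped.
function thirdPartyHosts(html, firstPartyHost) {
  const hosts = new Set();
  for (const match of html.matchAll(RESOURCE_ATTR)) {
    let ref = match[1].trim();
    if (ref.startsWith("//")) ref = "https:" + ref; // protocol-relative URL
    let host;
    try { host = new URL(ref).hostname; } catch (_) { continue; } // relative path
    if (host !== firstPartyHost && !host.endsWith("." + firstPartyHost)) hosts.add(host);
  }
  return [...hosts].sort();
}

// Constructed sample page; ids and parameters are placeholders.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="//cdn.example-chat.test/widget.js"></script>
</head><body>
<img src="/img/logo.png">
<iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>
<iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>
<script src="https://static.clinic.example/app.js"></script>
</body></html>`;

// Every host printed here needs either a BAA or a decision that no PHI can
// reach it; the first-party static host is intentionally not listed.
console.log(thirdPartyHosts(SAMPLE_HTML, "clinic.example"));
```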
What Are Your Next Steps?
The good news is that these issues can be addressed. You can stop using non-compliant services, replace them with compliant options, or find software solutions that eliminate many of the basic problems.
We’d be happy to help get you started! And yes, Pilot signs BAA agreements!