Designing a HIPAA-Compliant Website for Therapists

In recent years, more and more therapists and mental health providers have started offering their services online using digital platforms. This shift makes mental health care more accessible to more people. But it also means that it’s essential to figure out how to responsibly safeguard sensitive patient data online.

Creating a HIPAA-compliant website is an important step. Yet, it can be confusing to many therapists and mental health providers. 

As a brand & website designer who works with therapists, I often help my clients cover some aspects of HIPAA compliance, such as embedding HIPAA-compliant contact forms on their websites. In this article, I’m going to share some HIPAA compliance essentials for you to keep in mind as you’re creating your new website!

Disclaimer: Following the steps in this article does not constitute a guarantee of HIPAA compliance. This article is for informational purposes only. I am not an attorney, and I am not providing legal advice. Each therapy practice is different, and HIPAA compliance extends far beyond web design. Reach out to an attorney in your area to fully educate yourself on what you need to do to ensure that your therapy practice is fully HIPAA-compliant. 

What Is HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act, is a critical piece of legislation that safeguards the privacy and security of your patients’ sensitive information.

If you’re a therapist or a mental health service provider who works with clients online, HIPAA compliance helps you protect your clients’ personal health information (PHI) from unauthorized access, disclosure, and misuse. This includes information shared during therapy sessions, treatment plans, and other related communications.

What Is a HIPAA-Compliant Website? Understanding the Basics

One part of HIPAA compliance is designing a HIPAA-compliant website. Having a HIPAA-compliant website means that it is designed and maintained in a way that protects the sensitive information of your clients. Many aspects of HIPAA regulations apply to websites, such as ensuring secure hosting and using HIPAA-compliant contact forms.

In the sections below, I’m going to focus on five essential aspects of HIPAA regulations for therapists and healthcare providers. However, please keep in mind that there are other factors and HIPAA regulations that apply. Consult with a lawyer to ensure full HIPAA compliance for your private practice and website!

How to Make a Website HIPAA-Compliant: 5 Essential Considerations

1. Secure Hosting and Data Encryption

HIPAA-compliant websites should have secure hosting and data encryption. Choose a hosting provider that offers robust security measures, including encryption protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These protocols ensure that data transmitted between the website and users is encrypted, preventing unauthorized access or interception.

2. Secure Communication Channels

You should use secure communication channels, such as encrypted email and secure messaging platforms, for communicating with your clients and other healthcare professionals. Don’t use unsecured methods such as regular email or text messaging. These ways of communicating can potentially expose PHI (Protected Health Information) to unauthorized parties!

3. HIPAA-Compliant Contact Forms

As a brand & website designer, a lot of what I do for my therapist clients when it comes to following HIPAA compliance rules is making sure they have HIPAA-compliant web forms. You need to make sure that your potential therapy clients are contacting you via your website in a HIPAA-compliant way. To do that, you have three options:

1. Embed a HIPAA-compliant contact form created using Google Forms and then custom-coded to fit your website’s look.
2. Use SimplePractice or another HIPAA-compliant therapy appointment scheduling tool so your potential clients can book a consultation call with you directly.
3. Link to your Google Workspace email so your potential clients can email you directly. 

I’m going to explain each of these options in more detail below!

1. Use Google Forms to Create a HIPAA-Compliant Web Contact Form

You can customize and embed a contact form from Google Forms on your website, but only under the following conditions:

1. You must be using Google Workspace
   
2. You must sign Google’s HIPAA Business Associate Agreement, and
   
3. You must also define how the collected Protected Health Information (PHI) from this Google Form is handled, restrict access to the PHI, and report if there is any data breach

The first thing you need to do is go to Google Workspace and sign up for an account.

Then, you need to sign the HIPAA Business Associate Agreement (BAA) that Google Workspace provides. Here’s how to do that:

1. Sign in to your Google Admin console (use an account with super administrator privileges).
   
2. Go to Menu > Account > Account settings > Legal and Compliance in the Admin console.
   
3. Go to the Security and Privacy Additional Terms section.
   
4. Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment. Click the pencil on the right to review and accept. 
   
5. Review and Accept and answer the three questions to confirm that you are a HIPAA-covered entity.
   
6. Click OK to accept the HIPAA BAA

Once you’ve signed the BAA, you need to create your contact form using Google Forms in your Google Workspace account.

1. Go to Google Forms and make sure you’re logged into your Google Workspace account.
   
2. Click Blank Form and add your fields. I recommend adding First Name, Last Name, Email, Inquiring About, and Message. I also recommend making each of these fields required.
   
   
   
   
   
3. Next, go to the Settings tab and scroll down to Defaults > Form Defaults. Make sure “Collect email addresses by default” is toggled to “Do not collect”.
   
   
   
   
   
4. Go to the Responses tab, click View in Sheets, and make sure your spreadsheet is restricted only to people within your organization. Also, while you’re in the Responses tab, click on the three dots just to the right of View in Sheets and check Get email notifications for new responses. Or, you can keep that section unchecked, and use a Google Forms add-on to further customize your email notifications for inquiries. Here are some good add-ons to explore: one, two, three.
5. Then, go to the top right and click Send, then click Send Via and click the brackets. The subheading should say Embed HTML.
   
   
   
   
   
6. Click Copy, and head to your website design editor. I’m a Showit web designer, so I use Showit for this.
   
7. If you’re using Showit for this, click into the web design editing platform, click on the plus sign in the bottom center of the interface, and click Embed Code.
   
   
   
   
   
8. Then, you’ll want to paste your code into the code editor and click Save.
   
   
   
   
   
9. Adjust the sides of your contact form to be as wide and long as you want them to be, and be sure to adjust the dimensions of the contact form on the mobile version as well.
   
   
   
   
   
10. At this point, you can click Preview and Publish, and your contact form will be live! You can now test your contact form and start accepting inquiries.

Customizing Your HIPAA-Compliant Contact Form

To customize the look of your contact form, you can go back into Google Forms and change the fonts and colors of your form to better match the branding of your website. Some add-ons get you closer to the look of a custom contact form, but they require paid subscriptions. Nobody wants another subscription! 💀

If you’re looking for complete customization of your contact form so it perfectly matches your website’s branding, I use custom HTML/CSS coding to fully customize the look of these contact forms for my clients, and here’s an example form that I created for my own website:

All you’ll need to do is:

1. Create your HIPAA-compliant Google Form using the steps above
   
2. Reach out to me so I can add custom coding to adjust your Google Form. I’ll add it to your website’s Contact page, and also create a Thank You page that your contact form will redirect to when the form is submitted. Through trial and error, I’ve found that the Thank You page is required for this method to work!

Using this custom coding method, I can transform a Google Form that looks like a Google Form to a HIPAA-compliant therapist contact form that looks seamlessly integrated into your existing website. 😊

2. Avoid Contact Forms and Have Them Book a Call Instead

Another way to design a HIPAA-compliant website is to ask potential clients to reach out to you by scheduling a call through SimplePractice. Here’s how to do that:

1. Get an active subscription with SimplePractice.
   
2. Go to Settings > Widget and find your Appointment-request Widget.
   
   
   
   
3. Scroll down to the code section, and select Copy Code.
   
4. Add your Appointment-request Widget to your Showit website, and hit Preview > Publish! 

For additional information, see SimplePractice’s detailed directions.

This option is a simple way to make sure that your clients’ PHI is contained within the SimplePractice system and not stored elsewhere. If you don’t want to mess with contact forms, this is an easier option!

3. Use Your Google Workspace Email

You can skip the contact form and have your potential clients email you directly in a HIPAA-compliant way. To do this, you must be using Google Workspace, you must sign Google’s HIPAA Business Associate Agreement, and you must define how the collected Protected Health Information (PHI) in your Google Workspace account is handled, restrict access to the PHI, and report if there is any data breach.

1. Go to Google Workspace and sign up for an account. You’ll need to make sure you have an email set up with Google Workspace with this structure: name@domain.com. For example, mine is rose@rosebenedictdesign.com. 

Then, you need to sign the HIPAA Business Associate Agreement (BAA). Here’s how to do that:

1. Sign in to your Google Admin console (use an account with super administrator privileges)
   
2. Go to Menu > Account > Account settings > Legal and Compliance in the Admin console.
   
3. Go to the Security and Privacy Additional Terms section.
   
4. Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment. Click the pencil on the right to review and accept. 
   
5. Review and Accept and answer the three questions to confirm that you are a HIPAA-covered entity.
   
6. Click OK to accept the HIPAA BAA.

Once you sign the BAA, you need to link to your Google Workspace email on your Showit website:

1. Create a button on your contact form that says something like “Get in Touch”. To create a button, you’ll need to add text to a canvas on your Contact page and create a rectangle that fits behind the button.
   
   
   
   
   
   
2. Drag your cursor over the text box and rectangle behind it, and click on Click Actions in the menu on the right. Click Configure Link and choose Email from the dropdown list. Add your email and hit Save.
   
   
   
   
   
3. At this point, you can click Preview and Publish, and your button will be live! You can now test your button and start accepting inquiries straight to your email. 

4. Access Control and Authentication

If you have team members, limit access to PHI only to authorized individuals. Use strong authentication methods such as multi-factor authentication (MFA) to verify the identity of users accessing your website and client portals. This helps prevent unauthorized access to sensitive patient information.

5. Data Backups and Disaster Recovery

Regularly back up your website data. Plus, you need to have a plan for what you need to do if you need to restore website functionality and recover lost data in case of an emergency.

FAQs

Do therapists need a HIPAA-compliant website?

Yes, therapists, healthcare organizations, and healthcare providers need to have a HIPAA-compliant website. HIPAA guidelines for websites are nuanced, but some of the essentials to be aware of are having secure hosting and data encryption, using secure communication channels, creating HIPAA-compliant contact forms (other options include using your Google Workspace email or HIPAA-compliant appointment software), making sure only authorized people have access to client PHI, and backing up your website data. This is not a comprehensive HIPAA-compliant website checklist. For full compliance, get in touch with a lawyer in your area.

What website builder is HIPAA-compliant?

Some examples that I’ve found are SimplePractice and TherapySites, but they do lack a lot of creative freedom which is why I don’t design in those platforms for my clients. HIPAA compliance depends on how you create, receive, maintain, and transmit your clients’ private health information.  When building your website, make sure to follow HIPAA-compliant web practices, such as creating HIPAA-compliant contact forms and getting HIPAA-compliant hosting to protect PHI.

Is Wix HIPAA-compliant?

Wix is not inherently HIPAA-compliant. There are steps that you need to take to protect your clients’ private health information and medical records, such as using HIPAA-compliant contact forms and complying with other HIPAA website basics. Wix doesn’t guarantee any HIPAA compliance – it’s your responsibility! 

Is Showit HIPAA-compliant?

Showit is my platform of choice for therapist websites, but it’s not inherently HIPAA-compliant. That said, it’s possible to use Showit to create a HIPAA-compliant website if you adhere to all of the necessary regulations and use a HIPAA-compliant contact form. Here is an example of a Showit website for a therapist for Queer young adults that I’ve designed!

Is Squarespace HIPAA-compliant?

Squarespace is not inherently HIPAA-compliant. You will need to use certain HIPAA-compliant scheduling plugins if you want your clients to schedule appointments directly on your website. Contact forms on Squarespace are also not HIPAA-compliant. That said, it’s possible to build a HIPAA-compliant website on Squarespace if you follow HIPAA compliance regulations. Learn more about the best website builders for therapists!

How do I make a web form HIPAA-compliant?

It depends on the type of the form. If you want to create a HIPAA-compliant contact form, you can use Google Forms (as long as you are a Google Workspace user who has accepted Google’s HIPAA BAA), embed the Google Form on your website, and then custom-code it to fit your website’s look. Alternatively, your potential clients can contact you by scheduling a call through SimplePractice or directly contacting your Google Workspace email (as long as you have accepted Google’s BAA).

Brand & Website Design for Therapists

I often work with therapists on brand & website design to help them deeply connect with their ideal clients and start feeling comfortable, cozy, and confident in their new online home. Here’s an example of a therapist website I recently created!

In addition to your web design, I can also help you create HIPAA-compliant contact forms. Learn more about my design services or get in touch!