Mostly? No. And that answer should save you money.
A therapy website built right never needs to be HIPAA compliant, because it never holds protected health information in the first place. If you’ve been searching for a HIPAA compliant website for therapists, what you need is smaller than the phrase suggests: four connection points secured, everything else left alone. Here’s the longer version, because the details decide whether it works.
Do therapist websites need to be HIPAA compliant?
Most of a therapist’s website doesn’t need to be HIPAA compliant. Your pages, bios, and blog are public marketing, not protected health information. HIPAA applies the moment identifiable client details flow through the site: contact forms, online booking, tracking tools, and email. Secure those four checkpoints and the rest is just a website.
Here’s why. HIPAA protects PHI, and PHI needs two ingredients together: an identifiable person and something about their health. Your services page has neither. Your bio has neither. A blog post about EMDR describes therapy in general; it doesn’t know who’s reading it. All of that sits outside HIPAA entirely, no matter how many “compliance package” pitches imply otherwise.
The rule enters the picture when a real person attaches their identity to a mental-health context through your site. A name plus “I’d like help with postpartum anxiety” is PHI the instant it’s submitted.
Which brings up something we should say plainly, since building websites for therapists is our whole job: be skeptical of anyone selling a “fully HIPAA compliant website” as a product. The phrase usually signals they haven’t read the rule. A website isn’t a covered entity; you are, assuming your practice is one, which most practices that bill insurance electronically are. What a good builder can honestly deliver is HIPAA-aware design — a site where every path client data can travel runs through tools that will sign a Business Associate Agreement. That’s the claim we’ll put on a proposal. The other one, we won’t.
The four checkpoints where HIPAA meets your website
| Touchpoint | HIPAA territory? | What makes it fine |
|---|---|---|
| Service pages, bios, blog | No | Nothing. It’s marketing. |
| Contact and intake forms | Yes, once submitted | A form tool that signs a BAA |
| Online booking | Yes | A scheduler or EHR with a BAA |
| Analytics and ad pixels | Yes, on therapy pages | Remove them, or keep them off sensitive pages |
| Email replies and newsletters | Yes, for client conversations | BAA-covered email |
1. Contact and intake forms
A prospective client finds you at 11 p.m., opens your contact form, and types “I’ve been having panic attacks since my divorce.” The moment she hits send, that message is PHI. Name, phone number, mental-health disclosure, one packet.
Default form setups (the free plugin, the builder’s built-in form) usually fire that packet to your inbox as a plain email, and many also keep a copy of every entry in the site’s own database, with no BAA behind any of it. The fix isn’t exotic: use a form tool that signs a BAA and encrypts submissions. Hushmail’s forms, IntakeQ, and SimplePractice’s intake tools all do this; budget roughly $10 to $50 a month depending on how much you need. That’s the entire cost of turning your riskiest touchpoint into a boring one.
One design note we push on every build: keep the first-contact form short. Name, contact method, a free-text box. You need enough to respond, not a clinical history. Less collected means less to protect.
2. Online booking
That “Book a consultation” button is a handoff, and the handoff matters. If your scheduler asks why someone’s coming in, or links a name to a therapy appointment, it’s handling PHI.
Practice-management platforms built for clinicians — SimplePractice, TherapyNotes, Jane — sign BAAs and keep scheduling, intake, and reminders inside one covered system. Embed their booking flow and your website’s job shrinks to pointing people at it. Generic schedulers are the trap: Calendly’s free and standard plans aren’t HIPAA-eligible, and BAA territory there starts at enterprise pricing.
The principle: your website makes the introduction. Your EHR keeps the records. Don’t let the website try to do the EHR’s job.
3. Analytics and ad pixels (the quiet one)
The Meta Pixel you added for one boosted post in 2024 has been watching visitors read your trauma therapy page ever since.
That’s not a metaphor. Ad pixels and analytics scripts send page paths, timestamps, and device identifiers back to the platform. On a bakery site, harmless. On a page called /emdr-for-ptsd/, that data starts to look like health information about identifiable people, and regulators have treated it that way. BetterHelp paid $7.8 million to settle FTC charges that it shared users’ health data with advertising platforms.
Google, for its part, won’t sign a BAA covering Google Analytics, which tells you where it stands.
Our take: pull the ad pixels off the site entirely. Retargeting someone who just read about trauma therapy is a bad trade before you even reach the legal exposure. It’s exactly the kind of surveillance your future clients fear. If you want traffic numbers, privacy-first tools like Plausible or Fathom count visits without profiling visitors. You’ll survive without demographic dashboards; honestly, most solo practices never opened them anyway.
4. Email replies and the newsletter
The form did its job. Now watch the reply. A Friday-afternoon inquiry lands in your inbox and you answer from a free Gmail account with two appointment options. That thread now holds PHI in a consumer inbox with no BAA attached.
Free Gmail doesn’t come with a BAA. Google Workspace can, once you accept it in the admin settings. Hushmail was built for exactly this. Pick one, and keep every client-identifying conversation inside it or inside your EHR’s portal.
Newsletters are easier than people fear. A general mailing list is marketing. Segmenting that list by condition (“send this to my anxiety clients”) is where it stops being marketing, so don’t.
What a BAA actually is, in 60 seconds
A Business Associate Agreement is a contract in which a vendor that touches PHI on your behalf accepts HIPAA’s obligations for it: safeguards, breach duties, limits on use. You need one with any vendor that can see identifiable client information — your form tool, your scheduler or EHR, your email provider for client replies. The federal rules on business associates live at HHS.gov if you want the source text.
You don’t need one with your theme developer, your font library, or the designer who made your logo, because none of them ever see client data.
The working rule of thumb: if a vendor could read a client’s name next to a health detail, get a BAA or don’t route that data through them. No BAA, no PHI. There’s no charm exception for software you really like. We’ve broken down what the contract itself should contain in our guide to the key elements of a BAA for therapist websites.
Are Wix and Squarespace HIPAA compliant?
No. Neither signs a BAA on standard plans, and their built-in forms aren’t built for PHI.
That doesn’t make them useless. You can run a marketing site on either, if — and it’s a firm if — every client-data touchpoint runs through the BAA-covered embeds above. Plenty of therapists do. But notice what happened to the price: the $16-a-month site now carries a $10–$50 form tool, a practice-management subscription, and secure email, and you’re the systems administrator keeping three vendors on speaking terms. DIY builders run $12 to $40 a month on paper. The compliance-shaped gaps are where the real cost hides.
WordPress isn’t magically compliant either; no platform is. What it gives you is the freedom to choose every piece, including the BAA-signing ones, and to own the result. That’s also where a conversion-ready therapist template earns its keep: it solves design and structure. The data layer still comes from the tools above, and no template — including ours — makes anyone compliant on its own.
The 2026 rule change that isn’t final yet
The old version of this article claimed nothing new was coming. That aged badly, so here’s the current picture.
In January 2025, HHS proposed the largest update to the HIPAA Security Rule in over two decades: encryption and multi-factor authentication would become mandatory rather than “addressable,” with tighter vendor oversight throughout. The finalization target was spring 2026. That date has passed with no final rule published, OCR is still working through more than 4,700 comments, and nothing in the proposal is binding yet — the current Security Rule remains the law in force. The proposal itself is posted on HHS.gov.
What should a solo practice do with that? Not panic, mostly. The heavy lifting would land on the vendors holding your data. Which is one more argument for choosing form, booking, and EHR tools that already run encryption and MFA by default — if the rule lands, it becomes their engineering problem, not your weekend.
How we keep HIPAA at arm’s length from your website
We’ve built 500+ websites for therapists and coaches, and the calm practices share one habit: they keep PHI off the website entirely and let covered tools do the covered work.
So that’s what we build. HIPAA-aware design with BAA-covered forms wired in from day one, HTTPS on every page, guidance on connecting your EHR and booking system, and WCAG 2.1 accessibility so the site works for neurodiverse visitors too. Starting from zero, our private practice website design process runs about three to six weeks from strategy to launch. Website in a Week is the middle path when you need custom quality without the long timeline or the $6k-plus agency invoice; it’s quote-based, so ask.
The honest downside: done properly, this costs more than a builder subscription. Custom therapist websites generally run $3,000 to $15,000, and even the seven-day build needs you present for the strategy call and quick daily check-ins. What you get back is a site you own, with all four checkpoints handled and documented.
If you’d rather not become your own compliance department, get a custom quote through the Website Inquiry Form. The consultation is free, and we’ll tell you which of the four checkpoints your current site fails. It’s usually fewer than you fear.
A 10-minute audit for the site you have now
- Submit your own contact form, then check where it landed. A plain email in a free inbox is your first fix.
- Ask your form vendor for a BAA. No BAA on offer means the tool is disqualified for client data, full stop.
- Book a fake appointment through your own site. Note every question asked before a BAA-covered system takes over.
- View your page source and search for “fbq(”, “gtag(”, “googletagmanager” and “connect.facebook.net”. Then open your browser’s developer tools, reload the page, and look at the Network panel too: a tag manager or consent tool can inject pixels that never appear in the static source. Tracking scripts on therapy pages need a decision today.
- Check for the padlock on every page, the contact form above all. Without HTTPS, a form submission travels in the clear between the client’s browser and your server; no HTTPS in 2026 means your host has been asleep for a decade.
- Trace your reply habit. If inquiry answers go out through consumer email, move that conversation into BAA-covered email or your portal.
- Read your own privacy policy. If it doesn’t honestly describe your forms and tracking, it’s decoration, not protection.
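The tracker, mailto and plaintext-form checks in the audit above can be scripted against a saved copy of your page source. The scanner below is an added example, not code from the original article or from any vendor named in it. It covers the “fbq(” and “googletagmanager” search and generalizes it: external script tags and images pointing at known Meta and Google ad/analytics hosts, the inline bootstraps those tags leave behind, mailto links, and forms whose action posts over plain HTTP. The host list, the inline signatures, and the sample page (with placeholder IDs) are all constructed for this example; extend the lists for whatever else your site loads.

```python
"""Static scan of a therapy site's HTML for tracking pixels, mailto links and
insecure form actions. Added example using only the Python standard library."""
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader hosts for the trackers discussed in the article (Meta Pixel, Google
# Tag Manager / gtag.js, Google Analytics) plus Google's ad-conversion hosts.
# This list is an assumption for the example; add your own stack's hosts.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel noscript image (/tr)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
    "www.googleadservices.com": "Google Ads conversion",
    "stats.g.doubleclick.net": "DoubleClick (GA linker)",
}

# Signatures found in inline <script> bodies even when the loader itself is
# injected from somewhere else (a tag manager, a theme option, a plugin).
INLINE_PATTERNS = {
    "fbq(": "Meta Pixel init/track call",
    "connect.facebook.net": "Meta Pixel loader URL",
    "gtag(": "Google gtag snippet",
    "dataLayer.push(": "GTM dataLayer event",
    "GoogleAnalyticsObject": "legacy analytics.js bootstrap",
}


def _host(url):
    """Lower-cased hostname of a URL, or '' for relative/empty values."""
    return (urlparse(url).hostname or "").lower()


class _Scanner(HTMLParser):
    """Collects (kind, label, detail) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src") or ""
            if _host(src) in TRACKER_HOSTS:
                self.findings.append(("tracker_script", TRACKER_HOSTS[_host(src)], src))
        elif tag in ("img", "iframe"):
            # The Meta Pixel's <noscript> fallback is a 1x1 image to facebook.com/tr
            src = a.get("src") or ""
            if _host(src) in TRACKER_HOSTS:
                self.findings.append(("tracker_pixel", TRACKER_HOSTS[_host(src)], src))
        elif tag == "a":
            href = a.get("href") or ""
            if href.lower().startswith("mailto:"):
                self.findings.append(("mailto_link", "invites PHI into plain email", href))
        elif tag == "form":
            action = a.get("action") or ""
            if action.lower().startswith("http://"):
                self.findings.append(("plaintext_form", "form posts over HTTP", action))

    def handle_data(self, data):
        # html.parser delivers <script> bodies as raw text; buffer until </script>
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._script_buf)
            for sig, label in INLINE_PATTERNS.items():
                if sig in body:
                    self.findings.append(("inline_tracker", label, sig))
            self._script_buf = []
            self._in_script = False


def audit_html(html):
    """Return a list of (kind, label, detail) findings for one HTML document."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a therapy page with GA4, a Meta Pixel, a mailto link and a
# form posting over HTTP. IDs are placeholders, not real tag or pixel IDs.
SAMPLE_PAGE = """<!doctype html><html><head><title>EMDR for PTSD</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
<script>
  !function(f,b,e,v,n,t,s){/* Meta Pixel bootstrap elided */}(window,document,
  'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '0000000000000000'); fbq('track', 'PageView');
</script></head><body><h1>EMDR for PTSD</h1>
<noscript><img height="1" width="1" alt=""
 src="https://www.facebook.com/tr?id=0000000000000000&amp;ev=PageView&amp;noscript=1"></noscript>
<p>Questions? <a href="mailto:hello@example-practice.test">Email us</a></p>
<form action="http://example-practice.test/contact" method="post">
  <input name="name"><textarea name="message"></textarea></form>
</body></html>"""

if __name__ == "__main__":
    # Usage: python scan.py saved-page.html   (or no argument to scan the sample)
    html = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PAGE
    for kind, label, detail in audit_html(html):
        print(f"{kind:15} {label:35} {detail}")
```

Save a page's source from the browser (or fetch it with curl) and pass the file path. A clean finding list is necessary, not sufficient: this scans only what the server sent, so anything a tag manager or consent banner injects after load will show up only in the Network panel.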
Seven passes and you can stop worrying. A couple of fails? Most fixes here take an afternoon, not a project plan.
Questions therapists keep asking
Is Google Analytics HIPAA compliant?
No. Google won’t sign a BAA for Analytics, so it can’t be allowed near PHI. On a therapy site, where page visits themselves can be sensitive, the safer moves are privacy-first analytics (Plausible, Fathom) or none at all.
Do I need a BAA with my web hosting company?
Only if PHI actually lives on your server. Keep forms, booking, and client email in external BAA-covered tools and a standard host is fine — which spares you specialty HIPAA hosting that starts around $150 a month.
Can clients email me through a link on my website?
A mailto link invites PHI straight into unprotected email, and you can’t control what someone writes in that first message. Route inquiries through your secure form instead, and keep replies inside BAA-covered email or your client portal.
Will a therapy website template make me HIPAA compliant?
No template can, including ours. A template is the design layer. Compliance lives in the tools that handle client data and the agreements behind them.
Where this leaves your website
You don’t really need a “HIPAA compliant website for therapists.” You need a website that never earns the question: PHI stays inside BAA-covered tools, and the site sticks to marketing, which it’s better at anyway. Run the 10-minute audit this week. And if you’d rather hand the checklist to people who do this daily, start your website inquiry and we’ll map exactly what needs fixing.
