Plenty of therapists pay extra for “HIPAA hosting” they don’t need. If your website is a marketing site — your story, your specialties, a way to book a first call — it shouldn’t store client data at all, and good standard hosting covers you. HIPAA hosting for therapy websites only matters when the host actually stores protected health information. Here’s how to tell which side of that line you’re on.
What Your Web Host Actually Touches
Your web host stores your site’s files and its database. If that database holds only pages, images, and blog posts, HIPAA doesn’t apply to it. The moment it stores client names, intake answers, or session requests, it’s holding protected health information (PHI), and your host becomes part of your compliance picture.
That one distinction does most of the work in this whole decision.
We made the bigger argument — whether therapy websites need to be “HIPAA compliant” at all — in our guide to the real rules of HIPAA and therapist websites. Short version: a well-built therapy website shouldn’t store PHI in the first place. This post asks the narrower question that guide points to: what does that mean for the server your site lives on?
Three things usually sit on a hosting account: your site files, your database, and sometimes your email. The marketing copy is harmless. Form submissions and email are where PHI sneaks onto a server without anyone deciding it should.
When a Host Has to Sign a BAA
A Business Associate Agreement (BAA) is the contract HIPAA requires between you and any vendor that creates, stores, or transmits PHI on your behalf. The Department of Health and Human Services publishes sample BAA provisions if you want to see what one actually covers.
Your web host needs to sign one in two situations, and only two:
- Your site stores form data on the server. Many WordPress form plugins save every submission to your site’s database by default. If those submissions include anything a client shares about seeking therapy, your host is now storing PHI whether it knows it or not.
- You run a client portal or booking system on your own hosting instead of through an EHR or a dedicated scheduling vendor.
There’s a cleaner route than making your host sign paperwork: keep PHI off the server entirely. Use a form service that signs its own BAA and holds submissions on its infrastructure, not yours. Let your EHR handle the portal — it already signed a BAA, and patient records are its whole job. If you’re wiring the two together, our post on connecting EHR systems to your therapist website walks through how that handoff works.
The honest trade-off: this approach means monthly vendor fees and pieces of your setup living outside your hosting dashboard. You’re trading a little control and cost for a much smaller compliance surface. We think that trade wins every time for a solo or small group practice.
And here’s an opinion hosting companies won’t love: if a host is selling you “HIPAA compliant hosting” for a standard marketing site, they’re selling insurance against a risk you can design away for less.
The Security Basics Every Therapy Site Needs Anyway
No PHI on the server doesn’t mean no security. A therapy site that gets hacked and starts redirecting visitors to spam does trust damage no compliance badge repairs.
SSL. Non-negotiable, and free — most decent hosts include certificates through Let’s Encrypt and renew them automatically. Without SSL, browsers flag your site “Not Secure” next to your practice name. That warning alone loses you consult calls.
Backups. Daily, automatic, stored somewhere other than the same server, and tested. A backup you’ve never restored is a hope, not a plan.
The unglamorous rest. Malware scanning, a firewall, unique passwords, and two-factor authentication on your hosting account. Twenty minutes of setup, once.
None of this is HIPAA. It’s hygiene. Do it even if your site never touches a single piece of client data.
WordPress Hosting Hygiene for a Practice Site
WordPress runs most therapy websites, including the 500+ we’ve built, and it’s fine for a practice — when it’s maintained. Neglect is what makes WordPress risky, not WordPress.
The habits that matter: apply core and plugin updates within days, not months. Delete plugins and themes you’re not using instead of just deactivating them. Give every human their own login, and nobody gets admin who doesn’t need it.
Where you host matters too. Bargain-tier shared hosting is a false economy for a practice site — oversold servers, slow load times that cost you rankings, and support that shrugs when something breaks on a Friday night. Managed WordPress hosting costs more per month and is worth it: automatic updates, server-level firewalls, and a support team that has actually seen your problem before.
Every build we ship through our private practice website design service comes configured this way — SSL, hardened logins, BAA-compliant forms, and hosting set up so nothing sensitive lands in the site database. It’s the least glamorous part of what we do and probably the most protective. 
How to Choose Hosting for Your Therapy Practice
Work through these in order:
- Map where client information enters your site — every form, booking link, and email address.
- Move anything sensitive to vendors that sign BAAs (forms, scheduling, your EHR portal) so PHI never reaches your server.
- Confirm SSL is included and renews automatically.
- Verify daily automated backups with a restore option you’ve actually tested.
- Ask about malware scanning and a web application firewall — both should be included, not upsells.
- Require a BAA from the host only if PHI will genuinely live on the server. Most therapy sites shouldn’t need this step.
- Pick support you can reach. When your site goes down the week a directory feature spikes your traffic, response time is the feature you’ll care about.
If you get through step 2 properly, steps 3 through 7 are just choosing a good host — the same criteria any small business would use.
Questions Therapists Ask About HIPAA Hosting
Do I need HIPAA-compliant hosting for my therapy website?
Does my contact form make my host a business associate?
Is Wix or Squarespace hosting safe for a therapy practice?
Can I use the email that comes with my hosting plan?
Where This Leaves You
Sort your website into two buckets: the marketing site, which needs good ordinary hosting, and the client-data layer, which belongs with BAA-covered vendors. Get that split right and “HIPAA hosting for therapy websites” mostly stops being your problem. This is business guidance, not legal advice — run your final setup past your compliance counsel. And if you’d rather someone configure the whole thing correctly the first time, start with the website inquiry form and we’ll map it with you on a free consultation.
