Here’s a solid HIPAA Compliance Website Checklist tailored for hospitals, clinics, and private practices, including orthopedics, neurosurgery, ENT, dermatology, family medicine, medical weight loss, and integrative medicine healthcare organizations.
🧠 Core Concepts
HIPAA (Health Insurance Portability and Accountability Act) applies whenever a website collects, stores, transmits, or processes Protected Health Information (PHI): anything that can identify a patient and relates to their health, treatment, or payment for care.
So even if your site isn’t running a full EHR (Electronic Health Record), things like contact forms, chat tools, appointment requests, and analytics tracking can trigger HIPAA obligations.
✅ HIPAA Website Compliance Checklist
1. Data Collection & Transmission
- Serve your medical website over HTTPS with a valid TLS certificate (often still called an SSL certificate) and TLS 1.2 or newer.
- Encrypt all form submissions that include PHI (TLS in transit plus encryption at rest).
- Ensure email notifications with PHI are either encrypted or replaced by secure portal alerts.
- Avoid standard contact forms (use HIPAA-compliant forms like High Level HIPAA Forms, PulseMD, Agency Atlas, or FormDr).
- Disable form auto-fill or caching of PHI in browsers.
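The transport and caching rules above, as an added example that is not code from the original checklist: a set of pure helpers that decide whether a request must be redirected to HTTPS, which TLS versions are accepted, and which headers a page should carry, plus a small Node.js wrapper that applies them to any existing request handler. The path prefixes (`/intake`, `/appointment`, `/contact`) are an assumption for illustration; substitute the routes on your own site that carry PHI forms.

```javascript
// Added example, not part of the original checklist. Assumed for illustration:
// the routes below are the ones that carry PHI forms on this hypothetical site.
const PHI_PATH_PREFIXES = ["/intake", "/appointment", "/contact"];

// TLS versions the site accepts; TLSv1 and TLSv1.1 are rejected.
const ACCEPTED_TLS = new Set(["TLSv1.2", "TLSv1.3"]);

// Passed to https.createServer(): Node's tls option that refuses older
// protocol versions at the handshake, before any request is parsed.
const TLS_SERVER_OPTIONS = { minVersion: "TLSv1.2" };

function isPhiPage(pathname) {
  return PHI_PATH_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + "/"));
}

// Returns null when the request arrived over TLS, otherwise the HTTPS URL to
// redirect to. Decide from the socket's own TLS state, not from a client-
// supplied header (unless a trusted proxy terminates TLS and you validate it).
function httpsRedirectTarget(host, pathname, isTls) {
  if (isTls) return null;
  return "https://" + host + pathname;
}

// Headers for a page. PHI pages get Cache-Control: no-store so neither the
// browser nor an intermediary keeps a filled-in form or confirmation page,
// and a CSP that permits only first-party scripts, so no third-party
// analytics or pixel can run on those pages. Other pages get a short cache.
function securityHeaders(pathname) {
  const headers = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
  };
  if (isPhiPage(pathname)) {
    headers["Cache-Control"] = "no-store";
    headers["Pragma"] = "no-cache";
    headers["Content-Security-Policy"] =
      "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; frame-ancestors 'none'";
  } else {
    headers["Cache-Control"] = "public, max-age=300";
  }
  return headers;
}

// Markup for a PHI input: autocomplete="off" asks the browser not to store
// or suggest the value. Browsers honour this for most fields but may ignore
// it for credential fields, so treat it as one layer, not the only one.
function renderPhiField(name, label) {
  return (
    '<label for="' + name + '">' + label + "</label>" +
    '<input id="' + name + '" name="' + name + '" type="text" autocomplete="off" spellcheck="false">'
  );
}

// Node.js glue: wraps an existing (req, res) handler. req.socket.encrypted is
// set by Node's https server; getProtocol() reports the negotiated version.
function withHipaaTransport(handler) {
  return (req, res) => {
    const host = req.headers.host || "localhost";
    const isTls = Boolean(req.socket && req.socket.encrypted);
    const redirect = httpsRedirectTarget(host, req.url, isTls);
    if (redirect) {
      res.writeHead(301, { Location: redirect });
      res.end();
      return;
    }
    if (isTls && typeof req.socket.getProtocol === "function" &&
        !ACCEPTED_TLS.has(req.socket.getProtocol())) {
      res.writeHead(426);
      res.end("TLS 1.2 or newer required");
      return;
    }
    const pathname = req.url.split("?")[0];
    for (const [name, value] of Object.entries(securityHeaders(pathname))) {
      res.setHeader(name, value);
    }
    handler(req, res);
  };
}
```

Use `withHipaaTransport(yourHandler)` as the listener for `https.createServer({ ...TLS_SERVER_OPTIONS, key, cert }, ...)` and for the plain HTTP listener that exists only to redirect. The `no-store` plus first-party-only CSP on PHI pages is the enforcement behind the checklist's "no caching" and "no tracking scripts where PHI is collected" items; the prefix list is the single place to keep in sync with the site's forms.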
2. Hosting & Infrastructure
- Host on a HIPAA-compliant server (e.g., AWS with BAA, Atlantic.Net, or Google Cloud Healthcare).
- Maintain a Business Associate Agreement (BAA) with the host.
- Ensure daily encrypted backups of the database.
- Use secure SFTP or equivalent protocols for file transfers.
3. Third-Party Services
- Only integrate with vendors who sign a BAA — this includes:
  - Email services (e.g., Paubox, Google Workspace with BAA)
  - CRMs or marketing platforms (e.g., Salesforce Health Cloud, HubSpot Enterprise with BAA)
  - Telehealth tools or chatbots.
- Avoid using tracking scripts (Google Analytics, Meta Pixel, Hotjar, etc.) on pages where PHI is collected.
- Use a HIPAA-compliant analytics platform (e.g., Matomo on a private server, or Google Analytics 4 configured to avoid PHI collection).
4. Access Control & Security
- Restrict access to PHI with role-based permissions.
- Implement 2FA (two-factor authentication) for admin logins.
- Enforce password complexity & expiration policies.
- Maintain an audit trail of all access and changes.
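The four access-control items above, as an added example (not code from the original checklist): a deny-by-default authorization check for the website's admin side that combines role-based permissions, a 2FA requirement for privileged roles, a password-complexity check, and an append-only audit trail that records denied attempts as well as granted access. The roles, permission names, and session shape are constructed for illustration.

```javascript
// Added example, not part of the original checklist. Roles, permissions and
// the session object are constructed for illustration.
const ROLE_PERMISSIONS = {
  "front-desk": new Set(["inquiry:read", "appointment:read", "appointment:write"]),
  clinician: new Set(["inquiry:read", "inquiry:write", "appointment:read", "appointment:write"]),
  "site-admin": new Set(["cms:write", "users:write", "audit:read"]),
};

// Roles that may touch PHI or change the site must have completed 2FA for
// the current session; a password-only session is refused even if the role
// would otherwise allow the action.
const MFA_REQUIRED_ROLES = new Set(["clinician", "site-admin"]);

// In production this goes to storage the web app cannot silently rewrite
// (append-only log, SIEM). It is an in-memory array so the example runs alone.
const auditTrail = [];

function recordAudit(entry) {
  auditTrail.push({ at: new Date().toISOString(), ...entry });
}

// Returns true only when every check passes. Every outcome, allowed or
// denied, is written to the audit trail with the reason, so a reviewer can
// see failed attempts against PHI, not just successful reads.
function authorize(session, permission, resourceId) {
  const base = {
    user: session ? session.userId : null,
    role: session ? session.role : null,
    permission,
    resourceId,
  };
  if (!session || !session.userId) {
    recordAudit({ ...base, outcome: "deny", reason: "unauthenticated" });
    return false;
  }
  if (MFA_REQUIRED_ROLES.has(session.role) && !session.mfaVerified) {
    recordAudit({ ...base, outcome: "deny", reason: "mfa-required" });
    return false;
  }
  const perms = ROLE_PERMISSIONS[session.role];
  if (!perms || !perms.has(permission)) {
    recordAudit({ ...base, outcome: "deny", reason: "no-permission" });
    return false;
  }
  recordAudit({ ...base, outcome: "allow", reason: "role-permission" });
  return true;
}

// Complexity check applied when a password is set: minimum length plus one
// character from each class. Expiration is a scheduled job, not shown here.
function passwordMeetsPolicy(pw) {
  return (
    typeof pw === "string" && pw.length >= 12 &&
    /[a-z]/.test(pw) && /[A-Z]/.test(pw) && /\d/.test(pw) && /[^A-Za-z0-9]/.test(pw)
  );
}

// Query helper for reviewers: all audit entries whose fields match the filter.
function auditEntries(filter) {
  return auditTrail.filter((e) => Object.entries(filter).every(([k, v]) => e[k] === v));
}
```

Call `authorize(req.session, "inquiry:read", inquiryId)` before any handler reads or changes a patient inquiry, and surface `auditEntries({ outcome: "deny" })` in the admin reporting the checklist's "audit trail" item asks for. One caveat on the password check: it implements the composition rule the checklist names, but NIST SP 800-63B now favours length and screening against breached-password lists over composition rules and forced periodic rotation, so pair this check with a breached-password lookup if your risk assessment allows it.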
5. Content, Cookies & Tracking
- Include a HIPAA-compliant Privacy Policy detailing PHI handling.
- Include a Notice of Privacy Practices (NPP) accessible on the site.
- Use a cookie consent manager configured to block trackers until consent is given.
- Do not store IP addresses, referrers, or session data linked to PHI.
6. Patient Communication
- Use secure messaging portals instead of email for patient inquiries.
- Do not publish testimonials containing PHI without written patient consent.
- Do not use live chat tools unless they’re HIPAA-compliant (e.g., Compliancy Group, MedChat, or LiveChat with BAA).
- For appointment scheduling, use tools with BAAs (e.g., SimplePractice, NexHealth, or IntakeQ).
7. Maintenance & Training
- Conduct annual HIPAA risk assessments.
- Document all BAAs and security policies.
- Provide staff HIPAA training for handling website inquiries.
- Maintain a breach response plan.
8. Marketing & Remarketing
- No retargeting ads based on health service page visits.
- Only use anonymized data for campaign performance.
- Do not share PHI with ad platforms (Google, Facebook, etc.).
- Avoid embedding social media widgets that track user behavior on pages handling PHI.
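The tracker rules from section 3 (no tracking scripts on PHI pages), section 5 (consent manager that blocks trackers until consent, no stored IPs linked to PHI) and section 8 (no retargeting from health-service page visits) all reduce to one loading policy, shown here as an added example that is not code from the original checklist. The tracker catalogue, the path prefixes, and the `ads.example` / `replay.example` hosts are constructed for illustration; the page-side wiring assumes the consent manager stores its choices as JSON under a `consent` key in `localStorage`.

```javascript
// Added example, not part of the original checklist. Path prefixes, tracker
// catalogue and the consent storage key are assumptions for illustration.
const PHI_PATH_PREFIXES = ["/intake", "/appointment", "/contact", "/patient-portal"];
const SERVICE_PATH_PREFIXES = ["/services", "/conditions"];

// Constructed catalogue. Each tracker declares the consent category it needs.
// Self-hosted analytics (Matomo on your own server) is still gated by consent
// but, unlike the other two, sends nothing to an outside platform.
const TRACKERS = [
  { id: "self-hosted-analytics", category: "analytics", thirdParty: false, src: "/js/analytics.js" },
  { id: "ad-pixel", category: "marketing", thirdParty: true, src: "https://ads.example/pixel.js" },
  { id: "session-replay", category: "analytics", thirdParty: true, src: "https://replay.example/rec.js" },
];

function underPrefix(pathname, prefixes) {
  return prefixes.some((p) => pathname === p || pathname.startsWith(p + "/"));
}
function isPhiPage(pathname) { return underPrefix(pathname, PHI_PATH_PREFIXES); }
function isServicePage(pathname) { return underPrefix(pathname, SERVICE_PATH_PREFIXES); }

// Decision for one tracker on one page. Rules, in order:
//   1. nothing loads on a page that collects PHI (section 3);
//   2. marketing trackers never load on health-service pages, so a visit to
//      a condition page cannot feed a retargeting audience (section 8);
//   3. otherwise the visitor must have consented to that category (section 5).
// The reason is returned so the caller can log why a tracker was withheld.
function trackerDecision(tracker, pathname, consent) {
  if (isPhiPage(pathname)) return { load: false, reason: "phi-page" };
  if (tracker.category === "marketing" && isServicePage(pathname)) {
    return { load: false, reason: "service-page-no-marketing" };
  }
  if (!consent || consent[tracker.category] !== true) {
    return { load: false, reason: "no-consent:" + tracker.category };
  }
  return { load: true, reason: "consented" };
}

// Applies the policy to the whole catalogue. `inject` is passed in so the
// function is testable without a DOM; in a page it appends a <script>.
function applyTrackerPolicy(pathname, consent, inject) {
  const result = { loaded: [], blocked: [] };
  for (const t of TRACKERS) {
    const d = trackerDecision(t, pathname, consent);
    if (d.load) {
      inject(t.src);
      result.loaded.push(t.id);
    } else {
      result.blocked.push({ id: t.id, reason: d.reason });
    }
  }
  return result;
}

// Masks the last IPv4 octet before an analytics event is stored, so a kept
// record cannot be tied to one visitor's address. Returns null for anything
// that is not a well-formed IPv4 address (IPv6 is out of scope here).
function anonymizeIpv4(ip) {
  const parts = String(ip).split(".");
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) return null;
  parts[3] = "0";
  return parts.join(".");
}

// Browser wiring, skipped when no DOM is present: read the consent manager's
// saved choices and apply the policy for the current page.
if (typeof document !== "undefined") {
  let saved = null;
  try { saved = JSON.parse(localStorage.getItem("consent") || "null"); } catch (e) { saved = null; }
  applyTrackerPolicy(location.pathname, saved, (src) => {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  });
}
```

Load this script in the document head before any tracker tag, and re-run `applyTrackerPolicy` from the consent manager's "choices changed" callback. Because the PHI and service-page rules sit above the consent check, a visitor clicking "accept all" on an intake page still gets no third-party script there, which is the behaviour the checklist asks for.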
⚙️ Optional: HIPAA-Safe Stack Agency Tools
Hosting: DNN4Less.com or AWS (BAA)
Forms: High Level HIPAA Compliant Forms
Email: Google Workspace BAA
Analytics: Matomo on private server
AI: Custom Trained, Closed Source Large Language Model on Private Intranet
Chat: MedChat or Compliancy Group’s solution
CMS: DNN, Sanity, WordPress hardened with HIPAA plug-ins and managed BAA host
Agency: HIPAA Compliance trained