How to Have a HIPAA-Compliant Website
Practical steps to keep PHI out of non-BAA website systems and reduce HIPAA Security Rule risk.
HHS/OCR has proposed the first major update to the HIPAA Security Rule since 2013. It reflects a clear regulatory direction: healthcare providers and their business associates are expected to take stronger, more specific steps to safeguard Protected Health Information (PHI). The good news is that you and Brazzell Marketing Agency are in this together. Brazzell Marketing Agency designs and hosts websites for healthcare providers, including home care agencies. When a healthcare website form can transmit PHI through our hosting environment, we are not just a vendor standing on the sidelines. We share responsibility for the parts of the website system we design, host, maintain, or route. That is why we are taking a leading role in our industry and updating our healthcare website standards. Our goal is simple: help our clients reduce unnecessary regulatory risk.
Maintain a Zero-PHI Server Architecture
For a quick summary, to have a website that protects against privacy-violation risks, follow these instructions.
- The Zero-PHI Solution: Do not collect or transmit personally identifiable information on the website, except for applicant information.
  - No contact forms
  - No visitor tracking
  - Job inquiry forms and applications may be acceptable, but merit special attention from providers offering consumer-directed personal care services.
  - Emphasize using fonts that are self-hosted or from the user’s browser. Commonly used linked-to font libraries present HIPAA concerns by quietly transmitting the visitor’s IP address to third-party servers.
  - If you build your website in WordPress, be aware of what every single plugin is doing with your data.
  - To update a website designed by Brazzell Marketing Agency, the modifications suggested above can usually be accomplished with 1.5 hours of work ($127.50). Contact us.
- Use a Contact-Form Vendor: Contact forms are optional on your website. To have high-converting, HIPAA-compliant contact forms, keep the underlying mechanics of the forms off your website. Instead, host your contact forms with a HIPAA-capable form source such as Hushmail. Your website can embed this encrypted Hushmail contact form without PHI being collected or transmitted by your main website.
  - The Setup Investment: We can set up Hushmail for you and embed encrypted contact forms for you. If Brazzell Marketing Agency designed your website, these updates can be accomplished efficiently. For labor costs, we estimate one hour ($85) for the contact forms, 30 minutes for the job inquiry form if needed ($42.50), and one hour for the referral form if needed ($85). That’s $85 to $212.50 for the set-up of a done-for-you solution.
  - There is also a solution where you can set up and manage Hushmail yourself. You can use their drag-and-drop form builder to create the forms you want to replace on your website. Then, send us the “embed form” script for each form. We can put the script(s) on the website for you with 45 minutes to 90 minutes of work, depending on the number of forms ($64.50 to $129).
  - The Operational Cost: A secure, BAA-backed platform subscription through Hushmail starts at $165 annually. More complex or highly customized enterprise form systems are available for higher fees.
  - Estimated Total Upfront Cost for Contact Form Updates on an Existing Website: With set-up costs and the subscription fee, your website can be using secure, encrypted forms built for the current regulations for upfront costs of $229.50 to $377.50, depending on the number of forms and level of service you choose.
- Publish a Privacy Notice: Make sure your privacy notice meets all requirements. More on that later.
- Establish Verified Legal Accountability: Never rely on generic verbal assurances of safety from a digital vendor.
  - Demand Documentation: Obtain written documentation explaining whether and how the website may collect, transmit, store, log, or route personally identifiable information.
  - Deploy a Dedicated Compliance Ally: Partner with a specialized healthcare digital agency like Brazzell Marketing Agency to build, monitor, and insulate your healthcare brand from ongoing regulatory exposure.
If your website needs any of the updates described above, now is the time to mitigate those regulatory risks. For our websites, we can perform all the technical work for you for $340. You have an ongoing cost of $165 yearly from Hushmail, which we can also set up for you.
A Warning About Warnings
Some readers may have developed a natural skepticism of regulatory compliance advice where the medicine is worse than the malady. As a marketing agency, we approach this as business consultants: risk-aware, not risk-averse. Even with that being the case, we recognize a mounting business risk. As your website designer and host, we share responsibility for reducing that risk in the parts of the website system we design, host, maintain, or route. Below, we explain the nature of that risk and the government’s seriousness about data security in 2026. We understand frustration, skepticism, and more, because we feel it, too. The rules are harder to understand than the fix is to implement. For an agency owner with Brazzell Marketing Agency as a partner in PHI protection, the action plan above is easily and cost-efficiently implemented. Taking action now will put a healthcare provider on an inexpensive risk-mitigation plan that is industry leading and worthwhile.
A Changing Regulatory Environment
In 2024 and 2025 combined, the United States saw more than 1,400 large-scale breaches of protected health information, affecting more than two million patients. Government is responding. Formerly, technical specifications such as audit logging, full encryption of data, and multi-factor authentication were effectively recommendations rather than strict requirements. Healthcare providers felt some freedom to assess their risk and provide suitable alternative security measures, as long as the technical assessment was well documented.
Things are changing. A proposed security rule, HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, signals the current direction of regulators. Security recommendations that were “addressable” become “required.” While that rule has been working its way through the finalization process for the past five months, signals from the regulatory environment suggest that inspectors are already effectively enforcing it. Formerly, a healthcare provider may have felt free to justify consumer-grade website hosting of contact forms, explaining it collects a relatively low number of low-risk contact forms. Similarly, the healthcare provider may have addressed business-grade email systems, explaining patient information is only transmitted incidentally. Today, inspectors are likely to reply that the email they want you to have costs $4.50 per month, your contact form is unnecessary, and securing it the way they want only costs $15 per month (or free by the time you pay for five of those emails). Corrections will be required. If a healthcare provider is cited for willful neglect, fines start at $14,602 if you correct quickly or balloon into a minimum of $73,011 if you fail to correct in 30 days. The maximum fine for willful neglect of HIPAA technical requirements reaches almost $2.2 million dollars.
It seems that even practitioners operating in good faith may see hefty fines related to HIPAA compliance.
- Syracuse ASC (Ransomware & Missing Analysis): A small ambulatory surgery center was hit by a ransomware attack. (Shumaker) OCR found that Syracuse ASC had never conducted an accurate and thorough risk analysis. Syracuse ASC paid $250,000 and accepted a two-year corrective action plan requiring formal risk analysis, risk management measures, policy revisions, and annual training. The lesson is direct: small and single-facility providers are not exempt from HIPAA Security Rule expectations.
- The "Risk Analysis Initiative" Crackdown: OCR has launched a Risk Analysis Initiative focused on a foundational HIPAA Security Rule requirement: regulated entities must conduct an accurate and thorough risk analysis. Recent examples include a $5,000 settlement with a small diagnostic imaging provider that had not conducted a HIPAA risk analysis, a $75,000 settlement with a billing business associate after a ransomware breach, and an $800,000 settlement with a large health system involving access-control failures. The amounts vary, but the pattern is consistent: OCR is treating risk analysis, risk management, access controls, breach response, and documentation as core obligations, not paperwork preferences. These settlements show that OCR is enforcing this requirement against both covered entities and business associates, with corrective action plans requiring comprehensive risk analysis, risk management measures, policy revisions, and workforce training. The practical lesson is that a software setup, IT vendor relationship, or informal security practice is not the same thing as a documented, enterprise-wide risk analysis that maps where PHI is created, received, maintained, or transmitted. (Nixon Peabody LLP) (Accountable)
- Periodic Security Risk Analysis is Thorough or Invalid: The law requires healthcare providers to conduct a periodic security risk analysis. But simply having the document is no insurance. It must be complete and cover every point where patient-identifiable information is created, transmitted, or stored. Email and website should be considered. Leaving an entire system out of the scope of the evaluation—even if the clinician genuinely thought it didn’t handle patient data—means the risk analysis legally fails the statutory requirement to be "accurate and thorough" (45 C.F.R. § 164.308(a)(1)(ii)(A)).
Case in point: In an OCR settlement with healthcare software company MMG Fusion, investigators handled a breach involving patient communication software and PHI that included names, phone numbers, mailing addresses, email addresses, dates of birth, and appointment information. OCR concluded that MMG had impermissibly disclosed PHI, and failed to conduct an accurate and thorough risk analysis. The case illustrates why a risk analysis must account for systems that create, receive, maintain, or transmit patient-identifiable communication data, not just traditional medical records. (Hunton Andrews Kurth) (Hunton Andrews Kurth [2])
Case in point: The NewYork-Presbyterian Web Tracker Settlement. New York-Presbyterian (NYP) deployed standard tracking scripts—including the Meta Pixel, Google Analytics, and The Trade Desk—on its public-facing website to optimize digital marketing campaigns and track user engagement. When regular users visited the public site to research health conditions, look up specialists, or click through to schedule an appointment, the URLs generated by their searches often contained specific medical terms (e.g., conditions or specialties). The tracking pixels packaged these descriptive URLs along with the user's IP address and browser cookies, transmitting the data back to third-party tech firms. NYP even used Meta pixel data to create "lookalike audiences" to target advertising to users with similar health profiles. Following an investigative report by The Markup and the hospital's subsequent breach, New York Attorney General Letitia James launched an investigation. The state found that NYP had no Business Associate Agreements (BAAs) with these tech platforms and had impermissibly disclosed protected information. NYP agreed to pay a $300,000 fine to the State of New York. More importantly, they were mandated to implement strict tracking-tool governance, conduct mandatory pre-deployment audits of all third-party code, and formally instruct the tech companies to delete the improperly disclosed patient data. Treating a public-facing corporate website as "exempt" from data security protocols is a massive blind spot. (The HIPAA Journal [1]) (New York State Attorney General [1]) (The HIPAA Journal [2]) (American Health Law Association) (The HIPAA Journal [3]) (New York State Attorney General [2]) A later federal court decision, AHA v. Becerra, narrowed OCR’s ability to treat every public webpage visit plus an IP address as a HIPAA disclosure. More about that below. 
The New York-Presbyterian settlement still matters because it shows that public-facing healthcare websites, tracking scripts, search behavior, appointment pathways, and third-party marketing tools can create serious privacy and enforcement risk.
Are You a Covered Entity? Does HIPAA Apply to Your Business?
As a healthcare provider, you are a “covered entity” under federal HIPAA rules if you transmit health information electronically in connection with an HHS "standard transaction." The most common trigger is billing—electronically sending and receiving information with a third-party payor such as an insurance company, health plan, Medicare, or Medicaid. However, just because this qualification frequently revolves around how you bill, do not mistake the rules to only apply to information in your billing cycle.
If your business is a strict private-pay agency that only invoices patients, clients, or families directly, you might not be a federal covered entity based on your billing. But be careful: the moment you or your staff log into an electronic portal to check a client's insurance eligibility, digitally submit a prior authorization request, or coordinate benefits, you instantly cross the line into a covered entity. Furthermore, many state-level privacy laws completely eliminate the "cash-only" protection theory, holding private-pay providers to strict data security mandates regardless of how the money changes hands. If you handle patient health data, building a secure, compliant infrastructure may be the safer baseline, regardless of your HIPAA-covered entity status.
The Key to Information Partnerships – The Business Associate Agreement
The law requires certain vendors and subcontractors that handle your HIPAA-protected information on your behalf to sign a Business Associate Agreement (BAA). The BAA requirement is for a vendor or subcontractor that creates, receives, maintains, or transmits PHI on behalf of a covered entity or business associate. A BAA is not a general privacy promise or a checkbox on a vendor’s website; it is typically a signed contract between the healthcare provider and the vendor that governs how the vendor may use, disclose, safeguard, and return or destroy PHI. One feature of being a Business Associate is that the vendor takes on direct federal legal accountability for its own HIPAA obligations, including: Security Rule compliance, impermissible uses/disclosures, and cooperation with OCR investigations.
A BAA does not erase your risk, but being a Business Associate legally puts the vendor on its own regulatory chopping block. That’s why some vendors are averse to signing them, but refusal to sign is no protection. The BAA does not create the legal liability. It only clarifies it. Under the law, creating, receiving, maintaining, or transmitting PHI on behalf of a healthcare provider can make a vendor a Business Associate, with or without the signed contract.
What Information is Protected by HIPAA?
HHS defines protected health information broadly, and that broad definition matters on websites. If anyone can discern who your patient is, that’s protected health information. The conversation has shifted from medical charts and billing records to “personally identifiable information” (PII). Without a Business Associate Agreement from the third-party platform, sharing any unique identifying number, characteristic, or code (intentionally or unintentionally) can be a violation. Top examples include:
- Names
- Phone numbers
- Fax numbers
- Email
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Any geography more specific than a state
- Any date more specific than a year (birth, admission, death, etc.)
- Vehicle identifiers such as license plate numbers
- Device identifiers and serial numbers
- URLs
- IP Addresses
- Biometrics, including fingerprints, voiceprints, and similar identifiers
- Full-face photographs and comparable images
Real-World Violations Commonly Found on Healthcare Websites
These are common website features that can quietly create privacy exposure when placed on healthcare websites without review, consent, BAAs, or technical controls.
- Ad-tracking pixels (Meta, Google, etc.)
- Visitor tracking scripts such as Google Analytics
  - Note: Brazzell Marketing Agency is developing a new website activity tracker called SecureCounter™. It will be self-hosted on your website. It will count and organize website referral sources, conversions, page loads, and other activity useful in marketing analysis. It does so without collecting IP addresses, cookies, device IDs, user agents, persistent IDs, or anything linkable to a person.
- Email newsletter subscription forms
- Contact forms
- Referral forms
- Missing or incomplete privacy notices
- Testimonials and patient photos
  - Providers often say they have permission, but informal permission or a standard release form is not the same thing as a HIPAA authorization. A valid HIPAA authorization for testimonials or patient photos must include specific required elements, including the person’s right to revoke the authorization.
Employment and Applicant Records Are Usually Not HIPAA Records
If you go to purge your website of submit forms, here’s one you may be able to keep: the job inquiry form and employment application. Applicants deserve reasonable privacy and security precautions, but ordinary job-application records are usually employment records, not PHI, when the provider holds them in its role as an employer. (45 C.F.R. § 164.501)
One exception to this may be providers who participate in consumer-directed healthcare programs (aka paid family caregiver programs). Does your website’s job inquiry form exclusively fit professional aide situations, or does it also attract submissions from family members and future clients interested in a consumer-directed program? In the latter case, the job inquiry form may need to be modified or removed to keep client/care-related information out of the ordinary website workflow.
Does Your Website Privacy Notice Protect You or Put You at Risk?
HIPAA requires covered entities to provide a Notice of Privacy Practices, and a covered entity that maintains a website about its services must prominently post the notice there. Under 45 CFR § 164.520(b)(1)(vii), a HIPAA Notice of Privacy Practices (NPP) must contain the specific name or title, and telephone number, of a designated person or office to contact for further information or to file a complaint. Recent HHS updates also show why unmanaged notices are dangerous: as of February 16, 2026, covered entities that create or maintain certain Substance Use Disorder/Part 2 records must include specific information about those records in their NPP. Providers should not assume this is irrelevant simply because they are not a dedicated substance use disorder treatment program; the issue is whether the organization creates, receives, or maintains Part 2-protected records. This is of critical relevance for Medicare-certified home health, hospice, medical practices, and more. If an agency administrator drops a boilerplate notice onto their site without customizing the Privacy Officer details, that notice is facially non-compliant. It can also create FTC risk: Section 5 of the FTC Act prohibits unfair or deceptive practices, and privacy policies can become evidence against an organization if they promise practices the organization does not actually follow. HHS actively maintains official Model Notices of Privacy Practices templates in plain-text formats. While Brazzell Marketing Agency, as a website designer and host, can help clients address website technical security issues, it is usually in the provider’s best interest to compose and approve the privacy notice internally through a deliberate policy-setting and review process and/or with the help of a compliance consultant.
Website Hosting with a Business Associate Agreement
As stated before, our top recommendation for small-business website HIPAA compliance is to remove all website elements that would create, transmit, or store PII, and to optionally offload contact form functions to a HIPAA-capable form provider such as Hushmail. Of course, if the entire website were hosted by a provider offering a Business Associate Agreement, outsourcing the form function could be avoided. Unfortunately, under the current regulatory environment, we have found traditional website hosting that offers a Business Associate Agreement very hard to find. Such providers may be rumored to offer traditional website hosting for $99 per month with a BAA, but in practice, the actual packages start closer to $250 per month. What’s more, even though these providers sign Business Associate Agreements, they push onto you not only responsibility for the website itself but also the choice of host management software, multifactor authentication, audit logging that meets the requirements, encryption, and everything else. For the small healthcare providers we serve, premium healthcare website hosting under a BAA often appears to be more infrastructure than they need and more administration than they are prepared to manage.
The Danger of WordPress
Healthcare providers should seriously reconsider using WordPress or any similar, plugin-heavy content management system. Offloading the contact form to a HIPAA-capable host is only part of the work when WordPress is involved. WordPress relies on a sprawling ecosystem of core functionality and third-party plugins. In ordinary use, it can become a telemetry engine running without the full awareness of the healthcare provider or the typical WordPress designer. Common plugins and features quietly transmit IP addresses, device user-agents, and other data often protected under HIPAA. The data is transmitted to corporate vendors without a Business Associate Agreement.
How to Have A HIPAA-Safe WordPress Website
Most healthcare providers should have their websites directly coded, rather than using content management systems full of HIPAA traps. However, if there is a need for WordPress, a designer who is knowledgeable of HIPAA can strip your WordPress of all functions and plugins that can leak PII or store it inappropriately.
Examples of WordPress Plugins and Features that Can Create Regulatory Risk
Jetpack (Automattic)
Jetpack is not a local plugin; it functions by linking the local WordPress site to WordPress.com cloud servers. Jetpack actively logs visitor data to optimize features. Its official privacy documentation confirms that for general tracking and site stats, it syncs the visitor’s IP address, WordPress.com user ID (if logged in), User Agent, Referring URL, and Timestamp.
Gravatar
WordPress natively queries Automattic's Gravatar servers to look up profile pictures for users based on an MD5 hash of their email address. If a patient logs into a portal or leaves a comment, an external query is made that exposes their hashed email to a third party. Some themes have Gravatar’s image fetching function baked into page templates even if comments are disabled.
Emojis (wp-emoji)
By default, older or unoptimized WordPress installations load emoji scripts from a third-party Content Delivery Network (CDN) like s.w.org rather than hosting them locally. A visitor's IP address is exposed to an outside CDN just to render a smile icon on a healthcare page. The larger point is that in WordPress, even simple decorations can cause PII to get transmitted to others.
WP-Cron
WordPress handles scheduled tasks (like checking for updates) by triggering a background script every time a visitor loads a page. This permits active cloud-hybrid plugins to capture live visitor telemetry (including IP addresses and requested URLs) from the active server thread and inadvertently pass it to third-party vendors without a BAA. Even if a feature is kept strictly internal, background operations like WP-Cron can silently store patient data in unencrypted error logs. If an attacker gains entry through an unrelated security flaw, these logs become an easy, unprotected target for data theft. The solution is to disable WP-Cron and replace it with a real server-side cron job that runs on a schedule rather than on visitor activity, but it’s rare that a WordPress designer would do this without being prompted.
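A worked example of the stripping described in this section, added here as an illustration rather than code from Brazzell Marketing Agency: a must-use plugin (assumed path wp-content/mu-plugins/zero-phi-hardening.php) that switches off the visitor-triggered WP-Cron, the emoji assets fetched from s.w.org, the Gravatar lookups, and any Google Fonts stylesheet a theme enqueues (so fonts must be self-hosted), and flags Jetpack for removal since no hook keeps it local. The local avatar image path and the cron schedule in the comments are assumptions.

```php
<?php
/**
 * Plugin Name: Zero-PHI Hardening (added example, not the agency's code)
 * Description: Cuts the third-party calls discussed above: visitor-triggered WP-Cron,
 *              emoji CDN, Gravatar, and hosted font stylesheets; warns if Jetpack is active.
 * Install:     copy to wp-content/mu-plugins/zero-phi-hardening.php (assumed path).
 *              Must-use plugins load on every request and cannot be switched off from the dashboard.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// 1. WP-Cron: stop spawning background tasks from visitor page loads.
//    The canonical place for this constant is wp-config.php; it is guarded here so the file
//    works even if wp-config.php was not edited. Then drive wp-cron.php from a real server
//    cron, e.g. (assumed path and schedule): */15 * * * * php /var/www/example/wp-cron.php
if ( ! defined( 'DISABLE_WP_CRON' ) ) {
    define( 'DISABLE_WP_CRON', true );
}

// 2. Emoji: remove the scripts, styles and editor plugin that pull emoji assets from s.w.org.
function zph_disable_emoji() {
    remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
    remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
    remove_action( 'wp_print_styles', 'print_emoji_styles' );
    remove_action( 'admin_print_styles', 'print_emoji_styles' );
    remove_filter( 'the_content_feed', 'wp_staticize_emoji' );
    remove_filter( 'comment_text_rss', 'wp_staticize_emoji' );
    remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
    add_filter( 'tiny_mce_plugins', function ( $plugins ) {
        return is_array( $plugins ) ? array_diff( $plugins, array( 'wpemoji' ) ) : array();
    } );
}
add_action( 'init', 'zph_disable_emoji' );

// 3. Gravatar: never send a hash of a user's or commenter's email address to gravatar.com.
//    Forces the "Show Avatars" setting off and, for themes that call get_avatar() or
//    get_avatar_url() directly, substitutes a local placeholder image (assumed to exist).
add_filter( 'pre_option_show_avatars', '__return_zero' );
add_filter( 'pre_get_avatar_data', function ( $args, $id_or_email ) {
    $args['url']          = get_stylesheet_directory_uri() . '/images/avatar.png';
    $args['found_avatar'] = false;
    return $args;
}, 10, 2 );

// 4. Hosted fonts and other known third-party asset hosts: refuse to emit a <link> or
//    resource hint that points at them, so the visitor's IP never reaches those servers.
define( 'ZPH_BLOCKED_HOSTS', array( 's.w.org', 'fonts.googleapis.com', 'fonts.gstatic.com', 'gravatar.com' ) );

function zph_is_blocked_host( $url ) {
    $host = wp_parse_url( (string) $url, PHP_URL_HOST );
    if ( ! $host ) {
        return false;
    }
    foreach ( ZPH_BLOCKED_HOSTS as $blocked ) {
        // Match the host itself and any subdomain of it (e.g. secure.gravatar.com).
        if ( $host === $blocked || substr( $host, -strlen( '.' . $blocked ) ) === '.' . $blocked ) {
            return true;
        }
    }
    return false;
}
add_filter( 'style_loader_src', function ( $src ) {
    return zph_is_blocked_host( $src ) ? false : $src; // false makes WordPress skip the stylesheet.
} );
add_filter( 'wp_resource_hints', function ( $urls, $relation_type ) {
    // Hints may be plain URLs or arrays with an 'href' key; drop dns-prefetch/preconnect to blocked hosts.
    return array_values( array_filter( $urls, function ( $hint ) {
        $href = is_array( $hint ) ? ( $hint['href'] ?? '' ) : $hint;
        return ! zph_is_blocked_host( $href );
    } ) );
}, 10, 2 );

// 5. Jetpack: it syncs visitor data to WordPress.com by design, so there is nothing to filter;
//    it has to be deactivated. Surface a persistent warning to administrators while it is active.
add_action( 'admin_notices', function () {
    if ( class_exists( 'Jetpack' ) && current_user_can( 'activate_plugins' ) ) {
        echo '<div class="notice notice-error"><p>Jetpack is active and syncs visitor IP addresses, '
           . 'user agents and referrers to WordPress.com. Deactivate it on this site.</p></div>';
    }
} );
```

After installing it, confirm the result from the browser's network panel on a few pages: the only hosts contacted should be your own domain and the embedded form vendor.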
Non-Compliant Websites May Jeopardize Your Insurance Coverage
When assessing the risk of knowingly skipping technical HIPAA security measures for your website, another point to add to the balance sheet is that of post-breach emergency costs. Even small home care agencies can accumulate 500 or more contact form inquiries over a year or two. The people submitting those forms reveal medical history, care needs, and diagnoses. If that website experiences a security exploit, you may be required to hire an independent digital forensics firm to audit the server, map the hacker's path, and identify exactly whose records were exposed. Even small, regional cybersecurity firms command $250 to $450 per hour. Basic localized investigations may start at $5,000 to $15,000.
Additionally, if that audit reveals that 500 or more records were exposed, you must notify every affected individual via first-class mail, provide mandatory credit monitoring, and report the incident to prominent local media outlets. You likely have insurance to pay for these costs, including specialized privacy legal counsel and postage. Unfortunately, if insurance investigators discover that PHI was being stored or transmitted through a website workflow that lacked required vendor agreements or basic security controls, the claim may become harder to defend. Some policies contain exclusions, warranties, minimum-security conditions, or application representations that can reduce or eliminate coverage when the insured ignores known compliance obligations. By offloading your contact forms to a properly configured, quality, BAA-backed form provider like Hushmail, your risk profile declines dramatically.
A Nuanced Discussion of Ad-Tracking Pixels
If you are satisfied with the statement that ad-tracking pixels represent more risk than benefit, you can skip this section. However, if you would like to dig into the nuances of how these pixels on your website create risk, read on.
AHA v. Becerra narrowed OCR’s ability to treat every visit to a public healthcare webpage as a HIPAA disclosure merely because a tracking tool received an IP address and page information. That ruling may reduce HIPAA exposure for general public-page browsing, but it does not make tracking tools safe on appointment pathways, form submissions, thank-you pages, patient portals, or pages where the interaction itself reveals a care relationship or health-related request. For a small provider, using tracking pixels on a healthcare website still requires trust in a narrow legal ruling, trust in future regulatory stability, and trust that staff or vendors will keep the scripts away from sensitive pages and conversion events.
AHA v. Becerra is not a shield against every privacy regulator. The FTC has used the Health Breach Notification Rule and the FTC Act against digital health companies that shared sensitive consumer health data with advertising platforms through pixels and similar tracking tools without proper notice, authorization, or consent. GoodRx paid a $1.5 million civil penalty, and BetterHelp agreed to return $7.8 million to consumers after FTC allegations involving sensitive health data shared for advertising purposes.
State privacy laws add another layer. In recent years, plaintiffs’ firms have filed waves of lawsuits and demand letters arguing that pixels, cookies, session-replay tools, chat widgets, and analytics scripts violate state wiretap or pen-register laws such as the California Invasion of Privacy Act. Some courts have rejected these theories, and the law is unsettled, but the litigation risk is real. AHA v. Becerra narrows one OCR/HIPAA theory; it does not automatically dispose of FTC, state attorney general, or private state-law claims.
Does My Website Need a Contact Form?
After you update your website to remove elements that collect, transmit, or store PHI, including ordinary contact forms, your website is designed to keep PHI out of the non-BAA website hosting. Then, do you want to incur the $165 yearly expense of having contact forms with a HIPAA-capable form host? Probably yes. Without a contact form option, the percentage of visitors who contact you will likely decline meaningfully. To maximize your website conversion rates without a contact form, publish the phone number and use click-to-call buttons, publish click-to-text links, and publish your BAA-backed email. Our website metrics show that, even with all these options available, 25% to 33% of website leads come over the contact form.
Conclusion: The Website Is Part of the Healthcare Privacy System
For many years, healthcare providers used various approaches where security standards were described in HIPAA regulations as addressable. The gap between addressable and required is closing. The practical and easy fix is to remove PHI from non-BAA website systems wherever possible. That means moving contact forms to HIPAA-capable providers, removing visitor tracking scripts, avoiding non-BAA newsletter subscription forms, self-hosting assets such as fonts when practical, and documenting how website information is handled. For small healthcare providers, this is not usually a complex technical project. The rules are harder to understand than the fix is to implement. Brazzell Marketing Agency is updating our healthcare website standards now because this protects our clients. The risks imposed by Security Rule enforcement are real, but so is our partnership. You are not alone. Now is the time to update your website so it reflects the seriousness of today’s HIPAA Security Rule environment.
