Key Takeaways
- Not every healthcare website requires HIPAA-compliant hosting. It depends on whether your site has any feature that collects information from patients or prospective patients.
- A basic contact form is not a gray area for healthcare providers. A name and phone number submitted to a therapy practice or medical office is Protected Health Information because of the relationship context, not because of what the form asks.
- A HIPAA-compliant host must be willing to sign a Business Associate Agreement (BAA). Many popular hosting platforms, including Cloudways, do not offer BAAs and are not appropriate for healthcare sites that handle patient data.
- Standard Calendly does not offer a BAA on most plans. Using it for patient scheduling without confirming HIPAA compliance on your specific plan tier creates real compliance exposure.
- A properly configured WordPress site on HIPAA-compliant hosting, with the right forms and scheduling tools in place, can meet compliance requirements without a full rebuild.
HIPAA Website Compliance: A Plain-English Guide for Healthcare Providers
Before I became a web designer, I spent years working in healthcare — earning a Doctor of Pharmacy degree and contributing to clinical content, pharmacogenomics publishing, and healthcare provider education. HIPAA was never an abstract concept in that world. It shaped how patient information was handled, stored, and shared at every level of a practice.
So when healthcare providers ask whether their website needs to be HIPAA compliant, I understand the anxiety behind the question. You’ve heard the term, you know the stakes, and you’re not sure whether the website your office manager set up a couple of years ago is quietly creating a liability.
The answer, like most things in healthcare compliance, depends on the specifics — but the threshold is lower than many providers realize. This guide walks through what HIPAA actually requires of your website, what compliant hosting means in practical terms, and what a properly configured healthcare site looks like in practice.
Disclaimer: This post is intended for educational purposes only and does not constitute legal or compliance advice. Consult a qualified healthcare attorney or compliance officer for guidance specific to your practice.
Does Your Healthcare Website Actually Need to Be HIPAA Compliant?
The short answer is: it depends on what your website does — but the trigger is probably closer than you think.
HIPAA applies when a covered entity — a healthcare provider, health plan, or healthcare clearinghouse — creates, receives, maintains, or transmits protected health information (PHI). The critical thing to understand is that PHI is not limited to diagnoses or clinical records. Under the HHS Privacy Rule, PHI is any individually identifiable information that relates to a person's health condition, to the provision of healthcare to that person, or to payment for that care. The fact that someone is seeking or receiving care from your practice is itself information about the provision of healthcare, so a name and phone number become PHI as soon as they are linked to someone's status as a patient or prospective patient, regardless of whether any health condition is mentioned.
This means that a basic contact form on a therapy practice website is not a gray area. When a prospective patient submits their name and phone number to a therapist’s website, that submission creates PHI the moment it is associated with the healthcare provider relationship. The same applies to appointment request forms, new patient intake forms, and any scheduling tool that books visits for patients.
A purely informational website — one that displays your services, hours, and a phone number visitors can dial themselves, with no data collection features of any kind — does not inherently trigger HIPAA requirements for your hosting environment. Once your site has a form or data collection feature of any kind, the analysis changes.
Decision guide
Does your healthcare website have any forms or features that collect information from patients or prospective patients?
If the site is fully static (display only), meaning it contains only:
- Services, hours, and location as text
- Staff bios and credentials
- Blog or educational content
- A phone number or email address displayed for visitors to use
then standard hosting is sufficient. No patient data passes through your site, so hosting-level HIPAA requirements do not apply.
If the site includes any of:
- A contact or inquiry form (name + phone = PHI in a healthcare context)
- New patient or intake forms of any kind
- Appointment request or scheduling tools
- A patient portal or login area
then HIPAA-compliant hosting is required. A BAA with your hosting provider is mandatory, and the technical safeguards apply to the full environment.
Why a basic contact form counts: a name and phone number linked to a healthcare provider relationship is Protected Health Information regardless of whether any diagnosis or condition is mentioned.
Note on HIPAA applicability and cash-pay practices: HIPAA applies to a provider that is a "covered entity," which generally means the provider electronically bills insurance or conducts other standard electronic healthcare transactions. A cash-pay private practice that does not bill insurance electronically may fall outside federal HIPAA jurisdiction, but state privacy laws and professional ethical codes regarding client data still apply. Most compliance advisors recommend treating all patient contact information as protected regardless of billing structure; when in doubt, do so.
What HIPAA-Compliant Website Hosting Actually Means
HIPAA-compliant hosting is not a certification or a product category with a clear definition. It is a set of technical and administrative safeguards that a hosting provider must have in place — and, critically, must be willing to contractually commit to.
The Business Associate Agreement
The single most important factor when evaluating a hosting provider for a healthcare website is whether they will sign a Business Associate Agreement (BAA). A BAA is a contract in which the hosting provider acknowledges that they may come into contact with PHI on your behalf and agrees to handle it in accordance with HIPAA requirements.
Without a signed BAA, the hosting relationship does not meet HIPAA standards — regardless of what security features the provider offers. This is worth stating clearly: some of the most widely used and technically capable hosting platforms, including Cloudways, do not offer BAAs and are therefore not appropriate for healthcare websites that handle patient data. A great host for a standard business website is not automatically the right host for a healthcare practice.
Technical safeguards to look for
Beyond the BAA, a hosting environment appropriate for healthcare websites should include:
- Data encryption in transit and at rest — TLS (HTTPS) for data moving between browser and server, plus encryption of stored data, including backups
- Access controls — Role-based permissions limiting who can access server resources and data
- Audit logging — The ability to track who accessed what data and when
- Regular backups — Secure, recoverable backups in the event of data loss or breach
- Vulnerability management — Active patching and security monitoring
Many reputable managed hosting providers offer these features. The key is confirming that a BAA is available and that the provider understands the obligations that come with it.
HIPAA Compliance Is About Contracts, Not Just Features
Every vendor that may handle patient information requires a signed Business Associate Agreement. The chain looks like this:
- Covered entity (your healthcare practice): responsible for PHI wherever it flows.
- HIPAA-compliant host: stores your WordPress environment and all data submitted through your site. Providers like HIPAA Vault include a BAA as standard, not as an add-on or premium tier.
- Intake and contact forms: any tool collecting patient names, phone numbers, or health-related information. If a BAA is not available, limit forms to non-patient inquiries only.
- Appointment scheduling: any tool that books patient visits, including general-purpose tools used in a healthcare context. Standard Calendly does not offer a BAA; confirm availability before using it for patient scheduling.
What to Look for When Choosing a HIPAA-Compliant Host
Not every host markets itself as healthcare-specific, and that is acceptable. What matters is the combination of technical capability and contractual willingness. Here is what to evaluate:
BAA availability
Ask directly. Some enterprise-tier providers offer BAAs as part of a higher service tier. Others include them as standard. If a provider cannot clearly confirm BAA availability, that is your answer.
Managed vs. unmanaged hosting
For most healthcare practices, managed hosting is the appropriate choice. With managed hosting, the provider handles server updates, security patches, and monitoring on your behalf. Unmanaged hosting puts that responsibility on you — which is rarely realistic for a clinical practice without dedicated IT staff.
Data center location and redundancy
Your provider should be able to confirm where your data is stored and that it remains within the United States. Geographic redundancy — meaning your data is backed up across multiple locations — is a reasonable expectation at this level.
Support and incident response
In the event of a security incident, your host needs to be reachable and responsive. Look for providers with documented incident response procedures and clear communication commitments.
Purpose-built healthcare hosting providers
A number of hosting providers build specifically for healthcare use cases and include BAAs as a standard part of their offering rather than an enterprise add-on. HIPAA Vault is one example that is sized appropriately for small and independent practices — it offers managed WordPress hosting with BAA included, encrypted storage, audit logging, and support designed around healthcare compliance requirements. It is worth evaluating alongside any other providers you are considering.
Working with a web partner who understands the healthcare hosting landscape means you do not have to navigate provider selection alone. At Minnesota Web Studio, we help healthcare clients evaluate hosting options, configure the right environment, and get everything in place before a site goes live.
Scheduling Tools, Contact Forms, and the Tools Your Website Uses
Hosting is the foundation, but it is not the only piece. The tools embedded in your website — scheduling software, contact forms, intake tools — create their own compliance considerations.
Contact forms
For healthcare providers, a contact form is not a gray area. When a prospective patient submits their name and phone number through a form on a therapy or medical practice website, that information becomes Protected Health Information because of the relationship context — not because of what the form asks. The safest approaches are to use a HIPAA-compliant form solution with a BAA in place, or to limit your contact form to non-patient inquiries (general business questions, vendor contact, and similar) and direct patients to call the practice directly for anything related to appointments or care.
Online scheduling
Appointment scheduling tools vary widely in their HIPAA posture. Some platforms offer HIPAA-compliant tiers with BAAs available. Others are designed for general business use and do not offer BAAs at any level. The key question to ask of any scheduling tool: will you sign a BAA? If the answer is no, or if the provider does not clearly address this, that tool is not appropriate for patient scheduling on a healthcare website.
Is Calendly HIPAA compliant?
Calendly is one of the most widely used scheduling tools, and the question comes up often in healthcare contexts. Standard Calendly does not offer a BAA and is not designed for healthcare use. Calendly has offered HIPAA-compliant options at enterprise pricing tiers, but availability is not consistent and should be confirmed directly with Calendly before use for patient scheduling. For most independent practices, purpose-built healthcare scheduling tools are the more reliable path.
What a Compliant Healthcare Website Setup Looks Like in Practice
A HIPAA-conscious healthcare website is not a special category of site that requires a complete rebuild. It is a standard professional website built on a hosting environment and with tools that meet the requirements outlined above.
Each component plays a distinct role; compliance requires the full stack, not just one piece.
- HIPAA-compliant hosting: managed hosting built for healthcare, with encrypted storage, audit logging, regular backups, and documented incident response. Purpose-built providers such as HIPAA Vault offer BAAs as a standard part of the service, not an add-on.
- WordPress CMS: custom theme with ACF-based content management. All content and submitted data stays within the compliant hosting environment and is not sent to third-party services by default. Any analytics, chat, or tag-manager script you add to patient-facing pages is a third party that receives page data, and it needs the same BAA review as a form vendor.
- Compliant forms: form solutions with a signed BAA, or contact forms limited to non-patient inquiries only.
- Compliant scheduling: a healthcare-specific scheduling tool, or a general platform whose HIPAA-compliant tier has been confirmed and whose BAA has been obtained.
- SSL/TLS certificate (HTTPS): active on every page, not just login areas, with plain-HTTP requests redirected to HTTPS. Encrypts data in transit between visitor and server.
- Privacy policy: updated to accurately reflect how web-collected information is handled, stored, and protected.
None of this requires enterprise-level infrastructure or a dedicated IT team. It requires the right hosting environment, the right tools, and a web partner who understands the difference — and can help you navigate the setup.
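The checks above (where each form sends its data, which third parties load on patient-facing pages, and whether HTTPS is enforced everywhere) can be reviewed mechanically before a site goes live. The following is an added example written for this page, not code from the original post, from Minnesota Web Studio, or from any hosting or scheduling vendor named here. It uses only the Python standard library. The page URL, hostnames, and HTML are constructed for illustration; the live `probe_transport` helper is the only part that touches the network.

```python
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


@dataclass
class PageAudit:
    page_url: str
    form_targets: list = field(default_factory=list)       # (absolute action URL, method)
    third_party_hosts: list = field(default_factory=list)  # hosts of external scripts and iframes
    findings: list = field(default_factory=list)           # human-readable issues to review


class _Collector(HTMLParser):
    """Collects form actions and external script/iframe sources, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []   # (action, method)
        self.embeds = []  # script/iframe src URLs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self.forms.append((action, (a.get("method") or "get").lower()))
        elif tag in ("script", "iframe") and a.get("src"):
            self.embeds.append(urljoin(self.page_url, a["src"]))


def _host(url):
    return (urlparse(url).hostname or "").lower()


def audit_page(page_url, html):
    """Report forms that leave the compliant environment or would put field values into URLs
    and logs, and every external host whose script or iframe runs on the page."""
    own_host = _host(page_url)
    collector = _Collector(page_url)
    collector.feed(html)
    audit = PageAudit(page_url)
    for action, method in collector.forms:
        audit.form_targets.append((action, method))
        target = _host(action)
        if urlparse(action).scheme != "https":
            audit.findings.append(f"form posts without TLS: {action}")
        if target and target != own_host:
            audit.findings.append(
                f"form submits to third-party host {target}: a BAA is required, "
                "or restrict this form to non-patient inquiries")
        if method == "get":
            # GET puts every field into the query string, which ends up in server, proxy
            # and CDN access logs and in Referer headers sent to the next page's scripts.
            audit.findings.append(f"form uses GET, so submitted values land in URLs and logs: {action}")
    for src in collector.embeds:
        host = _host(src)
        if host and host != own_host and host not in audit.third_party_hosts:
            audit.third_party_hosts.append(host)
    for host in audit.third_party_hosts:
        audit.findings.append(
            f"third-party script or embed from {host} runs on this page: confirm a BAA "
            "with that vendor or keep it off pages patients use")
    return audit


def assess_transport(status, headers, final_url):
    """Judge the result of fetching the plain-http:// form of a page: it should redirect to
    https:// and the HTTPS response should carry HSTS. Pure function, so it can run offline."""
    h = {k.lower(): v for k, v in headers.items()}
    issues = []
    if urlparse(final_url).scheme != "https":
        issues.append(f"plain HTTP is served without a redirect to HTTPS: {final_url}")
    if "strict-transport-security" not in h:
        issues.append("no Strict-Transport-Security header, so browsers may still try plain HTTP")
    if status != 200:
        issues.append(f"unexpected final status {status}")
    return issues


def probe_transport(page_url, timeout=10):
    """Live version of assess_transport (needs network): follows redirects from the http:// URL."""
    import urllib.request
    http_url = "http://" + page_url.split("://", 1)[-1]
    with urllib.request.urlopen(http_url, timeout=timeout) as resp:
        return assess_transport(resp.status, dict(resp.headers.items()), resp.geturl())


# Constructed sample page with hypothetical hostnames (not a real practice or vendor).
SAMPLE_URL = "https://example-practice.test/contact"
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<form action="/contact" method="post"><input name="name"><input name="phone"></form>
<form action="https://forms.example-vendor.test/submit" method="post"><input name="name"></form>
<form method="get"><input name="q"></form>
<iframe src="https://scheduler.example-vendor.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    result = audit_page(SAMPLE_URL, SAMPLE_HTML)
    for finding in result.findings:
        print("-", finding)
    for issue in assess_transport(200, {}, "http://example-practice.test/contact"):
        print("-", issue)
```

Run against the constructed sample, the audit flags the form that posts to the vendor host, the GET form, and the two external embeds, while the first form (same host, HTTPS, POST) passes. The GET check is worth keeping even on a compliant host: a name and phone number in a query string are written to access logs that are usually retained far longer, and with far less access control, than the form submissions themselves. `assess_transport` is kept separate from the network fetch so the decision logic can be exercised offline; run `probe_transport` against each real page URL to confirm the redirect and HSTS header in production.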
At Minnesota Web Studio, we build websites for healthcare providers with an understanding of what that context actually requires. That includes helping clients evaluate and configure HIPAA-compliant hosting, identify appropriate scheduling and form solutions, and get everything in place before the site goes live. If you are starting a new practice website or want to know where your current setup stands, reach out for a free consultation. We are happy to start with a review of what you have now.
References
- U.S. Department of Health & Human Services, "Summary of the HIPAA Security Rule": https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- U.S. Department of Health & Human Services Office for Civil Rights, "HIPAA Privacy Rule and Sharing Information Related to Mental Health": https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf
- U.S. Department of Health & Human Services, "Summary of the HIPAA Privacy Rule": https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
- U.S. Department of Health & Human Services, "Business Associate Contracts": https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
- HHS Office for Civil Rights, "Guidance on HIPAA and Cloud Computing": https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html
Frequently Asked Questions
Does a contact form on a healthcare website need to be HIPAA compliant?
Yes, if your practice is a HIPAA covered entity. A name and phone number submitted through a contact form on a healthcare provider's website becomes Protected Health Information because of the relationship context, not the content of what was entered. Using a HIPAA-compliant form solution with a BAA, or limiting your contact form to non-patient inquiries, are the two compliant approaches.
What is a Business Associate Agreement (BAA)?
A BAA is a contract between a covered healthcare entity and a vendor who may handle protected health information on its behalf. For web hosting, it means your host is contractually bound to HIPAA obligations. A host that will not sign a BAA is not appropriate for a healthcare website that handles patient data, regardless of how capable that host is for other use cases.
Can a WordPress website be HIPAA compliant?
Yes, with the right hosting setup. WordPress itself is a content management system; compliance depends on where it is hosted and what tools are connected to it. A managed WordPress environment on a purpose-built healthcare hosting provider that offers BAAs and appropriate security controls can meet HIPAA requirements for most small practices.
Are Squarespace or Wix HIPAA compliant?
Neither Squarespace nor Wix currently offers Business Associate Agreements or positions itself as a HIPAA-compliant hosting solution. Healthcare providers who need compliant hosting are generally better served by managed WordPress hosting on a provider built specifically for healthcare use.
How do I know whether my current website is compliant?
Start by reviewing three things: whether your hosting provider will sign a BAA, whether any forms or scheduling tools on your site handle patient information without a BAA in place, and whether HTTPS is active on every page of the site. If any of these are uncertain, a conversation with a healthcare-focused web partner is a practical first step.