HIPAA and Therapist Websites: What You Need to Know
If you’re a therapist building your private practice online, you’ve probably heard the scary whispers: “Your website has to be HIPAA compliant or you’ll get fined into oblivion.”
Cue panic.
What does that even mean? Does HIPAA apply to therapists? And is your Squarespace site secretly breaking the law just by existing?
Take a breath. You don’t need a law degree to figure this out. You just need some clear answers, a few smart tools, and the right approach to HIPAA compliant website design.
This post will walk you through it — in plain English.
What is HIPAA (and Does It Apply to Therapists)?
HIPAA stands for the Health Insurance Portability and Accountability Act. It’s a U.S. law that protects “Protected Health Information” (PHI).
PHI includes things like:
Names, addresses, phone numbers
Health conditions, treatment details
Any info that could identify a client in connection with their care
So yes — if you’re a therapist in the U.S., HIPAA applies to you.
But here’s the key: your website only falls under HIPAA if it collects, stores, or transmits PHI.
A static “brochure” site with no forms? → You’re safe.
A site with a contact form, intake form, or scheduling tool? → You need to think HIPAA.
HIPAA Website Requirements (in Plain English)
One of the top search queries therapists type in is “HIPAA website requirements.” Let’s simplify.
Here’s what you need for your website to even be in the ballpark:
✅ SSL/TLS Encryption (HTTPS) → protects info as it’s transmitted between the visitor’s browser and your site
✅ HIPAA-Compliant Hosting / Tools → vendors must sign a BAA (Business Associate Agreement)
✅ Secure Forms → no regular Squarespace or Google Forms for PHI
✅ Encrypted Email → Gmail/Outlook ≠ HIPAA compliant
✅ Privacy Policy + Disclaimer → let visitors know how their info is used
✅ Access Control → only authorized people can access client info
Translation: you don’t have to rebuild your site from scratch — but you do need to handle data carefully.
Common Therapist Website Features That May Break HIPAA
This is where most therapists get tripped up. Some everyday website features can put you out of compliance:
Contact Forms: Native Squarespace forms are not HIPAA compliant.
Email Links: If your “Contact Me” button just opens Gmail, you’re not compliant.
Live Chat Widgets: Most standard chat tools store messages insecurely.
Scheduling Tools: Only HIPAA-compliant systems like SimplePractice or TherapyNotes should handle booking.
Client Portals: Must be password-protected + encrypted.
THE TAKEAWAY: it’s not your website design that’s risky. It’s what happens when sensitive info moves through it.
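To make that list concrete, here is an added example (not code from the original post, and not tied to any vendor named above) that scans a page’s HTML offline for the features just described: native forms with no external action, form fields that ask for health details, mailto: contact links, scripts that look like a live-chat widget, and any plain http:// resource. The sample page, the keyword lists and the “looks like a chat widget” heuristic are constructed assumptions for the demonstration, not a HIPAA standard.

```python
"""Offline audit of a therapy-site HTML page for the risky features listed above.

Added example, not part of the original post. Standard library only.
The keyword lists below are assumptions; adjust them for your own site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names/placeholders that suggest a form asks for health details (assumed list).
SENSITIVE_FIELD_WORDS = ("diagnos", "symptom", "medication", "treatment", "condition")
# Script sources that usually mean an embedded live-chat tool (assumed heuristic).
CHAT_HINTS = ("chat", "messenger", "intercom", "tawk", "drift")

# Plain-English reason for each finding kind, taken from the points above.
REASONS = {
    "native-form": "form submits to the site itself, so submissions are stored by the site builder",
    "insecure-form-action": "form posts over an unencrypted URL",
    "sensitive-field": "form field asks for diagnosis/treatment details",
    "mailto-link": "contact link opens the visitor's regular email client",
    "chat-widget": "script looks like a live-chat widget that may store messages insecurely",
    "plain-http": "resource loaded over http://, so the page is not fully encrypted",
}


class SiteAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # list of (kind, detail) tuples
        self._form_action = None  # action of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = (a.get("action") or "").strip()
            self._form_action = action
            scheme = urlparse(action).scheme
            if not scheme:
                # No absolute action: the site's own (native) form handler keeps the data.
                self.findings.append(("native-form", action or "(no action)"))
            elif scheme != "https":
                self.findings.append(("insecure-form-action", action))
        elif tag in ("input", "textarea", "select") and self._form_action is not None:
            label = " ".join(filter(None, (a.get("name"), a.get("placeholder"), a.get("id")))).lower()
            if any(w in label for w in SENSITIVE_FIELD_WORDS):
                self.findings.append(("sensitive-field", label))
        elif tag == "a":
            href = (a.get("href") or "").strip()
            if href.lower().startswith("mailto:"):
                self.findings.append(("mailto-link", href))
        elif tag == "script":
            src = (a.get("src") or "").strip()
            if src and any(h in src.lower() for h in CHAT_HINTS):
                self.findings.append(("chat-widget", src))
        # Any http:// script, image, stylesheet or link breaks the "everything over HTTPS" rule.
        for attr in ("src", "href"):
            value = (a.get(attr) or "").strip()
            if value.lower().startswith("http://"):
                self.findings.append(("plain-http", value))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_html(html: str):
    """Return a list of (kind, detail) findings for one HTML document."""
    parser = SiteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def report(findings):
    """Turn findings into readable lines, one per issue."""
    return [f"{kind}: {REASONS[kind]} [{detail}]" for kind, detail in findings]


# Constructed sample page mixing safe and risky patterns (example domains only).
SAMPLE_PAGE = """
<html><body>
<a href="mailto:hello@example-practice.test">Contact Me</a>
<form method="post">
  <input name="name" placeholder="Your name">
  <textarea name="message" placeholder="Describe your symptoms"></textarea>
</form>
<form action="https://forms.example-vendor.test/intake" method="post">
  <input name="email">
</form>
<script src="http://cdn.example-chat.test/widget.js"></script>
<img src="https://static.example-practice.test/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for line in report(audit_html(SAMPLE_PAGE)):
        print(line)
```

Run it on a saved copy of your own page source; a clean result means none of the patterns above were found, not that a vendor is HIPAA compliant, which still comes down to encryption in transit and at rest plus a signed BAA.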
Squarespace and HIPAA: What’s Possible (and What’s Not)
Let’s clear up a big one: Squarespace is not HIPAA compliant out of the box.
You cannot store PHI inside Squarespace (like form submissions).
You should not rely on Squarespace’s built-in email forms.
But… you can absolutely use Squarespace for your HIPAA compliant website design.
Here’s how:
Use Squarespace for the look, feel, and branding of your site.
Integrate third-party HIPAA-compliant tools for the sensitive stuff:
Forms: Hushmail, Jotform HIPAA, FormDr
Scheduling: SimplePractice, TherapyNotes
Secure messaging: Spruce Health
Add disclaimers: “Please do not submit personal health information through this form.”
That way, your Squarespace site looks beautiful, but the PHI is handled safely elsewhere.
Best Practices for HIPAA Compliant Website Design
Here’s how to make your therapy site safe and effective:
Keep forms minimal → don’t ask for diagnosis details or treatment history.
Always use SSL → your site should show “https://.”
Use trusted vendors → only ones that provide BAAs.
Post a privacy policy → transparency builds trust.
Brand with warmth → compliance doesn’t mean sterile. Your site should still feel safe, welcoming, and “you.”
Balancing HIPAA and Client Experience
One fear I hear from therapists: “If I make everything HIPAA-compliant, my website will feel cold and corporate.”
Not true.
You can have a warm, calming site that:
Uses gentle colors + fonts that put clients at ease
Shares your story and approach in your own words
Offers resources (blogs, downloads) without touching PHI
Still plugs in secure tools where needed
Example: My Aurora Squarespace therapy template is designed with therapists in mind. It gives you all the calming, professional design you want — and it’s flexible enough to integrate HIPAA-compliant tools for forms and scheduling.
Conclusion: You Don’t Need to Panic
HIPAA compliance isn’t about making your website scary or sterile. It’s about protecting sensitive info while still letting your personality shine.
Here’s the truth:
Psychology Today can get you seen.
Your website (done right) builds trust, connection, and compliance.
If you’re ready to create a safe, welcoming, HIPAA-compliant website design, I’ve put together a guide with the best Squarespace therapy templates — including ones (like Aurora) built to make compliance easy.
Because your clients deserve more than a cookie-cutter profile. And you deserve a website that feels like home.
Check my website templates for therapists!
HIPAA & Therapist Websites - FAQs
- Yes. If you’re a therapist in the U.S. and you handle protected health information (PHI), you must comply with HIPAA — even if you’re a solo private practice.
- A HIPAA-compliant website must use secure, encrypted tools for collecting or transmitting PHI (like intake forms or scheduling), have a valid SSL certificate (HTTPS), and ensure any third-party vendors sign a Business Associate Agreement (BAA).
- Standard Gmail and Outlook accounts don’t offer the security measures required for HIPAA, such as end-to-end encryption, audit logs, and BAAs. While Google and Microsoft do offer HIPAA-compliant versions (G Suite/Google Workspace with a BAA, or Microsoft 365 with a BAA), the free consumer accounts are not compliant.
- No. Squarespace by itself is not HIPAA compliant and shouldn’t be used to collect PHI via built-in forms. However, you can still design your site on Squarespace and integrate HIPAA-compliant third-party tools (like Hushmail, Jotform HIPAA, or SimplePractice) for forms and scheduling.
- Not always. If your site is purely informational (no forms, no scheduling, no data collection), HIPAA compliance doesn’t apply. But the moment you start collecting client info, you need HIPAA-compliant tools in place.
- The design can look the same — the difference is in how sensitive data is handled behind the scenes. A HIPAA-compliant website uses secure hosting, encrypted forms, BAAs with vendors, and clear privacy policies to protect client information.
- No. A disclaimer like “Don’t submit personal health info here” helps, but it’s not enough if your form or email could still collect PHI. True compliance requires secure systems and agreements with vendors.
- Costs vary depending on the tools you use. Adding HIPAA-compliant forms or email services (like Hushmail or FormDr) often starts around $10–50/month. It’s an investment, but far less costly than fines or lost trust.