Is Squarespace HIPAA Compliant? How to Build a Safe Therapy Website
If you’re a therapist, coach, or wellness practitioner, you probably love Squarespace: it’s sleek, easy to use, and makes your brand look polished. But here’s the million-dollar question: is Squarespace HIPAA compliant?
The short answer: No, not on its own.
Squarespace does not sign Business Associate Agreements (BAAs), and its built-in forms and email handling don’t meet HIPAA standards for handling protected health information (PHI).
That doesn’t mean you can’t use Squarespace. It just means you need to set it up carefully — and integrate HIPAA-safe tools for anything involving client data.
Table of Contents
Why Squarespace Isn’t HIPAA Compliant by Default
At first glance, Squarespace looks like a dream: SSL certificates, secure hosting, clean design. But HIPAA compliance requires more than encryption — it demands strict control over how client data is transmitted, stored, and accessed.
No BAA: Squarespace won’t sign a Business Associate Agreement, which is required for any vendor handling PHI. That means you can still use it for your marketing site, but never for sensitive client information.
Native Forms Are Not Secure: The default form block sends submissions via email (like Gmail/Outlook), which is not encrypted to HIPAA standards.
Email Forwarding: Even if you collect info through forms, the data gets routed through non-compliant systems.
So: Squarespace = beautiful for branding, design, SEO. But for intake, scheduling, messaging, or forms? You need outside help.
HIPAA-Compliant Tools You Can Integrate With Squarespace
Here’s the good news: Squarespace doesn’t have to go. You just need to “bolt on” HIPAA-compliant tools that do the heavy lifting for secure forms, scheduling, and communication.
By embedding third-party tools into your Squarespace site, you keep the beautiful design and branding you love, while ensuring client data is handled correctly. Think of Squarespace as the storefront — and these integrations as the locked filing cabinet inside.
🔒 Secure Forms
Instead of the built-in form block, use:
Hushmail for Healthcare → encrypted contact + intake forms, easy embed.
Jotform HIPAA → drag-and-drop form builder with HIPAA plan, embeddable in Squarespace.
FormDr → healthcare-focused HIPAA forms, including patient intake, consent forms, etc.
📅 HIPAA-Compliant Scheduling
Skip the native scheduling integrations (like Acuity, unless HIPAA plan is available). Use:
SimplePractice → practice management + scheduling, embeddable on your Squarespace site.
TherapyNotes → scheduling and EHR with HIPAA compliance.
TheraNest → another option for HIPAA-compliant booking + client management.
📧 Secure Messaging & Email
Forget Gmail/Outlook free accounts. For HIPAA-compliant communication:
Hushmail → encrypted email for healthcare providers.
Paubox → HIPAA-compliant email service that looks like normal email but encrypts automatically.
Google Workspace or Microsoft 365 with BAA → only the business versions with a signed BAA can be HIPAA-compliant.
🌐 Other Helpful Integrations
Telehealth / Video: Zoom for Healthcare (HIPAA plan), Doxy.me (professional plan).
File Sharing: Dropbox Business or Google Drive Business with BAAs signed.
Best Practices for Using Squarespace Safely with HIPAA
Even with HIPAA-compliant integrations, the way you structure your site matters. Compliance isn’t just about the tools — it’s also about minimizing risk.
Never use the built-in form block for PHI.
Embed HIPAA-compliant forms and scheduling tools.
Add a disclaimer: “Please do not submit personal health information through this form.”
Keep your site SSL-enabled (HTTPS) — Squarespace includes this by default.
Ask vendors for BAAs — if they store or process PHI, they must sign one.
Collect only what’s necessary — don’t ask for diagnoses or treatment history online.
The Bottom Line
Squarespace itself is not HIPAA compliant. But with the right integrations — Hushmail, Jotform HIPAA, FormDr, SimplePractice, TherapyNotes, Paubox — you can safely use it as your practice website while keeping client information protected.
Think of it this way: Squarespace handles your public face (branding, blog, SEO, marketing), while specialized HIPAA-compliant tools handle the sensitive client data.
That balance gives you the best of both worlds: a professional, modern site that feels like you — and the peace of mind that you’re not accidentally putting client privacy (or your license) at risk.
Looking for a professional, therapist-friendly design that works with HIPAA tools?
👉 Check out my Squarespace templates for therapists
Is Squarespace HIPAA Compliant? - FAQs
-
No. Squarespace does not sign Business Associate Agreements (BAAs), and its built-in forms and email handling are not secure enough for Protected Health Information (PHI).
-
No. The native Squarespace form block sends submissions via email, which is not HIPAA compliant. To collect client information safely, you need to embed HIPAA-compliant tools like Hushmail, Jotform HIPAA, or FormDr.
-
Yes — as long as you don’t use it to directly handle PHI. Many therapists use Squarespace for their public-facing website (branding, blogging, SEO) and integrate HIPAA-compliant tools for forms, scheduling, and messaging.
-
You can make Squarespace safer by:
Embedding HIPAA-compliant forms (Hushmail, Jotform HIPAA, FormDr)
Using HIPAA-ready scheduling systems (SimplePractice, TherapyNotes)
Switching to HIPAA-compliant email (Hushmail, Paubox, or Google Workspace w/ BAA)
Adding disclaimers and limiting what you collect online
-
No. Squarespace doesn’t currently offer a HIPAA-compliant hosting tier or BAA. You’ll need to combine Squarespace with third-party HIPAA-ready tools to stay compliant.
-
Collecting PHI through Squarespace’s native forms or email could put you in violation of HIPAA. Risks include client privacy breaches, fines, and professional liability.
