top of page

What Therapists Need to Know About Web & Online HIPAA Compliance

  • Writer: Shayah Reed, Founder
    Shayah Reed, Founder
  • 2 days ago
  • 7 min read

Does your website's contact form ask what someone hopes to work on in therapy? That single question could be collecting protected health information, whether you meant it to or not.


For many therapists, HIPAA feels like something that lives in the therapy room, not on the website. But HIPAA compliance for therapists goes further than clinical paperwork on confidentiality. Your online presence, from contact forms to emails to appointment reminders, all play a bigger role in therapist HIPAA compliance than most practitioners realize.


In this blog post, we’ll break down what HIPAA compliant websites require, where the highest-risk areas tend to hide, and what small, intentional changes can protect both your clients and your practice.


A quick note before we get started: this article offers general guidance on web-related HIPAA considerations. It is not legal advice. For guidance specific to your practice, we recommend consulting a healthcare attorney or compliance specialist.


What Therapists Need to Know About Web & Online HIPAA Compliance

Does HIPAA Apply to Your Therapy Website? 


Yes, if your website collects any health-related information from clients, HIPAA rules likely apply to how that data is handled.


Most therapists think of HIPAA as a clinical requirement, something that governs session notes and treatment records. But HIPAA also applies to protected health information (PHI) that's created, received, or transmitted electronically, and that includes your website.


If you accept insurance, use an electronic health record, or bill through a clearinghouse, you're almost certainly considered a covered entity under HIPAA. That means your website, intake forms, scheduling tools, and email fall under the same privacy and security standards as your in-office paperwork.


Even solo practitioners who are private-pay only should approach their website with the same care. Clients trust you with sensitive information the moment they fill out a form, and that trust is part of your brand, not separate from it.


Does HIPAA Apply If You're a Solo, Private-Pay Therapist? 


It depends on how your practice operates, but many private-pay therapists still choose to meet HIPAA-level standards to protect client trust.


Technically, HIPAA applies to "covered entities," which includes providers who bill insurance electronically. If you're strictly private-pay and don't submit electronic claims, you may fall outside HIPAA's formal requirements.


That said, most state licensing boards and professional ethics codes still expect therapists to safeguard client confidentiality online, insurance or not. 


From a trust standpoint, clients don't distinguish between "technically required" and "the right thing to do." A website that protects their information, regardless of your billing structure, reflects the same intentional care you bring to your work with them.


What Counts as Protected Health Information Online?


PHI includes names, contact details, and health information linked together, such as an intake form listing someone's therapy goals or diagnosis.


Not every piece of information collected through your website counts as PHI. For example, a general "I'd like more information" submission with just a name and email usually isn't protected health information on its own. The risk increases once identifying details are paired with anything clinical. 


Here are a few examples:

  • A contact form that asks what someone wants to work on in therapy

  • An appointment request that includes a reason for the visit

  • Insurance information submitted through an online form

  • Any note referencing a diagnosis, symptoms, or treatment history


The moment personal identifiers and clinical detail live in the same form submission, that data should be treated as protected.


Is Your Website's Contact Form HIPAA Compliant?


Most standard website contact forms aren't HIPAA compliant by default, though Wix now offers a HIPAA compliance feature you can activate.


Most website builders are designed for marketing and lead generation first, so their default, out-of-the-box forms aren't built to encrypt or restrict access to sensitive health data. 


Wix has recently introduced a HIPAA compliance feature that changes this (more on that shortly), but it has to be actively turned on and paired with an eligible plan. Until it is, your standard contact form should be treated as public-facing, not clinical.


That doesn't mean your website can't have a contact form. It means the form should be designed with intention. Keep your public-facing form simple: name, email, phone number, and a general inquiry field. Save anything clinical, like intake questionnaires or symptom checklists, for a form built on a properly activated HIPAA-compliant platform.


The safest approach is to keep your website's contact form general, and route anything clinical to a dedicated, HIPAA-compliant intake system.


How Does HIPAA Apply to Email and Online Communication?


Standard email isn't encrypted by default, so exchanging clinical details over email can put your practice out of compliance with HIPAA.


Email feels casual, but it's one of the higher-risk areas of a therapist's online presence.


For example, even a quick note confirming "see you Thursday for our EMDR session" contains PHI the moment it's tied to a client's name. If that email isn't sent through an encrypted, HIPAA-compliant system, it's a compliance gap.


The same goes for automated appointment reminders and confirmation emails. Keeping these generic by including something like "You have an upcoming appointment" is safer than including the reason for the visit or type of session.


For anything more detailed, whether that's session notes, treatment plans, or clinical questions, a secure client portal or HIPAA-compliant email service is worth the investment.


That covers one-to-one communication with clients. If you're also sending newsletters or marketing emails to your patient list, our blog post Benefits of Email Marketing For Your Clinic & How to Follow HIPAA/PHIPA Compliance walks through those rules separately. 


Does Wix Support HIPAA Compliance for Therapist Websites?


Yes, Wix now offers a HIPAA compliance feature, including PHI protection and a signed Business Associate Agreement (BAA) for eligible plans.


More website builders are recognizing that HIPAA compliant websites are essential for health and wellness providers, and this is a meaningful shift for therapists building on Wix. 


Through the Compliance, Privacy & Cookies settings, eligible Premium and Studio plans can activate PHI protection, which encrypts protected health information collected through forms, bookings, and client messages, and flags any apps or integrations that aren't compliant. Once activated, you can request a signed BAA directly with Wix.


Activating HIPAA compliance on Wix is a meaningful step, but it works best as one part of a broader, intentional approach to how your website handles client data, rather than a single box to check. Your plan tier matters, and any third-party apps connected to your site need to be reviewed for compliance too.


Text Reminders, Chatbots, and Booking Widgets 


Any tool that sends or stores client information, including text reminders and chat widgets, should be reviewed for HIPAA compliance first.


It's easy to overlook these smaller tools. A booking widget, an SMS reminder service, or a website chatbot can all feel like simple conveniences, but each one is a place where client information passes through a third party. 


Before adding any of these to your site, ask the provider directly whether they're willing to sign a BAA and how they handle data encryption.


If a tool can't answer that clearly, it's worth pausing before you connect it to your website, even if it seems like a small addition. And if your booking flow already feels clunky for reasons that have nothing to do with compliance, our blog post Does Your Website Have Booking Roadblocks? 5 Easy Ways to Increase Conversion & Bookings is worth a look too. 


How To Make Your Website More HIPAA Compliant


Small, intentional changes, like limiting form fields, using secure booking tools, and encrypting email, go a long way toward compliance.


Here are a few places to start:

  • Limit your public contact form to general inquiries, not clinical detail

  • Route intake paperwork and clinical questions to a HIPAA-compliant platform

  • Choose scheduling and booking tools built with healthcare providers in mind

  • Encrypt email communication, or move sensitive conversations to a secure client portal

  • Update your website's privacy policy to reflect how client information is collected and stored

  • Review analytics and marketing tools, like tracking pixels, for anything that could expose PHI

  • Sign a Business Associate Agreement with any vendor that touches client data


What Happens if Your Practice Isn't HIPAA Compliant?


Non-compliance can lead to fines, breach investigations, and a loss of client trust, but most gaps are fixable with the right adjustments.


Most therapists aren't intentionally out of compliance, they just haven't yet looked at their website through this lens. The good news is that most fixes, like adjusting a form or updating a privacy policy, are straightforward once you know where to look.


Beyond the legal risk, there's a relational one. Clients are trusting you with real, personal information before they ever sit down in your office. A website that handles that information with care reflects the same safe space you create in session.


It's also worth remembering that compliance isn't a one-time task. As you add new tools, forms, or scheduling apps to your website, it's worth revisiting your setup to make sure everything connected to your site still meets the same standard.


HIPAA Compliance for Therapists: Building a Website That's Aligned and Protected


Your website should feel like an extension of the care you provide in the room: thoughtful, individualized, and safe. 


HIPAA compliance isn't separate from that mission. It's part of it. Protecting client information online is mindful marketing in action, one more way you show clients they matter before they ever walk through your door.


If auditing your forms, email, and booking tools feels like one more thing on an already full plate, then you’re in the right place. Schedule your free Discovery Call with Virtuwell Balance and we'll help you build a website that's aligned with both your values and your compliance responsibilities.


Shayah Reed

Virtuwell Balance Founder



HIPAA for therapy website and marketing

The Mindful Marketer is our WEEKLY RESOURCE for Therapists and Health Practitioners who are seeking genuine yet effective ways to market their business.


If you're ready to transform your marketing approach to align with your values and join thousands of like-minded practitioners who are learning to market their business in a way that FEELS GOOD, click here to join us!


bottom of page