Salomon Web Services

HIPAA-Compliant Websites: What Every US Clinic Owner Must Know in 2026

Most clinic websites in the US that ask any patient for contact information are violating HIPAA, and most owners have no idea. The Office for Civil Rights has issued fines from $40,000 to $1.5 million per incident over the last five years for exactly this. The frustrating part is that fixing it is straightforward when you know what to look for. This article covers what HIPAA compliance for a clinic website actually requires in 2026, without the consultant jargon.

Medical professional reviewing patient information on a secure tablet at a clinic

HIPAA is the law that scares clinic owners the most and is applied correctly the least. Walk into any independent clinic in the US and ask the owner whether their website is HIPAA-compliant, and you will get one of three answers. “Yes, my web guy said so.” “I think so.” “Probably not, but no one has complained.”

All three are dangerous. HIPAA enforcement does not require a patient complaint. The Office for Civil Rights routinely audits and fines clinics whose websites collect protected health information without the safeguards the law requires. The fines start at $100 per violation and go up to $1.5 million per year per type of violation. A single sloppy contact form has cost clinics in the six figures.

This article is not legal advice. It is a practical breakdown of what a clinic owner needs to verify, what to fix immediately, and what is OK as is. Get this right and you sleep at night.

What HIPAA actually says about websites

HIPAA, the Health Insurance Portability and Accountability Act, has two main rules that apply to clinic websites:

The Privacy Rule. This governs how Protected Health Information (PHI) can be used and disclosed. PHI is any individually identifiable health information, including the fact that someone is your patient.

The Security Rule. This governs the technical and administrative safeguards required when PHI is stored or transmitted electronically. It applies to anything digital.

A clinic website becomes subject to both rules the moment it does any of the following:

If your website does none of these things, you are probably fine. If it does any of them, you have HIPAA obligations whether you realize it or not.

The contact form is the single biggest violation source

This is where most clinics fail without knowing it. The classic clinic contact form asks for name, email, phone, and “reason for visit”. The reason for visit is the problem.

The moment a patient types “I need to see a doctor about migraines” or “I had a procedure last month and have questions” or even “follow-up appointment”, that text becomes PHI under HIPAA. It is individually identifiable health information transmitted electronically. The form is now subject to the Security Rule.

What the Security Rule requires for that form to be compliant:

What most clinics actually have:

This is a textbook HIPAA violation. It has been the subject of multiple six-figure OCR fines. The fix is straightforward but requires actually doing it.

What a compliant intake flow looks like

A clinic website that is doing this right has the following:

1. A form hosted on infrastructure with a signed BAA. Major options include Jotform Healthcare, Formstack, MD Webmail, or custom infrastructure hosted on AWS or Azure with their healthcare BAAs. Free services like Google Forms and basic Mailchimp do not offer BAAs and cannot be used for any form that may receive PHI.

2. End-to-end encryption from browser to storage. TLS in transit, AES-256 at rest. This is now standard on any HIPAA-compliant hosting, but verify it.

3. No submission via standard email. The form submission writes to a database or secure inbox that staff access through an authenticated portal, not to a regular Gmail inbox. If you must email it, use a HIPAA-compliant email service (Paubox, Virtru, or similar) that encrypts the email itself.

4. Audit logging. Every time a staff member opens a submission, the system logs who did it and when. This is required by the Security Rule and most clinics ignore it.

5. Individual logins for every staff member who can see PHI. Shared logins are a violation. Each person has their own credentials so the audit log shows who saw what.

6. A patient privacy notice on the form. The form must inform the patient that their information is being collected, what it will be used for, and link to the clinic’s Notice of Privacy Practices.
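To make points 3 to 5 concrete, here is an added example (not code from the article or from any vendor it names): a minimal intake-submission store in which the "reason for visit" field is written to a datastore rather than a mailbox, only named individual staff accounts can read it, and every read attempt is appended to an audit log before any data is returned. Encryption at rest and the hosting BAA are assumed to be handled by the platform underneath this code; the staff account names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditEvent:
    user: str           # individual account that acted (never a shared login)
    action: str         # "submit", "read" or "denied"
    submission_id: int
    at: str             # UTC timestamp, ISO 8601


class IntakeStore:
    """Holds intake-form submissions and an append-only access audit log."""

    def __init__(self, staff_accounts):
        # One human per login: the audit log is only meaningful if every
        # account maps to exactly one person (point 5 above).
        self._staff = set(staff_accounts)
        self._submissions = {}
        self._next_id = 1
        self.audit_log = []          # nothing in this class ever removes entries

    def submit(self, name, email, reason_for_visit):
        # Free-text "reason for visit" is PHI: it is stored here, not emailed.
        sid = self._next_id
        self._next_id += 1
        self._submissions[sid] = {"name": name, "email": email,
                                  "reason": reason_for_visit}
        self._record("patient", "submit", sid)
        return sid

    def read(self, user, sid):
        # Unknown or shared accounts are refused, and the refusal is logged too.
        if user not in self._staff:
            self._record(user, "denied", sid)
            raise PermissionError(f"{user!r} is not an individual staff account")
        if sid not in self._submissions:
            raise KeyError(sid)
        self._record(user, "read", sid)      # log who opened it, and when
        return dict(self._submissions[sid])  # copy, so callers cannot mutate the store

    def who_accessed(self, sid):
        """Answer the auditor's question: which staff actually viewed this submission?"""
        return [e.user for e in self.audit_log
                if e.submission_id == sid and e.action == "read"]

    def _record(self, user, action, sid):
        now = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(user, action, sid, now))
```

In a real deployment the audit log would live in storage the staff accounts cannot edit, and `staff_accounts` would come from the portal's identity provider rather than a list.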

The “we just use email” problem

Most independent clinics in the US receive patient information through standard email channels every week. Patient calls, leaves a message, staff replies by email with appointment details. Patient sends a photo of a rash via SMS to ask if they need to come in. Doctor emails a follow-up note to a patient.

All of this is a HIPAA violation unless the email channel is HIPAA-compliant. Standard Gmail, Outlook, Yahoo Mail, and basic Office 365 are not. Even Google Workspace Business is not, unless the clinic has signed a BAA with Google AND enabled the BAA-eligible services AND restricted PHI to those services.

The realistic fix:

This is not optional. Email-related HIPAA violations are the most common source of OCR fines.

What about chatbots and AI assistants?

This is the newest frontier of HIPAA confusion. Many clinic websites now use chatbots or AI assistants to help patients schedule appointments or answer common questions.

If the chatbot discusses anything health-related (symptoms, conditions, medications, appointments for specific issues), it processes PHI. The same rules apply:

Most consumer chatbot platforms are not HIPAA-eligible. OpenAI does offer a BAA for ChatGPT Enterprise as of 2024, but the standard ChatGPT API does not include one. Anthropic offers BAAs for healthcare use of Claude. Custom-built AI agents using these APIs can be HIPAA-compliant if configured correctly.

Generic website chatbots that route through unregulated platforms are a violation waiting to happen.

What HIPAA does NOT require for clinic websites

It is worth being clear about what HIPAA does not require, because some web designers over-engineer in ways that hurt the patient experience without adding compliance value.

A HIPAA-compliant clinic website can be just as warm, fast, and beautiful as any other website. The compliance lives in the back end and in specific forms, not in the user experience.

The 5 things every clinic should verify this month

If you are running a clinic in the US and the last time you thought about HIPAA was when you signed your hosting contract, here is the checklist:

1. Audit every form on your website. Make a list of every form. For each one, ask: does this collect anything health-related? Does the submission go to standard email? Is the host on a BAA?

2. Get a Business Associate Agreement from your hosting provider. Every hosting provider serving healthcare clients has a BAA template. Sign one. If they refuse, change hosts. Many shared hosts will not provide BAAs and require an upgrade to their healthcare-tier plan.

3. Verify your email channel for patient communication. If staff use Gmail or basic Outlook to email patients about anything health-related, that has to change. Sign up for a HIPAA-compliant email service and migrate patient comms to it.

4. Check that staff have individual logins. No shared accounts. Each person logs in with their own credentials.

5. Document it. HIPAA requires written policies. A short document that states “this is how we handle patient data, this is who has access, this is our incident response plan” is enough for an independent clinic. Many violations turn into bigger fines specifically because the clinic could not show that they had thought about HIPAA at all.

The cost of getting this right vs the cost of getting it wrong

A clinic website that is HIPAA-compliant from scratch costs roughly the same as one that is not. The hosting is similar, the form infrastructure is similar, the email service costs $30-50 per user per month. The total annual added cost for a 5-person clinic is around $2,500 to $4,000.

The cost of a single HIPAA violation is between $100 and $50,000 per violation, with annual caps in the millions. The cost of having to publicly disclose a breach is harder to measure but typically destroys patient trust in the practice.

The math is not subtle. Compliance is dramatically cheaper than the alternative.

Where to start

If you are reading this and you are not sure whether your clinic website is compliant, the first step is to inventory what data you collect and where it goes. Most clinics that do this honestly discover they have at least one form that is not properly handled, one email channel that is not encrypted, or one third-party tool that is processing PHI without a BAA.

The fix usually takes one to three weeks of focused work. The result is a clinic that can grow its patient base online without spending nights worried about an OCR audit.

This is the kind of infrastructure decision that does not feel urgent until the day it becomes very urgent. The clinics that handle it early treat it as boring operational maintenance. The clinics that wait usually handle it during a crisis. The first approach is much cheaper.
