What Makes a Website HIPAA Compliant
Breaking down the specific technical, administrative, and physical safeguards your website must implement to satisfy HIPAA's Security Rule.
The Three Safeguard Categories
HIPAA's Security Rule organizes requirements into three categories: administrative safeguards, physical safeguards, and technical safeguards. For websites, all three apply in different ways.
Administrative safeguards include policies, procedures, workforce training, and risk management programs. Physical safeguards cover data center security, workstation controls, and device disposal. Technical safeguards are the code-level and infrastructure controls most relevant to website compliance: access controls, audit controls, integrity controls, and transmission security.
Understanding which category each requirement falls into helps you assign ownership across your organization — IT owns technical controls, operations owns physical controls, and compliance/legal owns administrative controls.
Technical Safeguard Requirements
The technical safeguards in 45 CFR § 164.312 are the most directly relevant to website architecture. They require:
- Access Controls (§164.312(a)(1)): Unique user identification, automatic logoff, and encryption/decryption of ePHI at rest
- Audit Controls (§164.312(b)): Hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI
- Integrity Controls (§164.312(c)(1)): Mechanisms to authenticate ePHI and ensure it has not been altered or destroyed improperly
- Transmission Security (§164.312(e)(1)): Guards against unauthorized access to ePHI during transmission — this is where HTTPS/TLS requirements live
Each of these maps directly to specific website features that can be audited and verified.
Business Associate Agreements
Any third-party vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate and must sign a BAA before you share PHI with them. For websites, this covers a surprisingly broad range of vendors.
Common website vendors that typically require BAAs include: web hosting providers, form processing services, email marketing platforms (if health data is involved), analytics tools on authenticated pages, CDN providers serving ePHI, chat and scheduling tools, and CRM systems storing patient records.
Operating without a BAA where one is required is a direct HIPAA violation — even if no breach occurs. The OCR has levied fines against covered entities specifically for missing BAAs.
Authentication and Access Controls
Patient portals and any website section displaying PHI must implement robust authentication. HIPAA does not mandate multi-factor authentication by name, but it is considered an addressable implementation specification, meaning you must implement it or document a comparable alternative.
- Enforce strong password policies (minimum length, complexity, expiration)
- Implement automatic session timeout after periods of inactivity
- Log all login attempts, including failures
- Use role-based access controls to limit data exposure by user role
- Disable or remove accounts immediately upon employee termination
For telehealth platforms and patient portals, MFA is effectively the industry standard and should be considered required in practice.
Data Minimization and PHI Handling
The Privacy Rule's minimum necessary standard requires that you only collect, use, and disclose the minimum amount of PHI necessary to accomplish the intended purpose. For websites, this translates into thoughtful form design and data architecture.
- Only request fields you actually need — avoid collecting diagnoses or medication lists in general contact forms
- Do not log PHI in standard web server access logs or error logs
- Avoid storing PHI in URL parameters, which appear in server logs and browser history
- Implement data retention policies and automate deletion of PHI that is no longer needed
- Ensure database fields containing PHI are encrypted at the column level where possible
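As an added example that is not part of the original article, the Python below turns two of the items above (no PHI in server logs, no PHI in URL parameters) into enforceable code: a pre-deploy check for PHI-bearing query parameters and a logging filter that scrubs their values before any access or error log line is written. The names in PHI_PARAMS are assumed placeholders; the real list comes from your own data inventory.

```python
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names that carry PHI in this site's forms. They are
# placeholders for the example; derive the real list from your data inventory.
PHI_PARAMS = {"dob", "ssn", "mrn", "diagnosis", "medication", "patient_name"}
PHI_PARAM_RE = re.compile(r"\b(" + "|".join(sorted(PHI_PARAMS)) + r")=[^&\s]*", re.IGNORECASE)


def phi_params_in_url(url: str) -> list[str]:
    """Names of PHI-bearing query parameters in a URL. Run it over your route
    table or a site crawl before deploy to catch PHI leaking into URLs."""
    query = urlsplit(url).query
    return sorted({k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in PHI_PARAMS})


def redact_url(url: str) -> str:
    """Replace the values of PHI parameters and keep the rest of the URL intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, "REDACTED" if k.lower() in PHI_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def redact_text(text: str) -> str:
    """Regex pass for free-form log messages that embed key=value pairs."""
    return PHI_PARAM_RE.sub(lambda m: f"{m.group(1)}=REDACTED", text)


class PHIRedactingFilter(logging.Filter):
    """Attach to the access/error logger so PHI is scrubbed before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so values passed as %-style args are scrubbed as well.
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def scrubbed_message(fmt: str, *args) -> str:
    """Run one log call through the filter and return what a handler would write."""
    record = logging.LogRecord("access", logging.INFO, __file__, 0, fmt, args, None)
    PHIRedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logging.basicConfig(format="%(message)s", level=logging.INFO)
    access = logging.getLogger("access")
    access.addFilter(PHIRedactingFilter())
    access.info("GET %s 200", "/intake?patient_name=J+Doe&dob=1980-01-01")  # both values scrubbed
```

The filter covers only parameters you have named; it is a backstop for the form and URL design rules above, not a substitute for them.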