HIPAA Website Compliance Checklist

A step-by-step checklist covering every technical and administrative control your healthcare website needs to stay compliant.

Published April 7, 2026 4 min read

SSL/TLS Encryption

Every page of your website must be served over HTTPS. HIPAA's Security Rule requires that all electronic protected health information (ePHI) transmitted over public networks be encrypted. An expired, missing, or self-signed SSL certificate is one of the most common violations found during compliance reviews.

Confirm your SSL certificate is valid and issued by a trusted CA
Ensure automatic HTTP-to-HTTPS redirects are in place
Use TLS 1.2 or higher — disable TLS 1.0 and 1.1
Verify that all subdomains used to collect data are also covered
Check certificate expiration dates and set up renewal alerts

Automated scanners like HIPAA Guard check your SSL configuration on every scan so expiration never catches you off guard.

Privacy Policy Requirements

A HIPAA-compliant website must publish a clear, accessible Notice of Privacy Practices (NPP) that explains how patient information is collected, used, and shared. This is distinct from a generic privacy policy and must meet specific regulatory content requirements under 45 CFR § 164.520.

NPP must be prominently linked from every page that collects PHI
Include contact information for your Privacy Officer
Describe patients' rights regarding their health information
State how you respond to data breaches
Date the policy and note the effective date of the most recent revision

Missing or inadequate privacy notices account for a significant share of OCR enforcement actions each year.

Web Forms and Data Collection

Any web form that collects protected health information (PHI) — including appointment requests, intake forms, or symptom checkers — must be secured at rest and in transit. Standard HTML contact forms that send unencrypted email are not HIPAA compliant.

Use encrypted form submission tools or HIPAA-compliant form platforms
Avoid storing form submissions in shared CMS databases without encryption
Do not use standard Gmail, Outlook, or other non-BAA email to receive form data
Implement CSRF protection on all forms
Log form access and submission events for audit purposes

Review the HIPAA compliant forms guide for a deeper look at secure form architecture.

Cookies, Analytics, and Tracking Pixels

Third-party tracking technologies — including Google Analytics, Meta Pixel, and ad retargeting scripts — can inadvertently transmit PHI to vendors who have not signed a Business Associate Agreement (BAA). The FTC and OCR have both issued guidance making clear that tracking pixels on authenticated patient pages constitute a potential HIPAA violation.

Audit every third-party script loaded on pages where PHI appears
Remove tracking pixels from patient portals, appointment confirmation pages, and prescription pages
Obtain BAAs from any analytics or tag management vendor that processes ePHI
Implement a consent management platform to control cookie activation

Hosting and Infrastructure Controls

Your web hosting environment must support HIPAA's administrative, physical, and technical safeguards. This means your hosting provider must sign a Business Associate Agreement and offer documented security controls including access logging, intrusion detection, and data backup.

Confirm your host offers and will sign a BAA
Verify data centers have physical access controls and environmental protections
Ensure database backups are encrypted and tested regularly
Use role-based access controls for server and CMS administration
Enable audit logging for all administrative actions

See our guide on HIPAA-compliant web hosting for recommended providers and what to look for in a BAA.

Ongoing Monitoring and Risk Assessment

HIPAA compliance is not a one-time event. The Security Rule requires covered entities and business associates to conduct periodic risk assessments and implement a process for ongoing monitoring. Websites change frequently — new scripts are added, certificates expire, and third-party integrations evolve.

Schedule compliance scans after every significant site update
Conduct a formal risk assessment at least annually
Document all identified risks and remediation actions
Train staff on HIPAA requirements whenever policies change
Maintain an inventory of all systems that process PHI

Tools like HIPAA Guard automate continuous scanning so you catch regressions before they become violations.

Check your site for free — Instant HIPAA compliance scan, no signup required.

Scan Now

Frequently Asked Questions

Does every healthcare website need to be HIPAA compliant?

If your website collects, stores, transmits, or is used to access protected health information (PHI), it must comply with HIPAA's Security Rule and Privacy Rule. This includes practice websites with appointment forms, patient portals, telehealth platforms, and health apps. Purely informational sites that collect no patient data are generally outside scope, but adding any form of PHI collection changes that.

How often should I run a HIPAA compliance check on my website?

At minimum, run a compliance check annually and after any significant website change — new theme, new plugin, new third-party integration, or server migration. Because SSL certificates expire and third-party scripts change, monthly automated scanning is considered best practice for active healthcare websites.

What are the penalties for a non-compliant healthcare website?

Civil penalties range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category. Criminal penalties can reach up to $250,000 and 10 years imprisonment for willful neglect. State attorneys general can also bring actions under HIPAA. Enforcement has increased substantially since 2020.

Is a standard SSL certificate enough for HIPAA compliance?

SSL/TLS encryption is a necessary but not sufficient condition for HIPAA compliance. You also need secure forms, proper privacy notices, BAAs with vendors, access controls, audit logging, and a documented risk management program. Think of SSL as one item on a long checklist, not the whole checklist.

Can I use WordPress for a HIPAA-compliant website?

WordPress can be used in a HIPAA-compliant manner, but it requires significant hardening: HIPAA-compliant hosting with a BAA, removal of non-compliant plugins, encrypted form solutions, strict user access controls, and audit logging. Out of the box, WordPress is not HIPAA compliant.

Explore More HIPAA Resources

HIPAA Website Compliance Checklist What Makes a Website HIPAA Compliant Is My Website HIPAA Compliant?Understanding the HIPAA Security Rule for Websites HIPAA Compliance Guide for Telehealth Platforms HIPAA-Compliant Web Forms: Complete Guide How HIPAA Website Scanning Works Free HIPAA Compliance Checker: What You Get and What You Miss HIPAA Risk Assessment for Websites Choosing HIPAA-Compliant Web Hosting HIPAA Covered Entities: Who Needs to Comply with HIPAA HIPAA Business Associate Agreement: What You Need to Know HIPAA Breach Notification Rules for Websites Protecting PHI on Websites HIPAA Compliance and Website Cookies and Tracking Pixels HIPAA-Compliant Email for Healthcare HIPAA Compliance for Small Medical Practices HIPAA Guard Automated Scanning vs Manual HIPAA Audits How do I choose the best HIPAA compliance tool?What is a HIPAA website scanner?How does a HIPAA risk assessment tool work?HIPAA Website Scanner vs. Free Compliance Checker: Which is better?How do I fix HIPAA compliance failures identified by a tool?What factors influence the cost of HIPAA compliance tools, and how can I budget for them?