Is My Website HIPAA Compliant?

A practical guide to evaluating your website's current compliance posture and identifying the gaps most likely to draw regulatory scrutiny.

Published April 7, 2026

Start with a Basic Technical Audit

The fastest way to get an initial answer is to run an automated scan. Tools like HIPAA Guard analyze your publicly accessible pages for the most common technical violations: SSL configuration, missing privacy notices, insecure form endpoints, and third-party tracking on sensitive pages.

An automated scan will not catch everything — it cannot see inside your database, review your policies, or verify whether your vendors have signed BAAs — but it will surface the technical issues that are most immediately visible and most commonly cited in enforcement actions.

Start your evaluation with a free scan, then use the results as a structured checklist to investigate each flagged item in depth. Many organizations are surprised to discover issues they didn't know existed, particularly around third-party scripts loaded by marketing teams without IT review.


Check Your SSL Configuration

Visit your website in a browser and verify you see the padlock icon in the address bar. Then dig deeper:

  • Use a tool like SSL Labs to grade your TLS configuration
  • Confirm your certificate expiration date and who manages renewals
  • Verify HTTPS is enforced sitewide and that HTTP requests redirect to HTTPS
  • Check all subdomains — patient portals, scheduling tools, and intake forms often live on different subdomains
  • Ensure HSTS (HTTP Strict Transport Security) headers are set

An "A" grade on SSL Labs with HSTS enabled is a strong baseline for transmission security compliance, though it is only one element of the full picture.
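The redirect and HSTS items on the list above can be checked from a script across every subdomain rather than by eye. The following is an added example, not tooling from the article or from HIPAA Guard; it uses only the Python standard library, and the hostnames and header values used to exercise it are constructed.

```python
import http.client
import re

ONE_YEAR = 31536000  # max-age floor the HSTS preload list requires


def parse_hsts(header):
    """Return (present, max_age_seconds, include_subdomains) from a raw HSTS value."""
    if header is None:
        return False, 0, False
    m = re.search(r"max-age\s*=\s*\"?(\d+)", header, re.I)
    return True, int(m.group(1)) if m else 0, "includesubdomains" in header.lower()


def evaluate(http_status, http_location, https_hsts):
    """Pure check over the plain-HTTP response and the HTTPS HSTS header; [] means pass."""
    findings = []
    redirected = (http_status in (301, 302, 307, 308) and bool(http_location)
                  and http_location.lower().startswith("https://"))
    if not redirected:
        findings.append("plain HTTP does not redirect to HTTPS")
    present, max_age, sub = parse_hsts(https_hsts)
    if not present:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if not sub:
            findings.append("HSTS lacks includeSubDomains; portal subdomains stay unprotected")
    return findings


def probe(host, timeout=10):
    """Live wrapper: one request over plain HTTP and one over HTTPS against host."""
    c = http.client.HTTPConnection(host, timeout=timeout)
    c.request("GET", "/")
    r = c.getresponse()
    status, location = r.status, r.getheader("Location")
    c.close()
    s = http.client.HTTPSConnection(host, timeout=timeout)
    s.request("GET", "/")
    hsts = s.getresponse().getheader("Strict-Transport-Security")
    s.close()
    return evaluate(status, location, hsts)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # list every subdomain: portal, scheduling, intake
        print(host, probe(host) or ["OK"])
```

A host that does not listen on port 80 at all will raise a connection error from `probe`, which is itself a pass for the redirect item; treat it as such rather than as a finding.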


Review Your Forms and Data Flows

Make a complete inventory of every form on your website and ask for each one: what data does it collect, where does it go, and is that destination covered by a BAA?

  • Contact forms that ask about health conditions or symptoms
  • Appointment request forms
  • New patient intake forms
  • Insurance verification forms
  • Newsletter signup forms on healthcare websites

Trace each form submission to its destination. If it sends an email via a standard SMTP relay, that relay must have a BAA. If it writes to a CRM, that CRM must have a BAA. If it stores data in a spreadsheet in Google Drive, your Google Workspace account must have a BAA with Google activated.
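The inventory step above, as an added example that is not part of the original article: a small Python form auditor that resolves each form's action URL and flags the destinations that need a BAA conversation. The PHI field-name hints, the sample page and the vendor hostname are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments suggesting a field collects PHI (constructed heuristic list)
PHI_HINTS = ("symptom", "condition", "diagnos", "insurance", "dob", "birth", "medication", "ssn")

# Constructed sample page: an intake form posting to a third-party CRM over plain HTTP
SAMPLE_HTML = """
<form action="http://crm.example-vendor.test/submit" method="post">
  <input name="name"><input name="dob"><textarea name="symptoms"></textarea>
  <input type="submit" value="Send"></form>
<form action="/newsletter"><input name="email"></form>
"""

class FormInventory(HTMLParser):
    """Collect each <form> with its resolved action URL, method and field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": urljoin(self.page_url, a.get("action") or ""),
                         "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "textarea", "select") and self._cur is not None:
            if a.get("name") and (a.get("type") or "").lower() != "submit":
                self._cur["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_forms(page_url, html):
    """Parse the page and attach BAA-relevant findings to every form found."""
    p = FormInventory(page_url)
    p.feed(html)
    site = urlsplit(page_url).hostname
    for f in p.forms:
        dest = urlsplit(f["action"])
        f["phi_suspected"] = any(h in n.lower() for n in f["fields"] for h in PHI_HINTS)
        f["findings"] = []
        if dest.scheme != "https":
            f["findings"].append("action URL is not HTTPS")
        if dest.hostname != site:
            f["findings"].append(f"posts to third party {dest.hostname}: confirm a BAA covers it")
        if f["method"] == "get" and f["phi_suspected"]:
            f["findings"].append("GET places field values in URLs, server logs and Referer headers")
    return p.forms
```

Forms assembled by JavaScript after load will not appear in the static HTML; for those, the Network-tab review in the next section is the reliable source of the real destination.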


Audit Third-Party Scripts

Open your browser's developer tools on any page where patients might be authenticated or where health information appears, and review the Network tab. Every external domain that receives a request is a potential data recipient.

Common problematic patterns include:

  • Meta Pixel or TikTok Pixel on appointment confirmation pages that pass appointment type or referring page as event metadata
  • Google Analytics on patient portal pages where the page title or URL reveals a diagnosis code or procedure
  • Live chat widgets that log conversation transcripts to servers outside your BAA coverage
  • CDN providers serving content from patient-facing pages without a BAA

The HHS Office for Civil Rights (OCR) 2022 bulletin on tracking technologies makes clear that these scenarios are enforcement priorities.
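The Network-tab review can be repeated from a saved HAR export (the browser's Network tab can save one) so that the check is not a one-off. This is an added example, not the article's own tool: it groups every off-site request by host, marks the pixel and analytics hosts named above, and flags requests whose path or decoded query values carry health context. The tracker host list, the sensitive-term list and the HAR excerpt are constructed, and the first-party site host is passed in as an assumption.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Hosts behind the patterns listed above (constructed list; extend for your vendors)
TRACKER_HINTS = ("facebook.", "tiktok.", "google-analytics.", "googletagmanager.", "doubleclick.")
# Path or parameter fragments that would leak health context if sent off-site
SENSITIVE_HINTS = ("appointment", "diagnos", "procedure", "icd", "cpt", "condition", "patient")

# Constructed HAR excerpt resembling a Network-tab export of a confirmation page:
# the pixel request echoes the page URL (including the appointment type) in `dl`
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://portal.clinic.example/appointments/confirm?type=oncology"}},
    {"request": {"url": "https://www.facebook.com/tr?id=123&ev=PageView"
                        "&dl=https%3A%2F%2Fportal.clinic.example%2Fappointments%2Fconfirm%3Ftype%3Doncology"}},
    {"request": {"url": "https://cdn.widgetchat.test/loader.js"}},
    {"request": {"url": "https://static.clinic.example/app.css"}},
]}})


def is_first_party(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def audit_har(har_text, site_host):
    """Group every external request by host and flag those carrying health context."""
    report = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        u = urlsplit(url)
        if not u.hostname or is_first_party(u.hostname, site_host):
            continue
        rec = report.setdefault(u.hostname, {"requests": 0, "known_tracker": False, "leaks": []})
        rec["requests"] += 1
        rec["known_tracker"] = rec["known_tracker"] or any(h in u.hostname for h in TRACKER_HINTS)
        # Everything the third party can read: the path plus the decoded query values
        visible = (u.path + " " + " ".join(v for _, v in parse_qsl(u.query))).lower()
        hits = sorted({h for h in SENSITIVE_HINTS if h in visible})
        if hits:
            rec["leaks"].append({"url": url, "terms": hits})
    return report


if __name__ == "__main__":
    import sys
    har = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_HAR
    site = sys.argv[2] if len(sys.argv) > 2 else "clinic.example"
    for host, rec in audit_har(har, site).items():
        print(host, rec)
```

Every host in the report, tracker or not, is a data recipient to reconcile against your BAA list; the `leaks` entries are the ones to act on first.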


Review Your Privacy Notice

HIPAA requires covered entities to post a Notice of Privacy Practices that meets the content requirements of 45 CFR § 164.520. Review your existing privacy policy against this checklist:

  • Does it describe all uses and disclosures of PHI you make?
  • Does it list patients' rights (access, amendment, accounting of disclosures)?
  • Does it name your Privacy Officer or provide contact information?
  • Does it state your legal duties regarding PHI?
  • Is it clearly linked from all pages where PHI is collected?
  • Does it carry a revision date within the last three years?

A generic "Privacy Policy" that covers GDPR and CCPA but does not address HIPAA-specific rights is not sufficient for covered entities.


Frequently Asked Questions

Can I check my own website's HIPAA compliance without a consultant?

Yes — you can perform a meaningful self-assessment using automated scanning tools and the checklists available through HHS.gov and HIPAA Guard. Self-assessment is valuable for identifying technical gaps quickly. However, a formal HIPAA risk assessment as required by the Security Rule should involve qualified personnel and typically benefits from external review for objectivity and completeness.

What are the most common HIPAA website violations found during audits?

The most frequently cited issues are: missing or inadequate Notice of Privacy Practices, tracking pixels on patient-facing pages without BAAs, unencrypted web forms transmitting PHI via standard email, expired or misconfigured SSL certificates, and lack of session timeout controls on patient portals. These five categories account for the majority of technical findings.

How long does a HIPAA website compliance review take?

An automated scan takes seconds to minutes. A thorough internal review covering forms, vendors, scripts, and documentation typically takes one to three business days for a small practice website. A comprehensive third-party audit for a complex healthcare platform can take two to four weeks and involves interviews, documentation review, and technical testing.

What should I do immediately if I discover a compliance gap?

Document the finding, assess whether PHI may have been exposed or transmitted improperly, and remediate as quickly as possible. If the gap could constitute a breach (unauthorized disclosure of PHI), follow your breach notification procedure, which may require notifying affected individuals and reporting to HHS. Do not delete evidence of the gap before documenting it — that documentation is part of your compliance record.
