
Is My Small Business Website HIPAA Compliant? A Plain-English Checklist

6 min read · April 2026

HIPAA applies to dentists, therapists, chiropractors, optometrists, and any practice whose website collects appointment requests or health-related info. This checklist helps you identify the gaps.

The checklist

Contact forms use HTTPS (encrypted)

Check that your site URL starts with https://. Any form that collects health information must be encrypted in transit.

Form submissions are not stored in plain text

Some form plugins log submissions unencrypted. Any field that could contain health info needs encrypted storage.

Third-party tools (analytics, chat) have BAAs

Tools like Google Analytics may store data on their servers. You may need Business Associate Agreements with these vendors.
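The two checks above (forms posting over plain HTTP, and third-party scripts or widgets that may receive visitor data) can be run against a page's HTML before anyone signs a BAA. The script below is an added example written for this checklist, not code from Copper BayTech; it parses a page with Python's standard library, flags forms whose action is not https:// or is on another domain, lists external script and iframe sources, and uses a constructed, heuristic word list to spot fields that may hold health-related information. The sample page, its domain and the field names are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic hints that a form field may carry health-related detail.
# Constructed for this example; it is not an official HIPAA field list.
HEALTH_HINT_WORDS = ("patient", "symptom", "condition", "diagnosis", "medical",
                     "health", "insurance", "reason", "medication")


class SiteAuditParser(HTMLParser):
    """Collects forms (action + visible field names) and third-party script/iframe sources."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).netloc
        self.forms = []         # each: {"action": absolute URL, "fields": [names]}
        self.third_party = []   # (tag, absolute src) for resources on other hosts
        self._current = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL; no action means "post to self".
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if name and a.get("type", "").lower() not in ("submit", "hidden", "button"):
                self._current["fields"].append(name)
        elif tag in ("script", "iframe") and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            host = urlparse(src).netloc
            if host and host != self.site_host:
                self.third_party.append((tag, src))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return a list of findings as tuples; an empty list means nothing was flagged."""
    parser = SiteAuditParser(page_url)
    parser.feed(html)
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append(("NO_HTTPS", page_url))
    for form in parser.forms:
        target = urlparse(form["action"])
        health_fields = tuple(f for f in form["fields"]
                              if any(w in f.lower() for w in HEALTH_HINT_WORDS))
        if target.scheme != "https":
            findings.append(("FORM_UNENCRYPTED", form["action"]))      # data leaves in clear text
        if target.netloc != parser.site_host:
            findings.append(("FORM_THIRD_PARTY", form["action"]))      # processor needs a BAA review
        if health_fields:
            findings.append(("FORM_HEALTH_FIELDS", form["action"], health_fields))
    for tag, src in parser.third_party:
        findings.append(("THIRD_PARTY_" + tag.upper(), src))           # analytics/chat vendors to review
    return findings


# Constructed sample page for a fictional practice site; domains and ids are placeholders.
PAGE_URL = "https://www.example-dental.com/contact"
SAMPLE_HTML = """
<form action="http://forms.example.net/submit" method="post">
  <input name="patient_name"><input name="email" type="email">
  <textarea name="reason_for_visit"></textarea>
  <input type="submit" value="Send">
</form>
<form action="/newsletter"><input name="email"><button>Join</button></form>
<script src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE"></script>
<script src="/assets/site.js"></script>
<iframe src="https://chat.example-widget.net/embed"></iframe>
"""

if __name__ == "__main__":
    for finding in audit_page(PAGE_URL, SAMPLE_HTML):
        print(*finding)
```

Run it against your own page's HTML (saved from the browser) with your real site URL. Every FORM_THIRD_PARTY and THIRD_PARTY_* line is a vendor to put on the BAA list; a FORM_UNENCRYPTED line next to FORM_HEALTH_FIELDS is the combination this checklist is most concerned with.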

Your hosting provider signs a BAA

Your web host stores your site data. Under HIPAA they need to sign a Business Associate Agreement. Ask yours if they offer this.

Website logins use strong, unique credentials + 2FA

Shared CMS logins are a HIPAA problem. Use unique passwords and enable two-factor authentication.

Privacy policy covers health data handling

Your privacy policy should specifically address when health info is collected, how it is stored, and who can access it.

Note: This is not legal advice. HIPAA compliance is complex and fact-specific. Work with a qualified attorney alongside your technical team.