How to Make a Website HIPAA-Compliant

Q: Can I collect patient data on Wix?

Not with Wix’s native tools. Use a HIPAA app like HIPAAtizer in the Wix App Marketplace.

Q: Is Webflow HIPAA-Compliant?

No, but it can be used with apps like HIPAAtizer or Jotform with a HIPAA plan.

Q: Do I need HIPAA hosting for my site?

Only if your site stores PHI. If it doesn’t, embedded forms on that store data on HIPAA-Compliant servers, like HIPAAtizer, are enough.

Q: What is a BAA, and do I need one?

A BAA is a Business Associate Agreement. It is a HIPAA requirement for third party service providers, like HIPAAtizer, that provide services that handle PHI. And, yes you, as a Covered Entity need one with the service provider if the service provider is handling PHI.

August 18, 2025

Category: Blog

You built your website on a platform you know and love, maybe it’s WordPress, Wix, or Webflow. You’ve designed every page, perfected the layout, and even set up SEO. But then someone from the clinic or your client says the magic word: HIPAA. Cue the panic.

Here’s the good news: You don’t need to rebuild your entire site to make a website HIPAA Compliant. In fact, most of your website doesn’t even handle Protected Health Information (PHI). It’s usually just the forms – like patient intake, appointment requests, or consent forms – that need to follow HIPAA rules.

Let’s walk through exactly how to make the forms on your website HIPAA Compliant, platform by platform, without breaking your website, your brand, or your budget.

What Makes a Website HIPAA Compliant?

When Is HIPAA Required?

HIPAA applies when you’re collecting, transmitting or storing PHI. That includes:

Online forms that collect symptoms or insurance info
Medical appointment requests
Consent and intake forms
Online payments tied to medical services

If your website only includes a blog or general contact form (without medical details), HIPAA likely doesn’t apply.

What Counts as PHI on a Website?

A patient’s name + condition = PHI
Email + reason for visit = PHI
Newsletter signup? Not PHI

HIPAA and Your Website Builder: WordPress, Wix, and Webflow

WordPress HIPAA-Compliant Forms

WordPress is flexible but not HIPAA Compliant out of the box, as it doesn’t offer a BAA for its users.

Use a WordPress HIPAA-Compliant plugin.

Options:

HIPAAtizer’s WordPress Plugin
HIPAA Forms Online

Pro Tip: Choose a plugin that allows styling and provides print-friendly submission views for doctors.

Wix HIPAA-Compliant Forms

Wix is easy and attractive, but doesn’t offer a BAA. You can’t collect PHI using Wix’s built-in forms.

Use a third-party app like HIPAAtizer’s Wix App. Learn more

Pro Tip: Always test on mobile. Many patients use phones to fill out forms.

Webflow HIPAA-Compliant Forms

Webflow is a favorite among web designers. Clean code, intuitive interface, but no BAA.

Use a third-party solution:

Jotform (with HIPAA-Compliant plan)
HIPAAtizer Webflow App (officially listed in the Webflow marketplace)

Learn more about the Best HIPAA-Compliant Form Builders in 2025

Features to Look for in HIPAA-Compliant Online Forms for your Website

End-to-end encryption
Business Associate Agreement (BAA)
No-code
Custom styling
Printable submissions
Mobile responsiveness
E-signature & e-payment support
Save & continue, autofill, conditional logic
Submission management, access control
Easy embed (iframe, plugin, script)

Common Mistakes to Avoid While Making Your Website HIPAA Compliant

Using Built-in Website Forms

Forms provided through WordPress, Webflow, or Wix aren’t compliant without proper security and a BAA.

Handling Submissions Without a BAA

Agencies or contractors working on a medical site must not access PHI unless a BAA is signed. Viewing form submissions without a BAA can be a violation.

Using a non-password-protected PDF or Word patient form attached to a website

If a patient downloads a PDF or Word form and fills it out, they usually send it via a personal email account, which in most cases is not HIPAA Compliant. These forms are also inconvenient to fill out on a mobile device, which creates a user-experience issue in addition to potential HIPAA Compliance risks.

HIPAA-Compliant Website Use Cases & Real-Life Examples

A Solo Therapist Using WordPress

A practitioner aims to reduce wait times by adding a consent form to their website for patients to complete in advance. They used one of the WordPress plugins and embedded a HIPAA-Compliant online consent form with printable submissions that mimics the original PDF.

A Pediatric Clinic Using Webflow

Used conditional logic to serve the correct intake form based on visit type. Branded and mobile-friendly.

A contact form on a WordPress Dental Clinic Website

A dental office realized that its Contact Form 7 is not HIPAA-Compliant. They switched their form into a HIPAA-Compliant Contact form with HIPAA form plugin in the WordPress marketplace without needing to change their WordPress website.

Pediatric Clinic that uses a fax machine

Added a Contact form with File Upload to a Wix website and received the required medical documents online and consents via the website in a HIPAA-Compliant manner.

Helpful Tip: Having HIPAA forms embedded on a clinic website contributes to local SEO as patients visit the website to sign forms.

How to Add HIPAA-Compliant Forms to Any Website

1. Choose a HIPAA-Compliant Form Builder

Look for:

HIPAA-Compliant hosting
No-code drag-and-drop builder
Branded, styled forms
Printable submission formats
Signed BAA

(HIPAAtizer offers all of the above and is free for developers.)

2. Create or Convert Existing Forms

You can build a form manually or use a service like HIPAAtize to convert your PDF or Word forms for free.

3. Test Your Forms

Test across devices. Check styling, branding, submission format, and mobile responsiveness.

4. Embed on Your Website

Use plugins, iframe, or direct link (e.g., in email or QR code).

HIPAA Hosting vs Embedded Forms

Do You Need HIPAA Hosting for Your Entire Website?

Short answer: No.

HIPAA only applies to parts of your site that handle PHI. If your forms are embedded and hosted on a HIPAA-Compliant platform, your main website doesn’t need to be HIPAA hosted.

The HIPAA-Compliant “Contact Us” Page: A Simple Test

Not sure if your website is collecting PHI? Here’s a quick test: Look at your Contact Us form. Does it ask for symptoms, reasons for visit, insurance info, or anything medical? If so, it’s collecting PHI, even if it’s just one field.

That means you can’t use your chosen platform’s default form. But the fix is easy: embed a HIPAA-Compliant form just for that page. You’re only targeting the part of your website that needs to be compliant, and it keeps your site on the right side of HIPAA.

FAQs About HIPAA-Compliant Websites

Is WordPress HIPAA Compliant?

Not by default, but yes, if you use a plugin that hosts forms on a HIPAA-Compliant server.

Can I collect patient data on Wix?

Is Webflow HIPAA-Compliant?

Do I need HIPAA hosting for my site?

What is a BAA, and do I need one?

Yes, You Can Make Any Website HIPAA-Compliant!

You don’t need to start from scratch. Whether your site is built on WordPress, Wix, Webflow, or another platform, by adding a HIPAA-Compliant form, you can make your site secure and compliant, while keeping your design intact.

And, if you’re looking for an easy, flexible, doctor-approved way to do it?

Try HIPAAtizer. It’s no-code, fast, customizable, and always free for developers.

Still have questions? Contact us

How to Make Any Website HIPAA-Compliant in 2025