Abu Noaman | Apr 18, 2026

Checklist for Building HIPAA Compliant Websites

Checklist for Building a HIPAA Compliant Websites

Building a HIPAA-compliant website is about protecting a patient’s Protected Health Information (PHI). This includes anything that can identify a person, such as their name, phone number, medical history, or even their appointment time. For high-growth healthcare platforms, the website must act as a “Hardened Security Machine” designed to handle appointments and patient records while keeping the “privacy shield” intact. To be compliant, ensure that this data is handled with integrity i.e. it is kept private, safe from hackers, and only seen by the right people.

Here is a basic checklist that popular healthcare platforms use to ensure its systems have total Integrity.

1. The Legal Foundation

To build a HIPAA compliant website:

  • Sign Business Associate Agreements (BAA): The healthcare platform must sign a BAA with its hosting (like AWS), its email providers, its database services and its cookie management systems (like OneTrust). This is a legal contract where both sides promise to protect patient info in accordance with HIPAA rules.
  • Designate a Privacy Officer: There must be one person in the company whose “job” is to watch over security and make sure no “noise” or leaks occur.

2. The Technical Security

You cannot use cheap, shared hosting for a HIPAA site. This is how the data is physically protected from hackers:

  • Cookie Policy: Establish a website cookie banner up, with all non-strictly-necessary cookies held back from firing until after the visitor has affirmatively consented/accepted the cookies.  
  • Data Capture: For any section/page of the website where a visitor enters personal information or makes an appointment, use GTM to remove all non-strictly-necessary passive tracking irrespective of acceptance of a banner. Some guidelines: (a) Home Page / General Info is a general “signal” only, so tracking is permissible. (b) Conditions / Treatment Pages signal “health intent, so it’s best to remove all tracking. (c) Appointment / Login Pages contain “Direct PHI”, so all tracking must be removed. (d) Patient Portal is considered “Data Integrity” zone, so all tracking is prohibited and must be removed.
  • No PHI in URLs or Query Parameters: Because it ends up in server logs, browser history, referrer headers, and analytics tools. Use Post method for anything that includes patient headers.
  • No PHI in Analytics Tools Without a BAA: Google Analytics does not sign a BAA by default. As a precaution, audit your tracking events.
  • Strong Passwords: Require all staff to use long, complex passwords and Two-Factor Authentication (2FA).
  • Encryption at Rest: All patient data (names, birthdays, symptoms) must be “scrambled” while it sits in the database. If a hacker broke in or stole your servers, all they would see is gibberish.
  • Encryption in Transit via SSL/TLS: When a patient books an appointment on their phone, their data must travel through a secure, encrypted “tunnel” (SSL/TLS) to reach the server. Never use standard “Contact Us” forms for medical info.
  • Unique User IDs: No two employees should share a login. Every person has their own “unique key” to enter the system.
  • Backup System: You must have a secure way to back up your data in case of a “system failure” or a natural disaster.

3. The Monitoring System

A compliant website must be “Self-Aware” i.e. it needs to know exactly what is happening inside its walls at all times.

  • Audit Logs: The system must keep a permanent “signal” of every action. If an employee looks at a patient’s record, the system records who looked, what they saw, and when they did it.
  • Automatic Log-off: If a doctor or scheduler walks away from their computer, the website must automatically log them off after a few minutes to prevent “unauthorized access.”
  • Integrity Checks: The system must regularly check its own data to make sure it hasn’t been altered or corrupted by a “system failure.”

4. The Communications Protocols

How the platform talks to patients is the most common place for “security leaks.”

  • No PHI in Notifications: When Luna sends you a text or an email, it should say, “You have a new message in your portal,” rather than “Your physical therapy for your back is at 2:00 PM.” Keeping the details behind a login is the only way to stay compliant.
  • Secure Portals: All actual medical talk happens inside a “perfected” secure portal, never through basic, unencrypted emails and texts. Use a professional service (like Google Workspace or Microsoft 365) specifically configured for HIPAA.
  • Clear Privacy Policy: Your website must have a clear page explaining how you protect patient data and what their rights are.

5. Other Non-Web Administrative Safeguards

This list does not include broader organizational issues such as

  • HIPAA training
  • Workforce authorization
  • Contingency plans
  • Risk management plans
  • Risk assessment completed and documented
  • Security incident procedures
  • Off boarding checklist
  • Conducting access review regularly

If you are seeking a healthcare marketing agency,  view our capabilities and consider partnering with us.

Related posts:

  1. Website Design Agency for Naturopathic Colleges Rebrands and Redesigns Southwest College for Naturopathic Medicine Responsive Website
  2. News, Views and Advocacy Magazine for Oncology Nursing Society
  3. Pittsburgh Web Development Agency Shares Web Development Best Practices

Tags:

Categories:

About

Welcome to the Elliance Aha! Blog where we share digital marketing ideas, insights and inspirations for higher education, manufacturing, B2B, B2C and nonprofit brands. We are a Pittsburgh-based digital marketing agency that leverages brand, search, social, mobile and web to bring prosperity to our national and global clients.