Your Website Probably Wasn't Built With HIPAA in Mind. Here's Why That Matters.
Most websites your patients visit weren't designed to handle medical information. A typical website builder — Wix, Squarespace, generic WordPress, a friend-of-a-friend's freelance build — collects form data and emails it to you. That works for a yoga studio. For a clinic, the same setup can become a federal compliance problem the moment a prospective patient types their symptoms into your “Contact” form.
We build websites for solo healthcare practices. This page explains, in plain language, why we route patient information through vendor-managed compliant tools instead of letting your website handle it directly — and what the federal and state rules actually say.
What HIPAA Asks of You
HIPAA is short for the Health Insurance Portability and Accountability Act. The pieces that matter to a small practice website are:
- Protected Health Information (“PHI”) — Any health information about an identifiable patient. A name plus an appointment request to a psychiatric NP is PHI. A name plus a symptom checkbox is PHI. (45 CFR § 160.103) [1]
- Use and disclosure rules — You can only share PHI in ways the rule allows. (45 CFR § 164.502) [2]
- The Security Rule — Electronic PHI must be protected for confidentiality, integrity, and availability. (45 CFR §§ 164.306, 164.308, 164.312) [3]
- Business Associate Agreements (“BAA”) — Any third party that touches PHI on your behalf needs a written BAA with you. (45 CFR §§ 164.502(e), 164.504(e)) [4]
- Breach notification — If unsecured PHI is exposed, you have to tell affected patients within 60 days, and tell the federal government if 500+ people are affected. (45 CFR §§ 164.404, 164.408; 42 USC § 17932) [5]
That last point matters. A “breach” doesn't require a hack. A misconfigured form that emails patient symptoms in plaintext to an inbox the wrong person can read is a breach.
Why a Static Intake Form Is Risky
A static intake form means: a form built into your website, where the data is emailed to you, stored in your website host's database, or both. Here's what happens behind the scenes:
- The patient types their information into the form — name, date of birth, sometimes reason for visit.
- The website sends that information over the internet to your hosting provider.
- The hosting provider either emails it to you or stores it in a database.
- Your email service receives and stores the email.
- You read it on your phone, your laptop, maybe forward it to a colleague.
Every step in that chain is a place where PHI lives. Under HIPAA, every party that handles PHI on your behalf — your web host, your email provider, the form plugin vendor — needs a signed BAA with you. Most consumer-grade web hosts and email providers (typical shared hosting, standard Gmail, regular Outlook) will not sign a BAA. That means the chain isn't legal for PHI even if no breach ever happens.
State laws can be stricter. In California, the Confidentiality of Medical Information Act lets a patient personally sue you for $1,000 per violation plus damages — HIPAA itself does not allow patient lawsuits. [6] In Texas, HB 300 extends the rules beyond traditional covered entities to anyone touching PHI, and caps penalties at $250,000 per violation. [7] In New York, the SHIELD Act requires you to notify the state Attorney General within 5 business days. [8] In Washington, the My Health My Data Act protects “consumer health data” even outside the clinical encounter — that includes form data on your marketing pages. [9]
What Federal Enforcement Has Actually Looked Like
These are real settlements published on hhs.gov:
- Steven A. Porter, M.D. (2020) — $100,000. A solo Utah gastroenterology practice that had not completed a security risk analysis and had not implemented sufficient safeguards for electronic PHI. OCR's investigation was triggered by a breach report tied to a dispute with an EHR vendor. [10]
- iHealth Solutions (2023) — $75,000. A small business associate exposed PHI of 267 patients through an unsecured server. The cited failure was — again — no risk analysis. [11]
- Gums Dental Care, LLC (2024) — $70,000 civil monetary penalty. A solo dental practice that mishandled a patient's records-access request. [12]
- Cadia Healthcare Facilities (2025) — $182,000. Posted patient names, photos, and treatment details on the practice's social media accounts as “success stories” without proper authorization. 150 patients affected. The same rule applies to anything a practice publishes — social posts, website testimonials, Google Business Profile updates — patient authorization is required before publication. [13]
- MMG Fusion, LLC (2025) — $10,000 + 3-year corrective action plan. A dental-marketing-software vendor whose breach affected 15 million individuals. The penalty was kept low only because the company was financially distressed. [14]
The pattern is consistent: small practices, modest-sounding amounts, large operational disruption — and almost always, a missing risk analysis or a missing BAA at the root.
What We Do Instead
Rather than build patient-facing forms into your website, we route those interactions through vendors who specialize in HIPAA compliance and who will sign a BAA with you. Our standard stack as of June 2026:
| Need | Vendor Options | Why |
|---|---|---|
| Patient texting and voice calls | Spruce Health ($24–$49/user/mo) | BAA auto-included with every plan; covers text, voice, fax, telehealth |
| Business phone with HIPAA texting | Quo (formerly OpenPhone; Business $33/user/mo) | BAA on Business and Scale plans; PHI stays in their infrastructure |
| Scheduling | SimplePractice ($49–$99/mo) or Jane App | BAAs on all paid tiers; built for clinicians, not generic offices |
| Answering service / receptionists | Ruby (HIPAA tier, from ~$235/mo) | US-based live receptionists trained on PHI handling |
| Call tracking for marketing | CallRail Healthcare Plan (from $150/mo) | Mandatory BAA on the Healthcare Plan; standard CallRail does not sign one |
| Insurance eligibility checks | Stedi (usage-based API) | API-first clearinghouse with SOC 2 Type 2; confirm BAA terms with sales |
We do not use Calendly. Calendly publicly refuses to sign a BAA on any tier, including Enterprise, and its terms of service prohibit PHI. We see clinicians put it on their website constantly. It's the single most common compliance mistake we untangle. [15]
What Your Website Actually Does in This Setup
When we build your site, the patient-facing form does one of three things:
- Routes them to a HIPAA-compliant scheduler. Your “Book a Visit” button links to Spruce, SimplePractice, or Jane App. The form is hosted by the vendor with a BAA in place. Your website never touches the data.
- Collects only non-PHI contact info — name and a phone number, no symptoms, no reason for visit. We then route them to a phone call or a HIPAA-compliant text channel for anything clinical.
- Hands the call off to your answering service (Ruby) or your business phone (Spruce/Quo).
That's it. Your marketing website does what marketing websites are supposed to do — explain who you are, what you treat, how to reach you — and then hands the patient off to the compliant tool before anything sensitive gets typed.
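The second option above only holds if the server refuses anything beyond a name and a phone number, whatever fields the HTML form (or a plugin) happens to send. Here is an added example of such a handler in Python; it is not code from the original page or from the agency described, and the scheduler URL is a placeholder assumption.

```python
import re
from typing import Optional

# Only these fields are ever accepted from the public contact form. Anything
# else (message, symptoms, date of birth, reason for visit) is rejected so the
# marketing site never stores, emails, or logs PHI.
ALLOWED_FIELDS = {"name", "phone"}

# Placeholder for the practice's vendor-hosted scheduler (assumption, not real).
SCHEDULER_URL = "https://example-scheduler.invalid/book"

# Accepts common US formats: (555) 123-4567, 555-123-4567, +1 555 123 4567.
PHONE_RE = re.compile(r"^\+?1?\D*(\d{3})\D*(\d{3})\D*(\d{4})$")


def normalize_phone(raw: str) -> Optional[str]:
    """Return a US number as +1NNNNNNNNNN, or None if it does not parse."""
    m = PHONE_RE.match(raw.strip())
    return "+1" + "".join(m.groups()) if m else None


def validate_contact(submission: dict) -> tuple:
    """Validate a raw form submission against the non-PHI allowlist.

    Returns (ok, result). On success, result holds the minimal record plus the
    redirect target. On failure, result carries an 'errors' list that names
    offending field keys only, so rejected values are never echoed or logged.
    """
    errors = []
    extra = set(submission) - ALLOWED_FIELDS
    if extra:
        errors.append("unexpected fields: " + ", ".join(sorted(extra)))
    name = str(submission.get("name", "")).strip()
    if not (1 <= len(name) <= 80) or "\n" in name:
        errors.append("name must be 1-80 characters on one line")
    phone = normalize_phone(str(submission.get("phone", "")))
    if phone is None:
        errors.append("phone must be a valid US number")
    if errors:
        return False, {"errors": errors}
    return True, {"name": name, "phone": phone, "redirect": SCHEDULER_URL}


# Constructed sample submissions, not real patient data.
OK_FORM = {"name": "Jane Doe", "phone": "(555) 123-4567"}
LEAKY_FORM = {"name": "Jane Doe", "phone": "555-123-4567",
              "reason_for_visit": "(free text a plugin added)"}
```

A submission like LEAKY_FORM is refused outright rather than stripped of the extra field, because silently dropping it would hide the fact that the form is collecting more than it should.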
Talk to Us
If you've been collecting intake info through a generic form, you're not alone — and you're not necessarily in trouble yet. The fix is usually a couple of swaps to your existing setup, not a rebuild.
Book a 20-minute call — no clinical information collected on this form; we'll route the conversation to a compliant channel before anything sensitive comes up.
Footnotes
- [1] 45 CFR § 160.103
- [2] 45 CFR § 164.502
- [3] 45 CFR § 164.306 · § 164.308 · § 164.312
- [4] 45 CFR § 164.502 · § 164.504
- [5] 45 CFR § 164.404 · § 164.408 · 42 USC § 17932
- [6] California CMIA: oag.ca.gov/privacy/cmia
- [7] Texas HB 300: statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm
- [8] NY SHIELD Act: ag.ny.gov/internet/data-breach
- [9] WA My Health My Data Act: app.leg.wa.gov, RCW 19.373
- [10] Porter settlement: hhs.gov press release
- [11] iHealth Solutions: WilmerHale summary
- [12] Gums Dental Care: Saul Ewing alert
- [13] Cadia Healthcare: hhs.gov press release
- [14] MMG Fusion: hhs.gov press release
- [15] Calendly BAA stance: HIPAA Journal analysis