HIPAA Compliant Web Design

The Health Insurance Portability and Accountability Act (HIPAA) changed how the United States works with health information. For the most part, HIPAA concerns private medical information and keeping it secure.

The act passed in 1996 and did not directly reference the Internet — but that doesn’t mean it doesn’t apply. In fact, if you plan to do anything with people’s protected health information (PHI) online, you need a website that complies with HIPAA’s high standards.

HIPAA web design starter checklist

When you’re laying the groundwork for your site, these are the major points you need to remember for HIPAA compliance.

  1. Secure sockets layer (SSL) protection
  2. Full data encryption (especially during transfers)
  3. Full data backup with encryption
  4. Permanent deletion options for all data
  5. Restricted, specific access for admins and users
  6. Regular password changes
  7. Data breach protocol
  8. Appointed HIPAA compliance officer
  9. Prominent, published HIPAA policy on site
  10. HIPAA business associate agreement with site host and other vendors

There are more precautions you need to take for a HIPAA-compliant site, but these 10 are the most important starting points for your business.

Now, let’s take a look at each quality individually.

1. SSL protection

SSL protection (today provided by its successor, TLS) is a networking protocol that includes client authentication, server authentication, and encrypted communications between the two. That means whenever someone logs into your site or manages their account, everything is encrypted at all times.

In other words, no one could make sense of it if they stole or intercepted the information.

2. Full data encryption

While SSL protection deals with user and server encryption, you also need to encrypt any data you store.

This is also important with communications between users and servers, as you must encrypt all data during transmission to make sure people can’t read it if it’s intercepted.

3. Full data backup

Once you have information from your clients, you need to store the essentials and encrypt them as well. Basically, only one person should be able to see the information they submit to your site, and that’s the user.

If there’s a clear or obvious flaw in your backup storage security, you’re not adhering to HIPAA.

4. Permanent data deletion

HIPAA also mandates that you delete all data that’s no longer relevant to your business. So if you have a client who leaves your service for one of your competitors, you must permanently delete all of their information from your servers.

“Permanent” is a critical word here. Once you delete someone’s information from your servers, it must not be recoverable. When someone leaves your company, their information goes too.

5. Restricted access

In a nutshell, restricted access means only your administrators can access administrative functions.

In addition, only a specific user can access their data, and they can only access their own data. Likewise, only your administrators can make changes to your site. This is especially critical since any minor change — even to a user’s profile — could constitute a breach of HIPAA’s strict regulations.
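The rule above (each user sees only their own record; administrative functions are for administrators only) is an object-level authorization check, and the common failure is to look a record up by the identifier in the request without confirming who owns it. The following is an added example, not code from the article or from WebFX; the role names, the `owner_id` field and the sample records are assumptions made for illustration. Authorization is decided against the record that was actually loaded, and every decision, allowed or denied, is written to an audit list.

```python
"""Object-level authorization for per-user health records (added example).

Assumptions (not from the article): each record carries an `owner_id`, each
user carries a role of "user" or "admin", and every decision is audited.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "user" or "admin" (assumed role names)


@dataclass
class Record:
    record_id: str
    owner_id: str
    data: Dict[str, str]


# Actions the application exposes; the names are assumed for this example.
READ, UPDATE, ADMIN_CHANGE = "read", "update", "admin_change"

# Constructed sample data standing in for a database.
RECORDS: Dict[str, Record] = {
    "r1": Record("r1", "alice", {"allergies": "penicillin"}),
    "r2": Record("r2", "bob", {"allergies": "none"}),
}
AUDIT: List[Dict[str, object]] = []


def is_allowed(actor: User, action: str, record: Optional[Record]) -> bool:
    """Deny by default; grant only the combinations the article describes."""
    if action == ADMIN_CHANGE:
        # Site-wide changes are an administrative function: admins only.
        return actor.role == "admin"
    if record is None:
        # Unknown or missing record: nothing to grant.
        return False
    if action in (READ, UPDATE):
        # A user may touch only the record they own. Admins get no blanket
        # access to PHI here: admin rights cover administrative functions,
        # not other people's data.
        return actor.user_id == record.owner_id
    return False


def access(actor: User, action: str, record_id: str) -> Optional[Dict[str, str]]:
    """Resolve the record from the request, decide, audit, then return data."""
    record = RECORDS.get(record_id)
    allowed = is_allowed(actor, action, record)
    AUDIT.append({"actor": actor.user_id, "action": action,
                  "record": record_id, "allowed": allowed})
    if not allowed or record is None:
        return None
    return record.data


if __name__ == "__main__":
    alice, bob, admin = User("alice", "user"), User("bob", "user"), User("admin1", "admin")
    print(access(alice, READ, "r1"))    # alice's own record
    print(access(bob, READ, "r1"))      # None: bob is not the owner
    print(access(admin, READ, "r1"))    # None: admin role does not imply PHI access
    print(is_allowed(admin, ADMIN_CHANGE, None), is_allowed(bob, ADMIN_CHANGE, None))
```

The point to carry into a real application is that `access()` checks `owner_id` on the loaded record rather than trusting that a user who knows the identifier `r1` is entitled to it, and that denied attempts are recorded as well as successful ones, which is what makes the audit trail useful after the fact.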

6. Regular password changes

Most of the time, this is just a good idea. But with HIPAA, it’s law. You must regularly change the passwords of your administrators and users to keep your data properly protected.

Failure to regularly update or change passwords constitutes a breach of HIPAA’s standards.

7. Data breach protocol

Even if you have the most secure, top-of-the-line security on your site, you still need a protocol for a data breach.

Establishing a contingency plan for compromised data ensures you can quickly neutralize a breach if it arises. It’s also a great way to show users that you’re prepared for anything.

Hopefully, you’ll never have a real data breach, but you need to have a plan and practice it in case a breach ever happens.

8. HIPAA compliance officer

A HIPAA compliance officer is someone you select to make sure your website is constantly up-to-date with any changes made to HIPAA.

That means they have to be aware of HIPAA’s current laws, any potential upcoming laws, and which laws no longer apply. This officer (or officers, if you have a big site) keeps you compliant all day, every day while also keeping your users’ data safe.

Without an appointed officer, you’re practically guaranteed to miss critical updates and fall short of HIPAA’s strict standards.

9. Published HIPAA policy online

Since you adhere to all HIPAA regulations, you need to say so on your site.

Doing this tells your users that you know the law, you adhere to the law, and that their information is always secure.

10. HIPAA business associate agreement with site host

As a HIPAA-compliant site, you must have business associate agreements with any vendors you use. That includes your site host.

This is the reason that a lot of site hosts won’t work with HIPAA-compliant sites. There’s a lot more work, regulation, and cost associated with a site that needs so much security. As a result, you’ll almost certainly pay more for a HIPAA-compliant site than a standard site. But you need at least one with your site host if you want to succeed.

Now that we’ve looked at 10 factors for HIPAA-compliant sites, let’s see how they stack up against standard websites.

How do standard websites compare?

Typical websites don’t encrypt information in transit, and they aren’t required to use data backups to secure information. They may also have authorization issues, loopholes, or backdoors that leave administrators and users vulnerable to attacks.

Most websites also don’t include a failsafe that shows when someone has accessed or tampered with data, which is essential to any HIPAA-compliant site.
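One way to build the failsafe this paragraph describes is a hash-chained audit log: each entry carries an HMAC over its own fields and the tag of the entry before it, so altering, removing or reordering an entry breaks every tag that follows, and a verifier can point at the first bad entry. This is an added example, not code from the article or from WebFX; the key, the entry fields and the log format are assumptions made for illustration.

```python
"""Tamper-evident access log using an HMAC hash chain (added example).

Each entry's tag = HMAC(key, previous_tag || canonical JSON of the entry).
Key, fields and format are assumptions for this example, not the article's.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed demo key. In a deployment the key lives in a KMS or HSM, away
# from the log it protects; anyone holding it can forge tags.
DEMO_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # tag "before" the first entry


def _tag(key: bytes, prev_tag: str, body: Dict) -> str:
    # Canonical JSON so the same fields always produce the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"|" + payload, hashlib.sha256).hexdigest()


def append(log: List[Dict], key: bytes, **fields) -> Dict:
    """Append one access event, chaining it to the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = dict(fields, seq=len(log))      # seq detects reordering/deletion
    entry["tag"] = _tag(key, prev, entry)    # entry has no "tag" key yet
    log.append(entry)
    return entry


def verify(log: List[Dict], key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        expected = _tag(key, prev, body)
        if body.get("seq") != i or not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = entry["tag"]
    return -1


def demo() -> Tuple[int, int, int]:
    """Constructed events: intact chain, then an edit, then a deletion."""
    log: List[Dict] = []
    append(log, DEMO_KEY, actor="alice", action="read", record="r1", allowed=True)
    append(log, DEMO_KEY, actor="mallory", action="read", record="r1", allowed=False)
    append(log, DEMO_KEY, actor="admin1", action="admin_change", record="-", allowed=True)
    intact = verify(log, DEMO_KEY)
    log[1]["allowed"] = True   # a denied attempt rewritten to look permitted
    tampered = verify(log, DEMO_KEY)
    del log[1]                 # or the entry removed entirely
    deleted = verify(log, DEMO_KEY)
    return intact, tampered, deleted


if __name__ == "__main__":
    print(demo())  # (-1, 1, 1): intact, then entry 1 flagged in both cases
```

The chain cannot by itself detect truncation of the newest entries, so the latest tag should be copied somewhere the application cannot overwrite (a separate system, a periodic print-out, a write-once store) and compared during verification. Verification with `hmac.compare_digest` rather than `==` avoids leaking tag bytes through timing when the verifier is exposed to untrusted callers.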

They also don’t encrypt their stored data, they don’t usually have options to permanently delete data, and most server hosts can’t adhere to HIPAA’s standards without changing their pricing (or even their whole business).

In a nutshell, standard websites are not made to HIPAA’s standards.

What this means for you

If you want your site to be HIPAA-approved, you need to oversee every single detail of your site to make sure you’re compliant. If you don’t, you risk breaching HIPAA’s standards, which is a serious issue for several reasons.

First and most obviously, it’s the law.

Second, it hurts your reputation when people see or hear that you breached HIPAA’s standards.

And last, it makes people trust you less. Healthcare is a competitive industry, and if your competition has a spotless record of HIPAA compliance, you can’t afford any breaches on your part. They’ll look better, and they’ll funnel customers away from you without breaking a sweat.

WebFX knows HIPAA’s standards

At WebFX, our talented team of web designers has worked with clients in virtually every industry, including healthcare — so we have experience with HIPAA’s standards. Even with all of its stipulations, we’ve helped clients achieve success with HIPAA-compliant websites, and we can do the same for you!

Do you want a safe, secure, and highly-functional website? Contact us today to start planning your business’s HIPAA-compliant site!