If you run an independent practice in the Phoenix area and you’re searching for “HIPAA compliant website design,” you’ve probably noticed the results are either vague, national, or trying to alarm you. This page does neither. It explains, calmly and specifically, what actually makes a practice website sit right with HIPAA, the four decisions that matter, and the exact questions to ask any vendor — including us.
First, the honest framing
There is no such thing as a “HIPAA certified” website. The Department of Health and Human Services doesn’t certify websites, vendors, or software — so any badge claiming certification is decoration, not compliance. What HIPAA actually asks of a website is more practical: if the site collects or transmits protected health information (PHI), that information has to be handled properly, and the vendors touching it have to be under the right agreements.
The good news: for a typical practice website, this comes down to four configuration decisions. Each one is straightforward once it’s stated plainly.
Decision 1: How your forms handle information
Your web pages themselves are public marketing content — no PHI there. The moment of truth is your contact or intake form. When a prospective patient writes “I’d like an appointment about my back pain,” that message can reasonably be considered PHI, and it deserves careful routing. Concretely:
- Form submissions should be stored and transmitted on infrastructure covered by a Business Associate Agreement — not emailed in plain text to a free inbox, and not stored in a form plugin’s cloud account nobody signed a BAA with.
- The form should collect the minimum needed to start a conversation. A marketing-site form can ask for name, contact details, and a general reason for reaching out; detailed clinical intake belongs in a proper patient-intake system.
- Notification emails to your staff should avoid including the message content when the receiving mailbox isn’t covered — a link back to the covered system works well.
Decision 2: BAAs with every vendor that touches PHI
A Business Associate Agreement is the contract that makes a vendor accountable for handling PHI properly. The working rule: every vendor whose systems store, process, or transmit your patients’ information should have a BAA with you. For a website, that typically means the hosting provider, the form-handling service, and any email platform that receives patient messages. Reputable infrastructure providers — Google Cloud among them — offer BAAs as a standard part of doing business with healthcare; a vendor who hesitates or charges heavily extra for one is telling you something about how their stack is arranged.
Note what doesn’t need a BAA: vendors that never touch PHI. Your domain registrar doesn’t need one. The design freelancer who built your pages doesn’t, if they never access patient data. The point isn’t to collect BAAs like stamps — it’s to know exactly which systems patient information flows through, and to have each of those covered.
Decision 3: Analytics and pixels
This is the decision most practice websites get wrong without knowing it. Advertising trackers — the Meta pixel, ad-platform tags, and similar scripts — report visitor behavior back to advertising companies. On a practice website, that can mean transmitting the combination of a visitor’s identity signals and the health-related pages they viewed to a third party with no BAA. Federal regulators have published guidance specifically about tracking technologies on health-related websites, and the practical takeaway is simple: don’t run advertising trackers on a practice website.
You don’t have to give up measurement. First-party, self-hosted analytics — tools like Matomo running on your own covered infrastructure, configured cookieless — tell you which pages work and where visitors come from, without sending anything to an ad network. That’s what runs on this site, and it’s what we deploy for clients as standard.
Decision 4: Where the site is hosted
For the public pages, hosting is mostly a quality question: you want SSL everywhere, current software, daily backups, and security patching that actually happens. It becomes a compliance question the moment forms or any patient-facing function live on the same infrastructure — then you want a host that signs a BAA and a setup where the patient-data plane is deliberately separated from the marketing plane. Ask any prospective vendor to sketch that separation for you. A good one can do it in two sentences.
What to ask any website vendor
Take this list into any sales conversation, including one with us:
- Where do form submissions go, exactly — which systems, in what order — and which of those systems is under a BAA?
- Will you sign a BAA with my practice, and is it included in the price?
- What tracking scripts does the site load? Can you show me the site running with zero third-party trackers?
- Who hosts the site, and who is responsible for security updates and backups after launch?
- If I leave, what do I take with me — content, domain, data — and in what format?
- Can you document the compliance posture in writing, in plain language, so I can keep it with my practice’s records?
A vendor who answers all six directly is worth talking to. A vendor who answers with a certification badge is not answering.
How Clineo handles it
We’re a Glendale company building websites for independent practices across the West Valley and Phoenix, and compliance is included in everything we deliver — it’s a standard feature, never a line item or an upsell. Every engagement includes a signed BAA, forms that run on our BAA-covered Google Cloud stack, first-party cookieless analytics with no ad pixels anywhere, and a documented compliance posture you keep. Our answers to the six questions above are on the record before you ever get a quote, because the prices are published too: a practice site on our platform is a $900 one-time Platform Launch build with the $100/mo Essentials plan, and builds in your own cloud account start at $2,500. The whole menu is on the pricing page.
Already have a website you like? You may not need a rebuild at all — the four decisions above can often be fixed on the site you own. Our free practice audit checks your public site’s trackers, forms, speed, and accessibility and gives you the findings either way, and our stack stewardship service can keep an existing setup tuned.
Frequently asked questions
Is there an official HIPAA certification for websites?
No. HHS doesn’t certify websites, software, or vendors. What matters is how the site actually handles information: covered form routing, BAAs with vendors that touch PHI, no advertising trackers observing health-related browsing, and sound hosting. Any vendor claiming a certification is describing something that doesn’t exist.
Does my whole website need to be on HIPAA-covered hosting?
The public marketing pages don’t handle PHI, so the strict requirement attaches to the parts that do — forms, patient messaging, anything intake-like. A well-designed setup separates those planes deliberately. That said, hosting everything on a covered stack with one accountable vendor is often simpler than managing the boundary yourself, which is how we build.
Can I use Google Analytics on my practice website?
Standard third-party analytics send visitor data to servers outside your control, and regulators have published guidance cautioning health-related sites about exactly this pattern. The clean alternative is first-party, self-hosted analytics such as Matomo, configured cookieless — you keep the insight and the data stays on infrastructure you control. That’s the default in every Clineo build.
What about online scheduling and patient portals?
Scheduling and portal tools handle PHI by definition, so they need their own BAAs with you — most healthcare-focused scheduling vendors offer one. Your website’s job is to link to those tools cleanly. When we build a site, we integrate whatever covered scheduler you use rather than inserting another system in the middle.
My current site was built by a general web designer. Do I have to start over?
Usually not. The most common gaps — an uncovered form service, leftover ad trackers, missing BAAs — can typically be fixed on the site you already own. Start with our free audit, which shows exactly what your public site loads and where the gaps are; fixing is often a small job, not a rebuild.
How much does a HIPAA-appropriate practice website cost in Phoenix?
With Clineo, the published answer: a $900 Platform Launch build plus the $100/mo Essentials plan, which includes BAA-covered managed hosting, a compliant contact form, privacy-safe analytics, backups, and security patching. Practices that want to own the infrastructure outright can have the same posture built in their own cloud account starting at $2,500. Full details on the pricing page.