Atlantic.Net Blog

How to Make a HIPAA-Compliant Website: 2024 Guide

What Is Needed to Make Your Website HIPAA Compliant?

Any website that handles electronic patient information must adhere to the Health Insurance Portability and Accountability Act (HIPAA) standards to prevent data breaches.

The HIPAA legislation demands that any website handling electronic patient data via a web server must comply with the physical, technical, and administrative safeguards of HIPAA.

The bottom line is that you need a compliant site if you are collecting PHI (protected health information), and that means any individually identifiable healthcare information collected during the provision of healthcare.

Below you can find our 10-step checklist to make your website HIPAA compliant, which includes steps like identifying PHI, applying SSL encryption, and signing business associate agreements (BAAs).

The easiest way to achieve HIPAA compliance is to outsource this responsibility to a hosting provider that specializes in HIPAA-compliant hosting. Atlantic.Net is a leading provider that specializes in HIPAA-compliant web hosting. this. Atlantic provides dedicated, HIPAA-compliant web servers running Apache, Nginx, or Microsoft IIS, as well as a one-click WordPress cloud solution.

HIPAA Compliant Website Checklist

Here are key HIPAA compliance concerns that should guide your efforts:

  1. Privacy Rule
  2. Security Rule
  3. SSL encryption
  4. HIPAA-compliant website platform
  5. Business associate agreements
  6. Healthcare focus of infrastructure
  7. Security of data center & auditing
  8. Offsite CDP backups
  9. Managed multi-factor authentication
  10. Managed firewall

1. Adhere to the Privacy Rule

The HIPAA Privacy Rule applies to all healthcare providers, plans, and clearinghouses, as well as to their business associates (any organizations handling health information on their behalf).

What Is the Privacy Rule?

The Privacy Rule mandates that there should be protections in place to safeguard the privacy of health information. The rule also establishes rights that patients have related to their information, such as the right to get a copy of health information and to review it, as well as to ask for corrections.

What Is Protected Health Information (PHI)?

PHI is any personally identifiable material that directly relates to patients’ healthcare. Any statistics collected on contact forms that are anonymized are out of HIPAA compliance scope and not considered PHI.

Examples of PHI

Here are some examples of information collected for physician medical records where HIPAA regulations apply and HIPAA-compliant web forms/contact forms would be necessary:

  • Any part of a name;
  • Any location information that is more specific than the state, such as a street address, town, or county
  • The months and days of any patient services or events (birthdate, date of treatment, etc.), although the year is unprotected.
  • Any email addresses, telephone or fax numbers belonging to the patient;
  • Social Security numbers;
  • The number identifying the record;
  • Numbers associated with health insurance or plans;
  • The ID number for the account;
  • Numbers associated with state registrations or licenses;
  • Car tags or vehicle identification numbers;
  • Any data related to particular computers, including serial numbers;
  • URLs specific to individual patients;
  • IP’s of patient devices;
  • Anything classifiable as biometric and that identifies the individual, such as a fingerprint;
  • Photographs in which the person’s face is visible; and
  • Any other features or numbers that directly relate to the patient.

2. Adhere to the Security Rule

The HIPAA Security Rule creates national standards to safeguard health information in electronic form, whether an organization is producing, receiving, sending, or storing it.

It requires the adoption of “reasonable and appropriate” technical, physical, and administrative safeguards, so organizations can protect the security, integrity, and confidentiality of ePHI in a HIPAA-compliant manner. The easiest way for covered entities with a website to achieve compliance with the security rule is to use HIPAA-compliant website hosting providers (see section 4 below).

3. Implement SSL Certificate Encryption (TLS)

You must implement a secure sockets layer (SSL) [TLS] encryption certificate for your website, transitioning from HTTP to the secure HTTPS protocol. This protocol encrypts all data that is in motion between the client device and the server.

Web developers should know how to install SSL certificates, but you can also work with your hosting provider on SSL-encrypting your site.

4. Use a HIPAA-Compliant Platform and HIPAA-Compliant Web Forms

To make sure your website is HIPAA-compliant, you must utilize a compliant content management platform and HIPAA-compliant web forms. No platform is inherently HIPAA-compliant, but some platforms are HIPAA-compliant when the proper procedures and safeguards are in place. For example, can help you set up a HIPAA-compliant WordPress instance.

For a compliant environment, think about how people will use your site. The ways that patients can use HIPAA-compliant websites inform the types of security measures needed. The concern is specifically related to ePHI – whether your organization is creating, transmitting, receiving, or maintaining it.

If you are collecting information through forms on your site, you will need to ensure all that data is protected per HIPAA regulations. Any form collecting health data should protect the information under HIPAA regulations for safeguarding ePHI; the form must defend any identifiable health information against unauthorized access and potential data breaches. Read our list of the top HIPAA-compliant form tools here.

5. Sign a Business Associate Agreement

If you are going to work with any outside providers or businesses on any aspect of your site that involves the handling of ePHI, you need to sign a business associate agreement (BAA) with them. To meet HIPAA compliance rules, you must verify all health data that you store and that it is sent through your site securely (whether at rest or transmitting PHI in transit).

Be aware that your website developer is a direct business associate, but they will in turn have subcontractor business associates who independently perform services for them. Confirm that the website designer has BAAs with each of its third-party subcontractors – so that all applicable parties are included within HIPAA compliance upfront. Failure to identify business associates is no defense and led to a $1.5 million HHS fine in one case.

6. Select a Healthcare-Specific Infrastructure or Host

For organizations that handle individually identifiable medical information, choosing the right host for your ePHI is an important step. You need a hosting provider that is dedicated to following the Privacy Rule and Security Rule, and that has technical, administrative, and physical safeguards in place to protect PHI.

Atlantic.Net is a leading provider of HIPAA-compliant hosting services.

7. Select a Regularly Audited Secure HIPAA Data Center

Determine whether your host is secure and audited according to the appropriate HIPAA guidelines. One thing you can do to get a better sense of a host’s security stance is to look beyond those healthcare law certifications to an audit based on the insight of the American Institute for Certified Public Accountants (AICPA), Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16), SOC 2 and SOC 3. provides its services within a HIPAA-compliant data center.

8. Perform Regular Off-Site Backups

It is best practice to have a replicated offsite copy of the daily backups of your IT infrastructure for business continuity and disaster recovery capabilities, and this is also true for HIPAA-compliant websites.

At, we can back up your website data to any of our eight data center locations. Replicated offsite backups are easily retrievable and you can quickly and easily restore them when needed.  Custom retention periods and backup frequency are available such as 5 minutes, 15 minutes, and hourly backups.

What About Onsite Backups?

Onsite backups using the ACP Onsite Backup solution create daily backups of your required servers and store the data geographically locally in a protected secured area. These backups are easily retrievable and if a restore is needed, the process is incredibly quick.  Custom retention periods and backup frequency are available such as 5 minutes, 15 minutes, and hourly backups.

9. Implement Multi-Factor Authentication

You want a managed multi-factor authentication access system that is available through one sign-on. The system should perform diagnostics on devices to ensure their health. Infected and high-risk devices can be blocked via scanning for outdated applications and enforcing security controls.

10. Implement a Managed Firewall

A strong managed firewall will include powerful security response, routine device health checks, log monitoring, and control of network ingress and egress points. The system should include load balancing, redundancy via a secondary firewall, global blacklisting, virtual private network (VPN) connectivity, stateful filtering, monitoring, reporting, and management of router IP addresses.

Your HIPAA-Compliant Website

Many organizations work with third parties on their data systems, particularly if they are in rigorously controlled sectors such as healthcare. Contracting with outside organizations is not simply a way to push away off-focus work; it is also a way to tap expertise that is not present in-house. When you need a healthcare website, work with organizations that are HIPAA and HITECH certified, as well as SOC 2 and SOC 3 audited, so that they are prepared to meet their obligations to the Department of Health and Human Services. See our HIPAA-compliant web hosting solutions.

Read More About HIPAA Compliant Hosting

Get a $250 Credit and Access to Our Free Tier!

Free Tier includes:
G3.2GB Cloud VPS a Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year