What does it actually mean for a website to be HIPAA compliant?

March 27, 2025

The information provided within this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available within this article are for general informational purposes only. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author, who is not a legal professional.


If you or your clients are working with patient information in the United States, you are likely already familiar with the Health Insurance Portability and Accountability Act (HIPAA). 


HIPAA strictly regulates the transmission of Protected Health Information (PHI). PHI is similar to Protected Personal Information (PPI), a topic we discuss often in relation to global privacy laws like the General Data Protection Regulation (GDPR) in Europe or local laws like the Colorado Privacy Act in our own home state. However, unlike PPI, PHI is regulated federally in the United States and includes more topics like plan numbers, dates, and, of course, medical diagnoses or other related health information.


The University of Colorado in Denver shares 18 common identifiers that may constitute PHI, but understand that this list isn’t comprehensive. A good rule of thumb is that if the data can be traced back to a particular patient, it’s PHI. Their list includes, verbatim:


  1. Names;
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Telephone numbers;
  5. Fax numbers;
  6. E-mail addresses;
  7. Social Security numbers;
  8. Medical records numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plates;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers (including finger and voice prints);
  17. Full face photographic images and any comparable images; and,
  18. Any other unique identifying number, characteristic, or code (with some exceptions and requirements).


HIPAA compliance can be a major source of anxiety for web professionals. So much so that many agencies in particular won’t even bother taking any medical clients out of an over-abundance of caution. If that sounds like you, I’ve got some good news—you are more than capable of creating great websites for medical practitioners. That’s because, and I may be getting ahead of myself a little here, there really is no such thing as a “HIPAA compliant website.”


What HIPAA is, and what it isn’t


At its core, HIPAA is a form of privacy regulation. However, unlike generalized regulations like the Colorado Privacy Act or the European Union’s GDPR, HIPAA is narrowly tailored towards protecting patient data. Whether or not HIPAA applies to you, then, depends upon where you lie on the “chain of liability.”


The chain of liability is a metaphor that describes how compliance requirements flow through the various actors interacting with patient data. Doctors, medical systems, and insurers all exist on the chain—for obvious reasons. They interact with that data directly, and may even originate it. Under HIPAA, these links on the chain are known as “covered entities,” because they’re directly covered by HIPAA.


However, doctors aren’t the only ones who may interact with patient data. Intermediates, like cloud storage providers, IT contractors, and billing networks, may, in some capacity or another, find themselves exposed to patient data. These entities are referred to as “business associates.” Unlike covered entities, business associates are tangential to the administration of care, yet they still interact with PHI.


Agencies are not inherently business associates—although, if they aren’t careful, they certainly could be.


Imagine that an agency has contracted with a dermatologist in Boulder, CO to create a beautiful new patient-facing website advertising their services. This agency creates a brochure-style website full of interesting copy, stock photos, and contact information, but no interactive elements. Since this website doesn’t, in any way, collect or store PHI, the agency who created it would not be classified as a business associate under HIPAA.


Now, what if a competing agency in Denver, CO contracted with a different dermatologist to create a more interactive website? Theirs is in many ways similar to the website the Boulder agency created, except it includes one small addition: a contact form. The inclusion of this form exposes the agency to PHI, linking them to the chain of liability. It also links their form processor to the chain, a serious liability if the form isn’t explicitly HIPAA compliant.


This singular focus on healthcare information is what separates HIPAA from other privacy laws. The Boulder agency may use analytic software on their website, or may employ a website builder that includes embedded analytic tools, but that doesn’t matter. Current HHS guidance differentiates between “authenticated” and “unauthenticated” traffic, meaning an IP address alone isn’t identifiable enough to fall under HIPAA purview. The data needs to connect a person to their PHI.


That’s why websites themselves shouldn’t be a concern when considering HIPAA compliance. It’s the interactive elements, and the processors behind those elements, that may or may not be compliant. Think forms, questionnaires, payment processors, scheduling tools, etc. The website itself? Not so much.
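As an added example (not part of the article), the following JavaScript scans a page’s HTML for form fields that would collect any of the identifiers on the list above, so an agency can tell a Boulder-style brochure page from a Denver-style page with a contact form before launch. The two sample pages, the map embed URL and the keyword rules are constructed for this example; the tag regexes are adequate for templates you control, not for arbitrary markup.

```javascript
// Added example, not from the article: a pre-launch check that scans a page's
// HTML for form fields which would collect any of the identifiers listed above.
// It uses tag regexes instead of a full HTML parser, which is enough for an
// agency's own templates but not for arbitrary markup.

// Identifier categories from the list above, matched against attribute text
// commonly seen in form markup. The keyword sets are an assumption, not a standard.
const IDENTIFIER_RULES = [
  { category: 'Name',                       re: /name|fname|lname/i },
  { category: 'Geographic subdivision',     re: /address|street|city|county|zip|postal/i },
  { category: 'Date',                       re: /\bdob\b|birth|\bdate\b|admission|discharge/i },
  { category: 'Telephone number',           re: /phone|\btel\b|mobile/i },
  { category: 'Fax number',                 re: /fax/i },
  { category: 'E-mail address',             re: /e-?mail/i },
  { category: 'Social Security number',     re: /\bssn\b|social.?security/i },
  { category: 'Medical record number',      re: /\bmrn\b|record.?number/i },
  { category: 'Health plan number',         re: /member.?id|policy|insurance|plan.?number/i },
  { category: 'Account number',             re: /account/i },
  { category: 'Certificate/license number', re: /licen[cs]e|certificate/i },
  { category: 'Device identifier',          re: /serial|device.?id|imei/i },
  { category: 'Biometric identifier',       re: /biometric|fingerprint|voice.?print/i },
  { category: 'Full-face photo',            re: /photo|selfie|headshot/i },
  { category: 'File upload (may be a photo or record)', re: /\bfile\b/i },
];

// Parse the attributes of one tag body into a lowercase-keyed object.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return the identifier categories a single field appears to collect.
function classifyField(tag, attrs) {
  const descriptor = ['name', 'id', 'type', 'autocomplete', 'placeholder']
    .map((k) => attrs[k] || '')
    .join(' ');
  const hits = IDENTIFIER_RULES.filter((r) => r.re.test(descriptor)).map((r) => r.category);
  // Not on the list itself, but a free-text box on a clinic site is where patients
  // describe symptoms; next to a name or e-mail address that text is PHI.
  if (tag === 'textarea') hits.push('Free text (likely health details)');
  return hits;
}

// Audit every <form> in the HTML. Submit/reset buttons are skipped; hidden
// fields are kept because they can carry identifiers too.
function auditForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const formAttrs = parseAttributes(m[1]);
    const fields = [];
    const fieldRe = /<(input|textarea|select)\b([^>]*)>/gi;
    let f;
    while ((f = fieldRe.exec(m[2])) !== null) {
      const tag = f[1].toLowerCase();
      const attrs = parseAttributes(f[2]);
      const type = (attrs.type || (tag === 'input' ? 'text' : tag)).toLowerCase();
      if (['submit', 'button', 'reset', 'image'].includes(type)) continue;
      fields.push({ name: attrs.name || attrs.id || '(unnamed)', type, categories: classifyField(tag, attrs) });
    }
    forms.push({
      action: formAttrs.action || '(same page)',
      fields,
      collectsIdentifiers: fields.some((x) => x.categories.length > 0),
    });
  }
  return forms;
}

// Constructed sample pages: a brochure site with no form, and one with a contact form.
const BROCHURE_PAGE = `
<html><body>
  <h1>Boulder Dermatology</h1>
  <p>Call us at (303) 555-0100 or visit 123 Pearl St.</p>
  <iframe src="https://maps.example/embed?place=constructed"></iframe>
</body></html>`;

const CONTACT_PAGE = `
<html><body>
  <h1>Denver Dermatology</h1>
  <form action="/api/contact" method="post">
    <input type="text" name="name" placeholder="Your name">
    <input type="email" name="email">
    <input type="tel" name="phone">
    <input type="hidden" name="csrf_token" value="abc">
    <textarea name="message" placeholder="Tell us about your concern"></textarea>
    <button type="submit">Send</button>
  </form>
</body></html>`;

for (const [label, html] of [['Boulder brochure site', BROCHURE_PAGE], ['Denver contact site', CONTACT_PAGE]]) {
  const forms = auditForms(html);
  const flagged = forms.filter((f) => f.collectsIdentifiers);
  console.log(`${label}: ${forms.length} form(s), ${flagged.length} collecting identifiers`);
  for (const form of flagged) {
    for (const field of form.fields.filter((x) => x.categories.length)) {
      console.log(`  ${form.action} <- ${field.name}: ${field.categories.join(', ')}`);
    }
  }
}
```

Run it with `node audit.js`: the brochure page reports no forms, while the contact page reports one form posting to `/api/contact` whose name, e-mail, phone and message fields are flagged, which is exactly the point at which the agency and its form processor join the chain of liability.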


That doesn’t mean you’re in the clear, though. Customers, including patients, expect interactivity from their websites. SMBs do too. In a survey we conducted last year, 88% of SMBs desired some kind of direct integration between their website and backend software. So, how can you offer the experiences your customers, and their customers, expect without linking yourself to the chain of liability?


Oh iframes, my beloved


One of the most popular, and underrated, technologies in the world of compliance is the iframe. This is a technology you’re undoubtedly familiar with. If you’ve ever embedded anything, from a YouTube video to a Google Maps element, you’ve used an iframe.


What makes this technology so popular in the world of compliance is its ability to sandbox data. Without getting too technical, essentially a website cannot view, modify, or manipulate the contents of an iframe. Stripe, a leading payment processor, uses this to create a PCI compliant environment within a website without the entire webserver needing to be PCI compliant. This works because the card information entered into the iframe isn’t accessible to the website in any capacity.


Many third-party software providers offer HIPAA compliant solutions using the same fundamental technology. Jotform, for instance, offers HIPAA compliant forms that can be embedded onto websites via an iframe. So long as the website itself isn’t collecting any PHI, then the coast is clear.
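To show what the browser is actually doing in the sandboxing described above and in a Jotform-style embed, here is an added JavaScript example of the host-page side of such an embed; it is not code from the article, Stripe, Jotform or Duda. The vendor origin `https://forms.example-vendor.com`, the message shapes (`resize`, `submitted`) and the CSP fragment are assumptions; a real vendor documents its own. The isolation comes from the browser’s same-origin policy rather than from the iframe element itself, so the vendor’s form must be served from an origin other than the host site’s.

```javascript
// Added example (not from the article or any vendor): the host-page side of
// embedding a HIPAA-compliant third-party form in an iframe. The vendor origin
// is a constructed placeholder; substitute the embed origin your vendor documents.
const VENDOR_ORIGIN = 'https://forms.example-vendor.com';   // placeholder, assumed

// The isolation the article relies on comes from the browser's same-origin
// policy, not from the <iframe> element itself: the host page cannot read the
// DOM of a frame whose origin (scheme + host + port) differs from its own.
// A frame served from the host's own origin is fully readable by host scripts.
function isIsolatedByOrigin(hostUrl, frameUrl) {
  return new URL(hostUrl).origin !== new URL(frameUrl).origin;
}

// Build the embed tag. `sandbox` limits what the framed document may do:
// allow-forms and allow-scripts are needed for a working form, and
// allow-same-origin lets the vendor keep its own origin (cookies, session).
// Granting allow-same-origin to a frame from the host's own origin would
// defeat the sandbox, which is one more reason the vendor must be cross-origin.
function vendorEmbedTag(formId, title) {
  const src = `${VENDOR_ORIGIN}/embed/${encodeURIComponent(formId)}`;
  return `<iframe src="${src}" title="${title}" ` +
         `sandbox="allow-forms allow-scripts allow-same-origin" ` +
         `referrerpolicy="strict-origin-when-cross-origin" ` +
         `width="100%" height="600"></iframe>`;
}

// Content-Security-Policy fragment for the host page: only the listed vendor
// origins may be framed, so a stray plugin or template edit cannot swap in
// some other frame that looks like the form.
function cspFrameSrc(vendorOrigins) {
  return `frame-src ${vendorOrigins.join(' ')};`;
}

// Vendors often post small status messages to the host page (resize height,
// "submitted"). Accept only messages from the exact vendor origin and only the
// fields the host needs; the host never receives or stores field values.
function handleVendorMessage(event, trustedOrigin = VENDOR_ORIGIN) {
  if (event.origin !== trustedOrigin) return null;   // exact match, never includes()
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (data.type === 'resize' && Number.isInteger(data.height) && data.height > 0 && data.height < 10000) {
    return { action: 'resize', height: data.height };
  }
  if (data.type === 'submitted') {
    return { action: 'thank-you' };                   // show a thank-you page, nothing else
  }
  return null;                                        // unknown message types are dropped
}

// In a browser this is wired to the message event; the guard keeps the module
// loadable under Node for the checks below.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const result = handleVendorMessage(event);
    const frame = document.querySelector(`iframe[src^="${VENDOR_ORIGIN}"]`);
    if (result?.action === 'resize' && frame) frame.style.height = `${result.height}px`;
  });
}

console.log(vendorEmbedTag('intake-123', 'Patient contact form'));
console.log(cspFrameSrc([VENDOR_ORIGIN]));
```

The two things worth checking on any real embed are that the vendor origin is genuinely different from the host’s (otherwise there is no isolation to speak of) and that any `message` listener on the host page compares `event.origin` against the exact vendor origin before acting, so a message from some other origin cannot drive the host page.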


Other website owners simply link off from the marketing front-end to a back-end technology, like Epic’s ever-so-popular MyChart portal.


SaaS companies integrating Duda into their solution can leverage this flow as well by creating custom widgets that use iframes to deliver their technology to client websites. However, those clients should not use Duda’s first-party forms, as the backend is not HIPAA compliant.


Do I need to worry about HIPAA compliance?


If you’re an agency building websites for medical professionals, you should be aware of HIPAA but you shouldn’t worry about it. It’s easy to avoid exposure to PHI by simply refusing to accept it. Include specific language in your client contract that you are not responsible for PHI, and communicate clearly with your clients that they are responsible for the management of any patient data. You can recommend HIPAA compliant software, but do not retain any login information for that software.

SaaS companies should absolutely concern themselves with HIPAA, but not in regard to their clients' websites. They should instead embed their own HIPAA compliant technologies into the website builder via custom widgets, ensuring a seamless, low-stress experience for their customers.


Remember, PHI needs to be both safe and secure. The easiest way for an agency to ensure that is by not collecting that data at all.


Shawn Davis

Content Writer, Duda

Denver-based writer with a passion for creating engaging, informative content. Loves running, cycling, coffee, and the New York Times' minigames.

