What does it actually mean for a website to be HIPAA compliant?

March 27, 2025

The information provided within this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available within this article are for general informational purposes only. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author, who is not a legal professional.


If you or your clients are working with patient information in the United States, you are likely already familiar with the Health Insurance Portability and Accountability Act (HIPAA). 


HIPAA strictly regulates the transmission of Protected Health Information (PHI). PHI is similar to Protected Personal Information (PPI), a topic we discuss often in relation to global privacy laws like the General Data Protection Regulation (GDPR) in Europe or local laws like the Colorado Privacy Act in our own home state. However, unlike PPI, PHI is regulated federally in the United States and includes more topics like plan numbers, dates, and, of course, medical diagnoses or other related health information.


The University of Colorado in Denver shares 18 common identifiers that may constitute PHI, but understand that this list isn’t comprehensive. A good rule of thumb is that if the data can be traced back to a particular patient, it’s PHI. Their list includes, verbatim:


  1. Names;
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Telephone numbers;
  5. Fax numbers;
  6. E-mail addresses;
  7. Social Security numbers;
  8. Medical records numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plates;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers (including finger and voice prints);
  17. Full face photographic images and any comparable images; and,
  18. Any other unique identifying number, characteristic, or code (with some exceptions and requirements).


HIPAA compliance can be a major source of anxiety for web professionals. So much so that many agencies in particular won’t even bother taking any medical clients out of an over-abundance of caution. If that sounds like you, I’ve got some good news—you are more than capable of creating great websites for medical practitioners. That’s because, and I may be getting ahead of myself a little here, there really is no such thing as a “HIPAA compliant website.”


What HIPAA is, and what it isn’t


At its core, HIPAA is a form of privacy regulation. However, unlike generalized regulations like the Colorado Privacy Act or the European Union’s GDPR, HIPAA is narrowly tailored towards protecting patient data. Whether or not HIPAA applies to you, then, depends upon where you lie on the “chain of liability.”


The chain of liability is a metaphor that describes how compliance requirements flow through the various actors interacting with patient data. Doctors, medical systems, and insurers all exist on the chain—for obvious reasons. They interact with that data directly, and may even originate it. Under HIPAA, these links on the chain are known as “covered entities,” because they’re directly covered by HIPAA.


However, doctors aren’t the only ones who may interact with patient data. Intermediates, like cloud storage providers, IT contractors, and billing networks, may, in some capacity or another, find themselves exposed to patient data. These entities are referred to as “business associates.” Unlike covered entities, business associates are tangential to the administration of care, yet they still interact with PHI.


Agencies are not inherently business associates—although, if they aren’t careful, they certainly could be.


Imagine that an agency has contracted with a dermatologist in Boulder, CO to create a beautiful new patient-facing website advertising their services. This agency creates a brochure-style website full of interesting copy, stock photos, and contact information, but no interactive elements. Since this website doesn’t, in any way, collect or store PHI, the agency who created it would not be classified as a business associate under HIPAA.


Now, what if a competing agency in Denver, CO contracted with a different dermatologist to create a more interactive website? Theirs is in many ways similar to the website the Boulder agency created, except it includes one small addition: a contact form. The inclusion of this form exposes the agency to PHI, linking them to the chain of liability. It also links their form processor to the chain, a serious liability if the form isn’t explicitly HIPAA compliant.


This singular focus on healthcare information is what separates HIPAA from other privacy laws. The Boulder agency may use analytic software on their website, or may employ a website builder that includes embedded analytic tools, but that doesn’t matter. Current HHS guidance differentiates between “authenticated” and “unauthenticated” traffic, meaning that an IP address alone isn’t identifiable enough to fall under HIPAA purview. The data needs to connect a person to their PHI.


That’s why websites themselves shouldn’t be a concern when considering HIPAA compliance. It’s the interactive elements, and the processors behind those elements, that may or may not be compliant. Think forms, questionnaires, payment processors, scheduling tools, etc. The website itself? Not so much.


That doesn’t mean you’re in the clear, though. Customers, including patients, expect interactivity from their websites. SMBs do too. In a survey we conducted last year, 88% of SMBs desired some kind of direct integration between their website and backend software. So, how can you offer the experiences your customers, and their customers, expect without linking yourself to the chain of liability?


Oh iframes, my beloved


One of the most popular, and underrated, technologies in the world of compliance is the iframe. This is a technology you’re undoubtedly familiar with. If you’ve ever embedded anything, from a YouTube video to a Google Maps element, you’ve used an iframe.


What makes this technology so popular in the world of compliance is its ability to sandbox data. Without getting too technical, the browser’s same-origin policy means a website cannot view, modify, or manipulate the contents of an iframe served from a different origin. Stripe, a leading payment processor, uses this to create a PCI compliant environment within a website without the entire webserver needing to be PCI compliant. This works because the card information entered into the iframe isn’t accessible to the website in any capacity.


Many third-party software providers offer HIPAA compliant solutions using the same fundamental technology. Jotform, for instance, offers HIPAA compliant forms that can be embedded onto websites via an iframe. So long as the website itself isn’t collecting any PHI, then the coast is clear.
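As an added example (not code from this article, Duda, or any provider named above), the following Node.js script audits a page’s markup for exactly the distinction drawn here: native forms, whose submissions flow through the site or its form processor, versus iframe embeds, which only isolate data when they come from a different origin. The sample markup, hostnames, and the simple regex-based scan are all constructed for illustration.

```javascript
// Audit static HTML for elements that would pull a marketing site into the
// HIPAA chain of liability. Uses only Node built-ins (URL); tag scanning is a
// deliberately simple regex, adequate for a brochure-style page.
function auditMarkup(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  const tagRe = /<(form|iframe)\b([^>]*)>/gi; // document order
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    if (tag === 'form') {
      // A native <form> means the host page (or its processor) receives the data.
      const action = /\baction\s*=\s*["']([^"']*)["']/i.exec(attrs);
      const origin = action ? new URL(action[1], pageUrl).origin : pageOrigin;
      findings.push({ kind: 'form', origin, isolated: false,
        note: 'first-party form: submissions flow through this site or its form processor' });
    } else {
      // An <iframe> isolates its contents only when it is cross-origin; the
      // same-origin policy is what stops host-page scripts from reading it.
      const src = /\bsrc\s*=\s*["']([^"']*)["']/i.exec(attrs);
      if (!src) continue;
      const origin = new URL(src[1], pageUrl).origin;
      const isolated = origin !== pageOrigin;
      findings.push({ kind: 'iframe', origin, isolated,
        note: isolated
          ? 'cross-origin iframe: host page cannot read its contents; confirm the provider is HIPAA compliant'
          : 'same-origin iframe: host page scripts can read its contents, so nothing is isolated' });
    }
  }
  return findings;
}

// Constructed sample page; hostnames are placeholders, not real sites.
const SAMPLE_HTML = `
<h1>Boulder Dermatology</h1>
<iframe src="https://forms.example.net/embed/intake"></iframe>
<form action="/contact" method="post"><input name="symptoms"></form>
<iframe src="/scheduler.html"></iframe>
`;
const SAMPLE_PAGE_URL = 'https://boulder-derm.example.com/';

console.log(auditMarkup(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

Run over a site’s exported HTML, any `form` finding or non-isolated `iframe` finding is a place where the agency, not a HIPAA compliant provider, is handling the submission.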


Other website owners simply link off from the marketing front-end to a back-end technology, like Epic’s ever-so-popular MyChart portal.


SaaS companies integrating Duda into their solution can leverage this flow as well by creating custom widgets that use iframes to deliver their technology to client websites. However, those clients should not use Duda’s first-party forms, as the backend is not HIPAA compliant.


Do I need to worry about HIPAA compliance?


If you’re an agency building websites for medical professionals, you should be aware of HIPAA but you shouldn’t worry about it. It’s easy to avoid exposure to PHI by simply refusing to accept it. Include specific language in your client contract that you are not responsible for PHI, and communicate clearly with your clients that they are responsible for the management of any patient data. You can recommend HIPAA compliant software, but do not retain any login information for that software.

SaaS companies should absolutely concern themselves with HIPAA, but not in regards to their clients' websites. They should instead embed their own HIPAA compliant technologies into the website builder via custom widgets, ensuring a seamless, low-stress experience for their customers.


Remember, PHI needs to be both safe and secure. The easiest way for an agency to ensure that is by not collecting that data at all.


Shawn Davis

Content Writer, Duda

Denver-based writer with a passion for creating engaging, informative content. Loves running, cycling, coffee, and the New York Times' minigames.

