HIPAA eCommerce

12-Step HIPAA-Compliant Website Checklist for 2024

Updated June 3  |  11 min read
Key Takeaways
  • Following a HIPAA website checklist ensures legal compliance with HIPAA regulations, which is mandatory for all healthcare providers.
  • It helps protect patient privacy by ensuring that appropriate security measures are in place, such as encryption and secure login procedures.
  • Following a HIPAA compliance checklist also helps healthcare providers prevent data breaches and protects a care provider's reputation.
  • Compliance with a HIPAA risk assessment checklist is essential for safeguarding patients' sensitive health information and avoiding legal and financial consequences.

Understanding What HIPAA Means for Your Site

Every medical practice, clinic, pharmacy, nursing home, and healthcare provider must adhere to HIPAA rules when they have an online presence that transfers medical information. Healthcare organizations failing to do so could lead to substantial fines from the government.

Even worse, you'll lose the trust of your patients and ruin your good reputation. Customers trust their health to physicians and caregivers, and they want to feel just as confident that their health information is in good hands. That's why you need to invest in a robust HIPAA-compliant website if you plan to transfer or store ePHI.

A HIPAA-compliant website secures protected health information.

Duty of Care for HIPAA Compliance

Anyone who handles encrypted data in the form of ePHI needs to make sure they are in compliance with the Health Insurance Portability and Accountability Act of 1996, more often referred to as HIPAA.

Covered entities are companies subject to HIPAA regulations. This encompasses doctors, pharmacies, healthcare providers, and nursing homes that transfer medical information.

This individually identifiable medical information includes electronic medical records (EMR), electronic health records (EHR), or (electronic) protected health information (PHI or ePHI). HIPAA security rules also state such entities also include health insurance companies, HMOs, government agencies that subsidize health care (Medicare), and military and veterans' organizations.

Sharing this information has become an important part of modern healthcare, but compliance also creates a burden for medical providers. We can't stress this enough: Covered entities bear the final responsibility for their compliance with all HIPAA guidelines and regulations.

Following is a free checklist to make a HIPAA-compliant site so you can be prepared when you need to follow HIPAA compliance rules.

12-Step HIPAA Checklist

A HIPAA checklist ensures compliance with the HIPAA compliant web hosting

1. Create a HIPAA-Compliant Website Checklist

The first step to make sure your website is HIPAA compliant is creating a HIPAA compliance checklist that serves needs specific to your company. Having a plan in place for HIPAA-compliant website design and hosting is one of the most important business objectives you'll ever pursue. Don't approach this haphazardly; you need to have a personalized HIPAA-compliant checklist to ensure you meet every HIPAA standard.

2. Research Healthcare Industry Needs

When considering the needs of your website, you must first consider the HIPAA laws in place that affect every healthcare provider and then personalize your plan to comply. Simple, unsecured websites are no longer an option and often suffer HIPAA violations, even if you just include a contact form for patients to fill out. Be sure to find trusted information so that you can find an IT partner familiar with compliance.

3. Determine If HIPAA Is Necessary

Next, you need to determine if your data fits the description you'd find on a HIPAA-compliant requirements checklist at all. Asking yourself "do I need to be HIPAA compliant" could be the end of your checklist if the answer is no.

HIPAA-compliant websites are only necessary if it is used to collect, store, process, display, or transmit ERM/EHR/PHI. HIPAA-compliant web forms must be used to secure protected health information.

Because HIPAA was designed to improve healthcare by providing easy access to information, there aren't many computer systems in the medical industry that don't require strict compliance.


Looking for a HIPAA-Compliant Website?

We can help there, too. We developed HIPAA-compliant eCommerce that is customizable to your needs.
Check it out to get started!

HIPAA compliant website solutions require secure sockets layer SSL.

4. Learn HIPAA Website Basics

Before you understand how to make your website HIPAA compliant and how to avoid HIPAA violations, familiarize yourself with HIPAA requirements, which state that healthcare websites must:

  • Implement rules and safeguards to protect patient health information.
  • Limit sharing of confidential data to authorized stakeholders who directly help patients in some way.
  • Ensure any contractors or corporate partners sign a business associate agreement, safeguard PHI, and share information only when done so in each patient's best interests, and in a HIPAA-compliant manner.
  • Limit who can access PHI and train employees about security rules and confidentiality best practices.

5. Research and Follow HIPAA Rules

HIPAA compliance rules don't stop with information protection; it's also adamant about tracking information access. They also require covered entities to keep track of who has viewed PHI, why they are accessing it, what they are accessing, and if the information has been transferred in any way. Working with a HIPAA eCommerce integration company that has experience protecting both is a must.

6. Encrypt HIPAA Patient Intake Forms

Another important part of a HIPAA compliance audit checklist is protecting web forms. A web form is any information-collecting form that is filled out by a patient or client. Common examples include desktop or mobile forms that collect medical and health insurance information. This information is then collected to create long-term and centralized medical records.

HIPAA-compliant web forms ensure that the connection between the browser and the website is encrypted, so information entered on the site or web forms is protected against unauthorized access. You must make sure your HIPAA-compliant website is hosted by a company that knows what it's doing when transferring contact forms to the HIPAA web server. Clarity is ready to help ensure HIPAA privacy and make your forms HIPAA secure.

A HIPAA compliance checklist can help avoid a HIPAA audit.

7. Use HIPAA-Approved Contact Forms

Any page that allows patients to submit information can be considered a contact form. This includes HIPAA-compliant web forms such as pre-visit health surveys, patient portals, and live chat facilities. Even the simplest contact form has to be secure; a person contacting a doctor will not want anyone to have easy access to their inquiries regarding particular health problems. When going over your HIPAA-compliant website list, make sure that web forms meet HIPAA guidelines and rules.

8. Protect HIPAA Web Servers

PHI must be protected at every step. HIPAA-compliant servers must include the most secure protection available while PHI is in the cloud, but it also must be secure during any sort of internet transfer. That includes end-to-end encryption for any information that is sent back to or between healthcare providers.

  • Collecting PHI: If your website collects any individually identifiable medical information, such as symptoms, conditions, or requested healthcare services, you are collecting PHI. That information must be ferried securely to the web server.
  • Storing PHI: Whether you store individually identifiable health information on your own server or on a third-party server, you must ensure that the security of the information is compliant with HIPAA and that regular maintenance is done to keep it so.
  • Transmitting PHI: PHI must also be secure and encrypted when it is transferred in any way. This includes direct transfer between servers, via email, or any other digital transference. 

9. Install a Robust SSL Certificate

Secure Sockets Layer (SSL) is the industry standard for transferring data over internet channels, usually between a web server and a browser. SSL certificates make sure that data is encrypted from end to end and is not readable by third parties. The “s” in https:// that is found on most websites indicates that any information transferred on that site will be secure thanks to the SSL certificate. Some of the best low-cost—or even free—SSL certificate providers are:

Be careful; free SSL certificates often don't offer the most stringent security and could lead to a HIPAA violation. Properly installing an SSL certificate can be a tricky business as well. Since it's one of the most important parts of this HIPAA risk assessment checklist, you'll probably want to trust this step with a company familiar with HIPAA-compliant database design. We'll take care of it for you.

An SSL certificate (secure sockets layer) satisfies Health and Human Services for HIPAA-compliant websites for health care providers

HIPAA-Compliant eCommerce in Days, Not Months

We can set up a HIPAA eCommerce solution for you that's tailored to your business in a matter of days. Stop waiting to be HIPAA compliant!

10. Choosing Your HIPAA-Compliant Solution

Who you work with can determine whether or not you truly have a HIPAA-compliant website. As you saw from the previous points, the website must be secure from many angles. Clarity provides HIPAA-compliant solutions to seamlessly secure PHI that's transmitted to and from your website, all the while adhering to HIPAA-compliant server requirements.

11. Finding a Hosting Provider

Don't trust just anyone with your web hosting. HIPAA-compliant web hosting requires some of the most robust security available. Since security is so important to your business, make sure you find a HIPAA-compliant web host that specialized in protecting medical encrypted data.

12. Securely Back Up Data

Backing up patients' PHI—perhaps a lifetime's worth of data—is a must. But backups usually mean that data is being duplicated from one server to another. Protection must be just as protected during the backup as when it's on the original server.

Business associates can help you back up your data to follow Health and Human Services guidelines.

BONUS: Healthcare Organization Tips

  • Ensure that third-party service providers sign a business associate agreement (BAA) stating that they accept some responsibility for the security of the PHI
  • Ensure HIPAA-compliant website hosting
  • Implement secure user authentication with a hosting provider
  • Work with HIPAA-compliant web hosting providers for security needs
  • Secure the website using an SSL certificate
  • Encrypt all web forms
  • Using HIPAA-compliant email encryption

If you don’t want to deal with all of this yourself—or hire multiple companies to complete each task individually—you’ll want to seek out someone with experience in HIPAA integration. Click here to make it easy on yourself.

The Four HIPAA Compliance Rules

There are four HIPAA security rules that further define how covered entities and business associates safeguard protected health information (PHI). The four rules are:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Enforcement Rule
  • HIPAA Breach Notification Rule

In the normal course of business operations, only the first three rules apply to covered entities and their associates who have signed business associate agreements. The last rule comes into play only when HIPAA violations occur or websites are breached and there's a risk that PHI has been compromised.

HIPAA solutions come in many shapes and sizes. From a simple online pharmacy to a complex doctor-patient portal to a mobile application, they all need to acting in a HIPAA-compliant manner regarding PHI.

1. Privacy Rule Considerations

In addition to all of the privacy protection mentioned above, care providers must consider other patient PHI privacy concerns. For instance, they can share information with authorized individuals such as family members in certain circumstances. An example is if the patient is mentally incapacitated or if the patient is a minor.

Generally, rules that makes sure a website is HIPAA compliant prevent healthcare providers from sharing or exposing confidential information in electronic, written, and oral forms. This means that those in the healthcare industry have a duty even when discussing health records over the phone where they could be overheard by unauthorized people.

In some cases, outside service providers may need access to information to provide medical services, so these cases are exempted from privacy restrictions. The Privacy Rule applies to computer information about patients, conversations between doctors and medical staff, billing information, medical charts, and prescription information.

2. Security Rule Considerations

National standards of security protect the information in healthcare organization databases, eCommerce customer lists where medical records are part of the database, medical clearinghouses, pharmacies, health insurance companies, and other care providers and business associates.

The HIPAA Security Rule has three components: technical safeguards, administrative safeguards, and physical safeguards. Some of the major highlights of when working a HIPAA Security Rule checklist include—but aren't limited to—the following points:

  • Performing periodic risk analysis to determine physical and digital vulnerabilities of PHI.
  • Reducing risks to acceptable levels.
  • Regularly reviewing system activities, digital logs, and audit trails.
  • Authorizing and supervising the employees who have access to PHI.
  • Protecting PHI from unauthorized parent companies, subcontractors, and partner organizations.
  • Sending regular updates to staff members about security issues and training employees to recognize malware, malicious software, and other virtual and real-world threats.
  • Implementing a system of access controls.
  • Providing encryption and decryption tools, especially when you transmit PHI.
  • Facilitating safeguards like automatic logoffs.
  • Establishing mandatory policies for using workstations and mobile devices.
Partners should sign a business associate agreement (BAA) to make a HIPAA-compliant website.

3. Enforcement Rule Considerations

The HIPAA Enforcement Rule mostly concerns penalties and investigations when companies are found to be non-compliant, but eCommerce companies do have some enforcement responsibilities through the administrative section of the Security Rule. These include getting authorization forms for disclosing information to third-party sources, providing customers with a Notice of Privacy Practices, and getting partners to sign a business associate agreement (BAA) to acknowledge their responsibilities under HIPAA.

4. Breach Notification Rule Considerations

Breaches occur when unauthorized people gain access to protected health information in some manner that's not permitted under the HIPAA Privacy Rule. These breaches include unauthorized access to physical areas, inadvertent disclosures, stolen or misplaced documents, and digital hacks. If the HIPAA Breach Notification Rule is violated, covered entities must:

  • Determine if PHI is compromised.
  • Assess the type and amount of data involved.
  • Find out who used the PHI illegally or to whom information was disclosed.
  • Chronicle steps taken to mitigate the breach.
  • Ascertain if the breach was closed or information returned before being used.
  • If the breach occurred inadvertently under a covered associate’s or entity’s authority.
  • Send notices of breach incidents to each patient's last known address by First Class mail or email if electronic notifications are authorized.
  • If the Breach Notification Rule is broken, write notices in easy-to-understand language and include a summary of how the situation occurred, the date of exposure, and other relevant details.

Are All Webforms Required to Reach HIPAA Compliance?

Even simple opt-in forms on websites must comply with the HIPAA security rule if the forms collect any kind of personal health information. For example, if website forms only ask for names, email addresses, phone numbers, and physical addresses (i.e., information readily available on the internet), then the forms don't need to be HIPAA compliant.

However, if any medical, insurance, social security, or other information is required, the form must comply with HIPAA requirements, and the storage and transmission of the data collected must adhere as well.

HIPAA-compliant webforms needed for patient data.

HIPAA-Compliant Website Design

Major eCommerce companies usually employ a team of designers for their websites, stores, and online catalogs, and if the website is required to adhere to HIPAA compliance rules, these professionals should know this information and act accordingly.

However, that's not the way things always work. Designers can overlook key elements even if they're following a HIPAA compliant website checklist, and unless your designer is familiar with what HIPAA requires, it's in the company's best interest to confirm Security rule standards to make a HIPAA-compliant website viable.

Design issues that should be added to a HIPAA-compliant website list include:

  • Ensuring that health data being transmitted is always encrypted according to HIPAA guidelines
  • Implementing safeguards to prevent tampering with health logs
  • HIPAA hosting should adhere to HIPAA-complaint rules or a HIPAA Business Associate Agreement
  • Limiting access to PHI to authorized staff
  • Backing up all PHI information in ways that ensure the data is recoverable

Integrate HIPAA with eCommerce

It's important to remember that a website isn't just about protecting HIPAA-protected information. The medical field is a business, after all, and the HIPAA eCommerce side has to be considered as well. It's especially critical to choose the right eCommerce and HIPAA development partner to create the most secure portals and websites possible.

Clarity has been designing and building HIPAA-compliant portals that incorporate eCommerce platforms for more than 16 years. We understand the challenges that come with our clients' projects and the need to secure and transmit PHI, whether health-related or financial. Tell us what you need protecting and we'll protect it.

HIPAA compliance rules for a HIPAA-compliant website

Discover Your HIPAA Solution

We hope this HIPAA compliance checklist has helped. It's vital to know what you and your business associates need to do to comply.

If you'd like to learn more about HIPAA-Complaint websites, we offer a free discovery process where our experts go over your business's needs and help you find the best solution. Feel free to take the information with you anywhere after the session—this is a freebie to get you started. Click the button below to get your free session.



A HIPAA-compliant website is one that adheres to the act of Congress called the Health Insurance Portability and Accountability Act. A HIPAA-compliant website has robust security to protect any patient and customer ePHI (electronic protectedhealth information) that passes through it on its way to servers that meet HIPAA compliance standards, such as the HIPAA security rule and HIPAA privacy rule.

HIPAA rules and guidelines are put in place to keep protected health information safe and are enforced by the HHS (Health and Human Services). This department of the U.S. government can levy fines if a company does not have secure servers, a HIPAA-compliant website, web forms, contact forms, and other HIPAA compliance security measures in place that follow HIPAA guidelines.


Making a HIPAA compliant checklist is vital because it identifies the areas of your business that are most susceptible to attack. It also creates a plan going forward with the subsequent security measures that can be added over time.

If your website needs to be HIPAA compliant and HIPAA rules (HIPAA Security Rule, HIPAA Privacy Rule, are broken by compromising individually identifiable health information, you may be in violation and contacted by HHS (United States Departent of Health and Human Services).

In order to ensure HIPAA compliance, it's best to find developer that has experience making a HIPAA-compliant website. They know what needs to be HIPAA compliant and can ensure adherence with HIPAA-compliant web forms, an SSL certificate, HIPAA-compliant hosting, physical safeguards of protected health information, securing sensitive patient health information, and protecting data at rest.


The three primary ways to make a website HIPAA compliant are to a) ensure transmitted health data is encrypted, b) host websites on web servers that adhere to HIPAA compliant rules, and c) limiting PHI access only to authorized staff.

You need to ensure your website is HIPAA compliant so that you are not in violation of the laws that govern HIPAA-compliant websites. These laws are enforced by the U.S. Department of HHS (Health/Human Services). In short, HIPAA-compliant websites are necessary to ensure you are following the law.


HIPAA stands for the Health Insurance portability and Accountability Act of 1996. Any organization or business that collects and stores PHI (protected health information) is subject to HIPAA-compliant rules.

Holders of this individually identifiable health information are called covered entities, or CEs. Each CE should seek legal counsel to determine the level of security necessary to protect ePHI (electronic protected health information) in transit and at rest. If are considered a CE, then the question "do I need to be HIPAA compliant?" is certainly yes. You may also work with developers that are also tasked with keeping this sensitive patient health information safe, which will require them signing a Business Associates Agreement (BAA).

HIPAA-compliant websites, HIPAA-compliant hosting, physical safeguards, transmitted files, and all associated healthcare data must be protected in order to adhere to HIPAA to protect sensitive patient data.


HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA compliance requirements are enforced to protect ePHI (electronic protected health information). To follow HIPAA rules—such as the HIPAA Security Rule, HIPAA Privacy Rule, and HIPAA Breach Notification Rule— sensitive patient data must be protected at every stage.

For a preexisting website and related servers to avoid HIPAA violations, it’s important to address the most vulnerable and high-value areas first to avoid the most common HIPAA violations. This includes keeping HIPAA compliance with the website, web forms, and the information at rest.

Additional protection can be added as necessary to secure ePHI (electronic protected health information) that may be compromised. Working with an experienced HIPAA developer is an excellent first step for getting a HIPAA-compliant website.


The healthcare provider or organization that owns and operates the website is responsible for ensuring compliance with HIPAA rules and regulations. This includes ensuring that all patient information handled by the website is properly secured and protected and that all employees who handle patient information are properly trained on HIPAA regulations and policies. According to HIPAA compliance requirements, these organization are called covered entities.

The responsibility also extends beyond these healthcare providers to any third-party vendors or partners that handle patient information on behalf of the healthcare provider. The partners with access to this information are called business associates, and the contract is called a business associates agreement.

Ultimately, it's the responsibility of the healthcare provider or organization to follow a HIPAA compliant website checklist to protect patient information and comply with HIPAA regulations, and to quickly and effectively respond to any security incidents that may occur.


HIPAA, the Health Insurance Portability and Accountability Act, are national standards with three primary rules to ensure the confidentiality and security of protected health information (PHI):

  • HIPAA Privacy Rule: The HIPAA Privacy Rule regulates the use and disclosure of PHI by covered entities, such as care providers and their business associates. It also gives individuals control over their health information and outlines permissible uses.
  • HIPAA Security Rule: The HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI). The security rule mandates that a covered health insurance provider implements administrative, physical, and technical safeguards to protect the integrity and confidentiality of ePHI.
  • HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule requires covered entities to report breaches of unsecured PHI to affected individuals, the Secretary of Health and Human Services (Office of Civil Rights), and, in some cases, the media. It also ensures timely notification to mitigate potential harm and enhance transparency.

These rules—the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule—collectively establish a comprehensive framework for healthcare providers, health plans, and other entities handling PHI.

The Privacy Rule empowers individuals, the Security Rule sets standards for safeguarding electronic data, and the Breach Notification Rule facilitates prompt response to and disclosure of security incidents, fostering a more secure and accountable healthcare environment.

Still have questions? Chat with us on the bottom right corner of your screen #NotARobot

Sitefinity developers can make custom widgets for Sitefinity DX.
Stephen Beer is a Content Writer at Clarity Ventures and has written about various tech industries for nearly a decade. He is determined to demystify HIPAA, integration, enterpise SEO, and eCommerce with easy-to-read, easy-to-understand articles to help businesses make the best decisions.