Why Your Medical Practice Website Might Be Violating HIPAA Right Now
If you run a medical practice, your website is likely handling Protected Health Information (PHI) — and there’s a good chance it’s doing so in a way that violates HIPAA regulations.
The U.S. Department of Health and Human Services (HHS) has increasingly focused enforcement on digital compliance, including websites and online patient interactions. Fines range from $100 to $50,000 per violation, with a maximum of $1.5 million per year for each violation category.
Here are the five most common HIPAA violations we find during our website compliance audits.
1. Unencrypted Contact Forms
When a patient fills out a contact form on your website describing their symptoms or medical concern, that’s PHI. If your form transmits that data over an unencrypted connection (HTTP instead of HTTPS), or sends it to a standard email inbox without encryption, you’re in violation.
The fix: All forms collecting health-related information must use TLS encryption (HTTPS), and the data should be stored in a HIPAA-compliant system — not forwarded to a regular Gmail inbox.
How we handle it at LoricaWeb: Every contact form we build — or bring into compliance — uses end-to-end TLS encryption and routes data exclusively through HIPAA-compliant processing systems. We replace insecure email-based workflows with encrypted form handlers that protect PHI from the moment a patient clicks “Submit.”
2. No Business Associate Agreement (BAA) with Your Web Host
Your web hosting provider has access to any data stored on your website’s server. Under HIPAA, any entity that handles PHI on your behalf is a Business Associate and must sign a BAA.
Most mainstream hosting providers (GoDaddy, Bluehost, basic shared hosting) do not offer BAAs. If your host doesn’t have a BAA with you, every piece of patient data that passes through your website is a potential violation.
The fix: Move to a HIPAA-compliant hosting provider that will sign a BAA, or use a compliance-focused web service provider who manages this for you.
How we handle it at LoricaWeb: We provide HIPAA-compliant hosting infrastructure and sign a Business Associate Agreement with every healthcare client. Your practice gets full legal protection — we take on the responsibility for safeguarding any PHI that passes through your website’s hosting environment.
3. Analytics Tools Capturing PHI
Google Analytics, Facebook Pixel, and similar tracking tools can inadvertently capture PHI through URL parameters, form field data, or page titles that contain patient information.
For example, if your appointment confirmation page URL includes a patient name or appointment type, Google Analytics is recording PHI — and Google is not your Business Associate.
The fix: Audit your analytics implementation. Strip PHI from URLs, exclude sensitive pages from tracking, or use HIPAA-compliant analytics alternatives.
How we handle it at LoricaWeb: We perform a full analytics audit as part of every compliance engagement — identifying every tracking script, pixel, and third-party tool that could be capturing PHI. We reconfigure or replace non-compliant analytics with privacy-first alternatives that still give you the traffic insights you need, without any patient data exposure.
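One concrete way to implement the fix above in the page itself, as an added example that is not LoricaWeb's code: before a page view is handed to a tracking tag, exclude patient-facing routes entirely and forward only an allowlist of known-safe query parameters, so a name, symptom or appointment type in the URL never reaches a vendor that is not a Business Associate. The route patterns, the parameter allowlist and the `sendPageView` callback are assumptions for illustration.

```javascript
// Added example (not LoricaWeb's code): scrub a page URL before it is
// reported to third-party analytics. Routes and allowlist are assumptions.

// Routes that must never be reported to analytics at all.
const EXCLUDED_ROUTES = [/^\/portal(\/|$)/i, /^\/appointments\/confirm(\/|$)/i];

// Only these query parameters are ever forwarded. Allowlisting is safer than
// trying to enumerate every parameter name that might carry PHI.
const ALLOWED_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign', 'page', 'lang']);

// Returns null when the page must not be tracked; otherwise the URL that is
// safe to report plus the names of the parameters that were removed.
function sanitizeForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  if (EXCLUDED_ROUTES.some((re) => re.test(url.pathname))) return null;
  const removed = [];
  for (const key of new Set(url.searchParams.keys())) {
    if (!ALLOWED_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key); // drops every occurrence of the key
      removed.push(key);
    }
  }
  url.hash = ''; // fragments can carry form state too; never report them
  return { url: url.toString(), removed };
}

// Wraps the vendor page-view call so only the sanitized URL is sent.
// `sendPageView` stands in for the vendor API (e.g. a gtag wrapper) and is
// an assumption; returns false when the page was excluded.
function reportPageView(rawUrl, sendPageView) {
  const result = sanitizeForAnalytics(rawUrl);
  if (result === null) return false;
  sendPageView({ page_location: result.url });
  return true;
}

// Constructed sample URLs of the kind the text describes.
const SAMPLE_URLS = [
  'https://example-practice.test/contact?utm_source=google&name=Jane%20Doe&reason=chest%20pain',
  'https://example-practice.test/appointments/confirm/8841?appt_type=oncology',
];
for (const u of SAMPLE_URLS) {
  const r = sanitizeForAnalytics(u);
  console.log(r === null ? `${u} -> excluded` : `${u} -> ${r.url} (removed: ${r.removed.join(', ')})`);
}
```

The same allowlist discipline applies to the page title and any custom event fields the tag sends; a sanitizer like this only covers the URL.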
4. Inaccessible Patient Portals
While accessibility (ADA/WCAG) and HIPAA are separate regulations, they intersect significantly. If patients with disabilities cannot access your online appointment scheduling, patient portal, or health information, you face both ADA and potentially HIPAA liability.
The fix: Ensure all patient-facing web applications meet WCAG 2.1 AA standards. This includes keyboard navigation, screen reader compatibility, proper color contrast, and accessible form inputs.
How we handle it at LoricaWeb: Accessibility is built into everything we deliver. We audit every patient-facing page — scheduling, portals, intake forms — against WCAG 2.1 AA criteria and remediate issues systematically: keyboard navigation, screen reader support, contrast ratios, and form labeling. Your patients get equal access, and your practice stays compliant with both ADA and HIPAA.
5. Missing or Inadequate Privacy Notices
HIPAA requires a Notice of Privacy Practices (NPP) that must be made available on your website. Many practices either don’t have one online, have an outdated version, or have one that doesn’t cover their digital practices.
The fix: Review and update your online NPP to specifically address how your website collects, uses, and protects patient information. Include details about online appointment scheduling, contact forms, and any patient portal functionality.
How we handle it at LoricaWeb: We develop a custom privacy notice tailored specifically to your practice’s digital footprint — covering appointment scheduling, contact forms, patient portals, and any third-party integrations. The notice is aligned with HIPAA Notice of Privacy Practices requirements and written in clear, patient-friendly language.
What You Should Do Next
If any of these issues sound familiar, you’re not alone — we find an average of 12 compliance issues per medical practice website during our audits.
The good news: most of these can be fixed within a few weeks with the right expertise. The important thing is to identify and address them before HHS enforcement does.
Get a free HIPAA compliance audit for your website →
We’ll analyze your medical practice website against current HIPAA requirements and give you a prioritized report of every issue — with clear steps to fix each one.