It means I never handle your patients' PHI.
I build marketing websites — not patient portals. Your site links to your existing HIPAA-compliant tools like SimplePractice or TherapyNotes if desired. I never collect, store, or process PHI.
What this means for you:
- No BAA required — because I never handle PHI
- Reduced liability — patient data never touches your website or my infrastructure
- Peace of mind — your practice stays compliant
Common Attack Surfaces
Page builders often introduce potential leak points without you realizing it.
- Contact forms that store submissions on servers
- Third-party plugins with unknown data practices
- Server databases that can store PHI unintentionally
- Third-party analytics services
Page Builder Storage
Wix and Squarespace store form submissions on their servers by default. Many therapists don't realize the HIPAA risks involved on the technical side of websites. Many designers don't understand even the basics of HIPAA.
WordPress Plugins
WPForms, Contact Form 7, and Gravity Forms store submissions in your database. That may include PHI you never intended to collect. Every additional plugin introduces another potential attack surface — and it only takes one outdated plugin to compromise a site.
Designer Blind Spots
Many designers use the same tools for every client — regardless of compliance requirements. Whether they're aware of the risk or not, the result is the same.
My Approach
- Hand-crafted static sites — no databases, no PHI storage
- Zero contact forms — patients use secure channels
- Privacy-first analytics — Fathom uses no cookies, collects no personal data, and never stores IP addresses.
- Direct EHR linking — booking goes to your existing tools
- Cloudflare hosting — secure, fast, no PHI stored
What I Don't Use
- No page builders — Wix, Squarespace, WordPress, or others
- No plugins — nothing that stores or transmits PHI
- No contact forms — no PHI collection at all
- No databases — means no PHI storage
- No BAA required — because I never handle PHI
Bottom line: Your website becomes a secure digital front door — not a liability.
If you're thinking about a new site — or not sure where to start — I'd love to hear from you.
Reach out
Call or email. Whatever works for you.
Talk it through
No pressure. Just a conversation.
Decide
Clear next steps. No obligation.
If you're based in or near Knoxville, TN, I'm happy to schedule a visit at your office.
Everything you need to know.
No. Because I never handle or store PHI, you don't need a Business Associate Agreement with me.
Absolutely. I'm happy to sign one if your practice needs it. Just ask.
I don't use them. Patients are directed to secure communication channels — phone, secure email, or your EHR scheduler. No forms = no PHI sitting in a database.
No. Your site is built on static, database-free code. Patient records stay in your existing HIPAA-compliant tools like SimplePractice or TherapyNotes.
Many designers use the same page builders and plugins for every client. I don't. I hand-craft every site from scratch with no database and no PHI storage. No shortcuts. No compliance risks.
Fathom — a privacy-first analytics tool that collects no personal data, uses no cookies, and never stores IP addresses.
Payments are processed securely through Stripe. I never see, store, or have access to your credit card or banking details. Stripe handles everything. You get a receipt. I get a notification. That's it.
Cloudflare — secure, fast, and I never touch patient records.