Most website designers don't understand HIPAA. They don't know what PHI is. They don't know what a BAA is. They build therapy websites the same way they build coffee shop websites.
The platforms they use make it worse.
Wix stores form submissions on their servers by default. Squarespace does too. WordPress itself doesn't β but plugins like WPForms, Contact Form 7, and Gravity Forms store submissions in your database. That may include PHI you never intended to collect.
That's a problem. Your patients trust you with their most sensitive information. Your website should reflect that trust β not undermine it.
This guide will help you:
- β Understand what to look for in a therapist website designer
- β Spot red flags before you sign a contract
- β Ask the right questions
- β Avoid designers who put your practice at risk
HIPAA-Conscious Approach
They understand the difference between PHI and non-PHI. They don't build patient portals β they link to your existing tools.
- No contact forms on your site
- Privacy-first analytics (e.g., Fathom, not Google)
- No PHI collection or storage
- Willing to sign a BAA if asked
Hand-Crafted Code
They don't use Wix, Squarespace, WordPress, or page builders. They write HTML, CSS, and JavaScript from scratch.
- No page builders or plugins
- No databases storing PHI
- Fast load times (sub-3s LCP)
- Static, secure code
Privacy-First Analytics
They use tools that don't collect IP addresses or personal data.
- Fathom or similar privacy-first tools
- No Google Analytics collecting visitor IPs
- No cookies tracking patients
Speed & Performance
They understand that speed=trust in healthcare. Slow sites feel unsafe and rank lower on Google.
- Sub-3s Largest Contentful Paint (LCP)
- 90+/100 PageSpeed scores β a proven factor in rankings and conversions
- No bloated code
- Mobile-first design
- Faster sites can lower Google Ads costs β slow sites raise them
Your website's colors and fonts shape how a visitor feels before they read a single word. The wrong choices can create stress and anxiety β not trust.
Ask Your Designer
Do they understand how color and font choices affect patient anxiety and trust? If not, keep looking.
Red Flag
Designers who treat therapy websites like your typical restuarant or home service website often miss the subtle design cues that make patients feel safe.
If a designer does any of these, run.
- Building on Wix or Squarespaceβ By default, these website builders store contact form data directly in their internal dashboards. This means sensitive client messages automatically turn into unsecured PHI. Squarespace forms are fundamentally non-compliant, and while Wix allows for HIPAA-compliant adjustments, most therapists are unaware they need to explicitly sign a BAA with them. They're also notorious for being slower and less brand-friendly than a custom-built site.
- They are plugin-happyβ Many designers install SEO or performance plugins that promise results but barely move the needle. Each plugin adds another potential attack surface, slows your site down, and requires constant updates. One outdated plugin can compromise an entire site β and your patients' data.
- They use WordPress with contact form pluginsβ WordPress itself isn't the only problem. Plugins like WPForms, Contact Form 7, and Gravity Forms store submissions in your database. That's PHI sitting on your server β on top of WordPress's other performance and security issues.
- They don't know what HIPAA isβ If they can't explain PHI, BAA, or the difference between a marketing site and a patient portal, they're not qualified.
- They dismiss speedβ If they ignore Google's PageSpeed Insights scores or Core Web Vitals, they don't understand that slow sites often rank lower, can increase ad costs, and cause many visitors to leave before your site even loads. Studies show over 50% of mobile users abandon sites that take longer than 3 seconds β and new visitors suffer the most since they don't have your site cached (saved).
- They try to sell you a "patient portal"β Unless they're a HIPAA-compliant software company with a BAA, they shouldn't be building patient portals.
- They outsource the workβ Ask: "Do you do the work in-house?" If they hesitate, they're white-labeling. You're paying a middleman.
- They guarantee #1 rankingsβ Nobody can guarantee rankings. Not even me. Run.
"What platform do you use?"
If they say Wix or Squarespace, ask about form storage and BAAs. If they say WordPress, ask which plugins they use and where data is stored.
"Do you guarantee rankings?"
If yes, they're lying. Nobody can guarantee rankings. Google doesn't sell them. There is no secret.
"What analytics do you use?"
Google Analytics collects IP addresses. Fathom doesn't. The right answer is Fathom or similar.
"Will you sign a BAA?"
If they hesitate or say no, move on. A good designer will be happy to sign one.
"Where are your designers located?"
If something goes wrong and they aren't located in the USA πΊπΈ, pursuing legal action across international borders is exponentially more difficult and expensive. Some countries have little to no cooperation with the US justice system. For patient data and HIPAA compliance, that's a risk you don't need to take.
"How does speed affect my ad costs?"
If they don't understand that faster sites can lower Cost-Per-Click (CPC) by improving Quality Score, they're missing a core part of how Google Ads works. This isn't optional β it's how the auction system is designed. If they can't explain this, they don't understand the full value of a fast website.
Your Patients Trust You
They share their deepest struggles with you. They trust you to keep that information private. Your website is part of that trust.
A bad designer can break that trust without you ever knowing.
The Stakes Are High
- HIPAA finesβ I'm sure you already know, but HIPAA fines are nothing to mess with.
- Reputation damagecan kill a private practice
- Patient trustis hard to earn and easy to lose
- Slow sitesβ often rank lower than faster competitors and can increase your ad costs. On Google, the first page is the only page that matters to most patients.
Hand-Crafted Code
No page builders. No plugins. No databases. Just clean, fast, secure code.
HIPAA-Conscious
I don't build patient portals. I don't collect PHI. I link to your existing tools. No BAA required β but happy to sign if you need it.
Privacy-First Analytics
I prefer Fathom Analytics as it collects no IP addresses, no personal data, and uses no cookies. Your patients' privacy is protected.
Bottom line:I build websites that prioritize patient privacy, clarity, and inclusivity β and your ROI.
If you're thinking about a new siteβor not sure where to startβI'd love to hear from you.
Reach out
Call or email. Whatever works for you.
Talk it through
No pressure. Just a conversation.
Decide
Clear next steps. No obligation.
If you're based in or near Knoxville, TN, I'm happy to schedule a visit at your office.