The Hard Truth

Contact forms are a relic. They were built for convenience, not for healthcare privacy. They introduce risks that far outweigh any benefit they might provide. And they can actually lower outreach. This guide is to inform not just therapists and psychiatrist, but all healthcare providers.

◆ Author: Matthew Williams — Professional Web Designer. I am not a lawyer. This guide does not constitute legal advice. ◆

Every time you put a form on your website, you're inviting visitors to send you whatever they want—names, phone numbers, insurance IDs, credit card numbers, Social Security numbers, detailed trauma histories—and in some cases malicious links that can compromise every computer connected to your home and office internet. You didn't ask for it. You don't want it. But they'll send it anyway.

And once they do, it becomes your responsibility .

This guide exists to inform that:

  • Most designers don't understand healthcare privacy
  • Most form solutions are not designed for HIPAA
  • Even "secure" alternatives introduce new risks
  • The safest form is no form at all and what the alternatives are

The Problems With Contact Forms

1. A Phone Number Becomes PHI

In a healthcare context, any identifiable information—a name, a phone number, an email address—becomes Protected Health Information (PHI) the moment it's submitted through your practice's website. That means HIPAA applies to everything you collect.

What this means: You can't have a "simple" contact form. There is no such thing in healthcare.

2. You Can't Stop People From Oversharing

You can put a disclaimer on the form. You can ask them not to share sensitive information. People will ignore it. They'll paste their entire medical history, their insurance ID, their Social Security number—anything they think might be helpful.

What this means: You now possess data you didn't ask for, don't want, and aren't equipped to protect. Deleting it doesn't erase the fact that you had it.

3. You Create a Chain of Liability

Every time a patient submits a form, you're creating a record. That record must be stored securely, transmitted securely, and disposed of securely. You're now responsible for every submission—even the ones you didn't ask for.

What this means: You've created a new liability channel for a feature that generates far fewer inquiries than a simple phone number — and carries exponentially more risk.

4. Forms Create Friction, Not Convenience

Contact forms have the lowest conversion rate of any contact method. Each additional field often drops submissions by 20-50%. People know that forms get lower response rates than phone calls or emails. They're more likely to call, email, or give up entirely.

What this means: You're introducing risk and overhead for a feature that most visitors won't use. The ROI simply isn't there.

The Alternatives: Risks Disguised as Solutions

Every "secure" form solution introduces new risks. Here's what they're not telling you.

HIPAA-Compliant Form Builders

What they solve: Encryption, BAA, secure storage.

What they introduce: The vendor holds PHI on your behalf. Even with a signed BAA, if that vendor suffers a data breach, your practice's name is on the front page of the news. You are still required to manage the nightmare of patient notifications, risking your reputation and patient trust for a feature you didn't even need.

API-Powered Form Fetch
(JavaScript POST to vendor API)

What they solve: Data bypasses your hosting.

What they introduce: Many designers often mistakenly expose master API keys in client-side JavaScript. Anyone with a browser Inspector can steal an exposed key and potentially pull down every past submission. To do this safely, you have to build a secure backend proxy server—which adds massive engineering complexity, maintenance fees, technical liability to your plate, and still after all of this it doesn't eliminate the risk.

iFrame Embed
(Sandboxed third-party form)

What they solve: Data stays inside the frame, bypassing your hosting.

What they introduce: Clickjacking vulnerabilities, UI redressing attacks, and the frame can still be hijacked by a malicious third party. You're now responsible for maintaining sandbox attributes and X-Frame-Optionsheaders. One misconfiguration and your patients' data is exposed.

Direct HTML POST

What they solve: No API keys exposed.

What they introduce: You multiply your legal paperwork and create an invisible playground for hackers. You must execute and maintain an ironclad BAA with the form vendor and bring your designer into the chain of liability. Worst of all, attackers can log every keystroke dynamically . If a hacker compromises any third-party script on your site (like a basic analytics tool or font library), they can inject a malicious script that steals data in real-time as the patient types—long before they even hit the "Submit" button .

The pattern? Every alternative solves one problem while creating another. You're never eliminating risk—you're just moving it around. I can build you a site that eliminates the problem entirely—not just moves it.

The Only Safe Option

No Form at All

Zero PHI. Zero liability. Zero maintenance.

Instead of a form, give visitors two clear options:

01

Call the Office

While no communication channel is entirely risk-free, traditional phone calls remain the safest, most legally insulated option for initial contact. They bypass website data storage entirely, and hearing a live human voice builds trust much faster than a digital text box.

02

Link to the Patient Portal

The EHR likely already has a secure messaging system. Link to it. They handle the liability. And they have had a team of 20 lawyers scrutinize everything.

The Bottom Line:

You are a therapist, not a software company. Your website should be a marketing tool, not a healthcare data portal. Don't risk your practice, reputation, and patient trust. Leave the clinical communication to the clinical platforms.

The Verdict

Risk greatly outweighs reward.

Contact forms in healthcare settings are a solution in search of a problem. They introduce HIPAA liability, expose you to data you don't want, create new channels to monitor, and add friction for visitors who just want to reach you. And as your designer, my job is to minimize and preferably eliminate these risks for you when possible—not add to them.

The "secure" alternatives—API integrations, iFrames, and HIPAA-compliant form builders—each introduce risks including complex proxy architectures, clickjacking vulnerabilities, disjointed user experiences, and the constant threat of client-side attacks.

There is no silver bullet. There is only risk transfer.

The safest, most responsible, and most professional choice is to not put a contact form on your website at all . Give visitors your phone number and a link to your patient portal. Let them reach you the way they already know how. I design websites that do exactly this — no forms, no liability, no friction. Just patients reaching out the way they already know how.

Your patients will thank you. Your practice will thank you. And if you ever face an audit, you'll be grateful you kept it simple.

Let's Build Your Practice's Site.

If you're thinking about a new website—or just want to make sure your current one is safe—I'd love to hear from you.

01

Reach out

Call or email. Whatever works for you.

02

Talk it through

No pressure. Just a conversation.

03

Decide

Clear next steps. No obligation.

I build websites for mental health providers nationwide—remotely. But if you're based in or near Knoxville, TN, I'm happy to meet at your office.