HIPAA-Compliant Website Development

On WordPress: WordPress.com and most shared hosting environments won't sign Business Associate Agreements, which rules them out entirely. Self-hosted WordPress on HIPAA-compliant infrastructure with a BAA is technically possible, but it requires serious hardening — encrypted databases, compliant plugins only, audit logging, and removal of every non-compliant third-party script. Honestly, in most cases building on a modern stack like Next.js with compliant infrastructure costs less over a three-to-five year horizon than maintaining a hardened WordPress installation.

On Google Analytics: Google explicitly refuses to sign a BAA and prohibits healthcare organizations from sending PHI through their platform. Under current HHS guidance, an IP address paired with a visit to a health-related page is PHI. Healthcare organizations have paid over $100 million in fines for exactly this. We implement Piwik PRO or a comparable BAA-covered platform that gives you full event tracking without the exposure.

On BAAs: a Business Associate Agreement is a legally binding contract that requires any vendor handling PHI to implement specific security safeguards and accept liability for breaches. HIPAA requires BAAs with every third party that touches PHI — hosting providers, analytics platforms, email services, payment processors, even chat widgets. Using a vendor without a signed BAA is a violation regardless of how secure their infrastructure actually is.

On timelines: a typical HIPAA-compliant healthcare website takes 8-10 weeks from architecture through deployment. Patient portals with EHR integration and complex workflows run 12-16 weeks. Compliance validation and penetration testing are part of that timeline — they can't be compressed. Retrofitting a non-compliant site often takes longer than starting fresh, because you're solving architectural problems before you can build anything on top of them.

On fines: HIPAA penalties in 2025 range from $137 to $2.1 million per violation, depending on negligence level, with annual caps reaching $2 million for repeat violations. Beyond the fine itself, you're looking at mandatory breach notification to affected patients, HHS reporting, corrective action plans that can run two years or more, and real reputational damage with your patient population. Montefiore Medical Center recently landed a $4.75 million penalty with a two-year corrective action plan attached.

On scope: yes, your public-facing website needs to be compliant if it collects, stores, transmits, or displays PHI. That includes appointment scheduling, patient intake forms, symptom checkers, and account login. Even pre-authentication pages can trigger compliance requirements if they collect identifiable health-related data through forms, cookies, or tracking scripts.

Wix, as of the latest information, does not offer HIPAA compliance for its websites. HIPAA compliance requires strict security measures for handling protected health information (PHI), and Wix does not provide the necessary features, such as encryption or business associate agreements (BAAs), which are essential for HIPAA compliance. For healthcare-related sites, it's important to choose a platform specifically designed to meet HIPAA requirements and ensure all data handling processes align with these regulations.