HIPAA and Your Website: What Actually Applies
HIPAA (the Health Insurance Portability and Accountability Act) is frequently cited in conversations about medical websites, often in ways that overstate what it requires. Here is a clear framework.
HIPAA's Security Rule governs electronic protected health information (ePHI): individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits in electronic form. A standard informational website, one that displays your practice's hours, services, and providers and offers a contact form asking only for a name and phone number, does not collect ePHI, and that form is not regulated by the Security Rule. The caveat is the free-text "message" field most contact forms include: the moment a patient types a symptom, diagnosis, or medication into it, the submission contains ePHI, and wherever that submission is stored or emailed is in scope.
HIPAA becomes directly relevant to your website when it collects or transmits ePHI. Specific examples include:
- Online intake forms that ask patients to describe symptoms, medical history, or current medications
- Patient portals that display health records, lab results, or prescription history
- Telehealth scheduling forms that combine identity with health condition information
- Any online form where patients transmit health status to receive care
When your website or its forms do collect ePHI, every vendor that stores, processes, or transmits it on your behalf, starting with your hosting provider, is a business associate and must sign a Business Associate Agreement (BAA): a contractual commitment to safeguard ePHI to the Security Rule's standard. The 2026 updates to the HIPAA Security Rule, published by HHS, also make encryption of ePHI at rest and in transit effectively required for all covered entities. Under the previous rule encryption was an "addressable" implementation specification, which did not mean optional: an entity that chose not to encrypt had to document why it was not reasonable and appropriate and implement an equivalent alternative safeguard. For current HIPAA guidance specific to your practice situation, consult your compliance officer or a healthcare attorney; this article provides general context, not legal or compliance advice.
What this means practically for your WordPress site
If your website is informational and uses standard contact forms for appointment requests (name, phone, preferred time), a standard managed WordPress host is appropriate. If you are collecting health information through web forms, you need a hosting arrangement with a BAA, TLS on every page that carries the form, and forms built so that submissions are never stored unencrypted on the web server or forwarded by plain email. Better still, the form hands the data straight to a BAA-covered intake or scheduling system so the WordPress database never holds it. Your developer should ask you about this before recommending a hosting setup.
ADA Accessibility: Not Optional for Healthcare
The Americans with Disabilities Act (ADA) has been applied to websites through Department of Justice enforcement and federal court decisions. The DOJ's final rule requiring WCAG 2.1 Level AA conformance (published April 2024) applies specifically to state and local government websites, but the DOJ has consistently taken the position that websites of private businesses that serve the public, medical practices included, are subject to Title III of the ADA. Many federal courts have accepted that interpretation, although the circuits differ on whether a website must be tied to a physical location to count as a place of public accommodation.
For a medical practice, accessibility compliance is both a legal risk management issue and a straightforward ethical one — patients with visual, motor, or cognitive disabilities need to access your services. WCAG 2.1 Level AA is the standard your developer should be designing to.
Specific WCAG requirements that affect medical websites include:
- All images have descriptive alt text (relevant for provider photos and procedure images); purely decorative images get an empty alt attribute so screen readers skip them
- All form fields have associated labels, a visible label element tied to the input rather than placeholder text alone (critical for appointment request forms)
- Color contrast ratios meet the 4.5:1 minimum for normal text and 3:1 for large text
- The site is navigable by keyboard alone (no mouse required), including menus and any embedded scheduling widget, with a visible focus indicator
- Error messages in forms are descriptive, identify the specific field, and are programmatically associated with it so assistive technology announces them
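The contrast requirement in the list above is the one most often failed by brand palettes, and it is also the one that can be checked mechanically during the build. The block below is an added example, not code from the original article or from any accessibility tool: it implements the WCAG 2.1 relative-luminance and contrast-ratio formulas and runs them over a constructed palette of the kind a WordPress theme defines. The colour values in the palette are made-up samples chosen to sit on either side of the 4.5:1 line.

```javascript
// Added example: WCAG 2.1 contrast ratio for a theme palette. Not the
// article's own code. Formulas follow the WCAG 2.1 definitions of
// "relative luminance" and "contrast ratio".

// Parse "#rgb" or "#rrggbb" into 0-255 channel values.
function hexToRgb(hex) {
  const h = hex.replace(/^#/, '');
  const full = h.length === 3 ? h.split('').map((c) => c + c).join('') : h;
  if (!/^[0-9a-fA-F]{6}$/.test(full)) throw new Error(`not a hex colour: ${hex}`);
  const n = parseInt(full, 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// sRGB gamma decode of one channel, per the WCAG definition.
function linearize(channel) {
  const c = channel / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

// Relative luminance, 0 for black through 1 for white.
function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(linearize);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); order of the
// arguments does not matter.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [light, dark] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (light + 0.05) / (dark + 0.05);
}

// Level AA thresholds: 4.5:1 for normal text, 3:1 for large text
// (at least 18pt, or 14pt bold).
function meetsAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Constructed sample palette: [role, text colour, background].
const PALETTE = [
  ['body text', '#222222', '#ffffff'],
  ['placeholder', '#999999', '#ffffff'], // light grey placeholders are a classic failure
  ['muted text', '#777777', '#ffffff'], // 4.48:1, just under the line
  ['link text', '#767676', '#ffffff'], // 4.54:1, the lightest grey that passes on white
];

// Audit every pair, as a theme build step or CI check might.
function auditPalette(pairs) {
  return pairs.map(([role, fg, bg]) => ({
    role,
    ratio: Math.round(contrastRatio(fg, bg) * 100) / 100,
    passesAA: meetsAA(fg, bg),
  }));
}
```

The #777777 versus #767676 pair shows why eyeballing a design is not a check: the two greys are indistinguishable on screen, and one passes while the other fails. Placeholder text is listed separately because it is routinely styled too light and, as the form-label point above notes, should not be carrying the label in the first place.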
Accessibility overlays — third-party JavaScript widgets that claim to make a site accessible — are not a substitute for accessible HTML structure. Multiple lawsuits have been filed against businesses using overlay tools, with courts finding the underlying site still inaccessible. The only reliable path is building the site accessibly from the start.
Online Scheduling: What Patients Expect
Online appointment scheduling is among the most-requested features for medical practice websites. The most common implementation connects WordPress to a third-party scheduling system through an embed or API integration. Widely used scheduling platforms that offer WordPress integrations include:
- Jane App — used by many independent healthcare practitioners; includes HIPAA-compliant intake forms
- Zocdoc — patient-facing marketplace with a booking widget that can embed on your site
- Acuity Scheduling (now part of Squarespace) — general scheduling tool with embed options
- Your EHR's patient portal — most EHR systems (Epic, Athenahealth, eClinicalWorks) include a patient portal with scheduling; embedding or linking from your website is straightforward
The choice of scheduling platform is separate from the choice of website platform. Your WordPress site links to or embeds whatever scheduling tool your practice already uses; the website developer does not need to replicate the scheduling system itself. Two things do follow from that choice. First, if the booking flow asks for any health information, the scheduling vendor is handling ePHI on your behalf and needs a BAA just as the host does. Second, an embed that loads the vendor's JavaScript directly into your page gives that script full access to everything on the page, whereas a link or an iframe to the vendor's hosted booking page keeps the patient's data on the vendor's origin. Prefer the link or iframe unless the vendor's embed is covered by your BAA and you have a reason to need it.
Local SEO for Medical Practices
Most patients searching for a new provider search locally — "internist near me," "pediatrician in [city]." The factors that most influence local search visibility for medical practices are:
- Google Business Profile. Your Google Business Profile (formerly Google My Business) needs to be claimed, fully completed, and updated with current hours, services, and photos. This is separate from your website but directly affects what appears in Google Maps and local search results. Consistent NAP information (Name, Address, Phone) across your website and your Google Business Profile is a foundational requirement.
- Individual provider pages. Search engines index pages, not practices. A dedicated page for each provider — with their name, specialty, training, and conditions treated — gives Google more specific content to rank for condition- and specialty-specific searches.
- Service and condition pages. A page dedicated to each condition you treat or service you offer (e.g., "diabetes management," "sports injury evaluation") performs better in search than a single page listing all services in a bullet list.
- Schema markup. WordPress themes and SEO plugins (Yoast, Rank Math) can add structured data to your pages, including schema.org types for a physician, a medical clinic, and medical specialties, that helps search engines understand and display your content accurately. The name, address, and phone in that markup should be generated from the same source as the rest of the site so they never drift from your Google Business Profile, and the output should be validated with Google's Rich Results Test.
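To make the schema-markup and NAP-consistency points concrete, here is an added example, not code from the original article or from either SEO plugin named above: it builds schema.org JSON-LD for a clinic and its providers from one practice record, normalizes the phone number so the same value appears everywhere, compares the site's NAP against a Google Business Profile record, and escapes the output so a value containing "</script>" cannot break out of the script tag. The practice, address, provider, and URL values are constructed placeholders, and the phone normalization assumes North American ten-digit numbers.

```javascript
// Added example: generating schema.org JSON-LD and checking NAP consistency
// for a practice website. Not the article's own code. All practice details
// below are constructed placeholders.

const practice = {
  name: 'Example Internal Medicine',
  url: 'https://example.com/',
  telephone: '(555) 010-0100',
  specialty: 'https://schema.org/PrimaryCare',
  address: {
    streetAddress: '100 Main St',
    addressLocality: 'Springfield',
    addressRegion: 'IL',
    postalCode: '62701',
    addressCountry: 'US',
  },
  hours: [
    { days: ['Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday'], opens: '08:00', closes: '17:00' },
  ],
  providers: [
    { name: 'Dr. Jane Doe', specialty: 'https://schema.org/Pediatric', url: 'https://example.com/providers/jane-doe/' },
  ],
};

// E.164-style phone normalization. Assumes a ten-digit US/Canada number when
// no country code is present.
function normalizePhone(raw) {
  const digits = raw.replace(/\D/g, '');
  return '+' + (digits.length === 10 ? '1' + digits : digits);
}

// Case- and punctuation-insensitive form of a name or address line.
function normalizeText(s) {
  return s.toLowerCase().replace(/[^a-z0-9]+/g, ' ').trim();
}

// One comparable key from a record's Name, Address and Phone.
function napKey(rec) {
  return [
    normalizeText(rec.name),
    normalizePhone(rec.telephone),
    normalizeText(Object.values(rec.address).join(' ')),
  ].join('|');
}

// True when two records (e.g. the website and the Google Business Profile)
// agree on NAP apart from formatting.
function napMatches(a, b) {
  return napKey(a) === napKey(b);
}

// Build the JSON-LD graph: one MedicalClinic node plus one Physician node per
// provider, linked back to the clinic by @id.
function clinicJsonLd(p) {
  const clinicId = p.url + '#clinic';
  return {
    '@context': 'https://schema.org',
    '@graph': [
      {
        '@type': 'MedicalClinic',
        '@id': clinicId,
        name: p.name,
        url: p.url,
        telephone: normalizePhone(p.telephone),
        address: { '@type': 'PostalAddress', ...p.address },
        medicalSpecialty: p.specialty,
        openingHoursSpecification: p.hours.map((h) => ({
          '@type': 'OpeningHoursSpecification',
          dayOfWeek: h.days,
          opens: h.opens,
          closes: h.closes,
        })),
      },
      ...p.providers.map((d) => ({
        '@type': 'Physician',
        name: d.name,
        url: d.url,
        medicalSpecialty: d.specialty,
        memberOf: { '@id': clinicId },
      })),
    ],
  };
}

// Serialize into the script tag that goes in the page head. '<' is escaped as
// \u003c (valid JSON) so a value such as a provider name can never contain a
// literal '</script>' that would end the tag early and start HTML injection.
function jsonLdScriptTag(p) {
  const json = JSON.stringify(clinicJsonLd(p)).replace(/</g, '\\u003c');
  return `<script type="application/ld+json">${json}</script>`;
}
```

Practice data flows in from one record and out to both the visible page and the structured data, which is what keeps NAP consistent without a manual audit. The escaping step matters more than it looks: provider bios and service names are often editable by staff in the WordPress admin, and JSON-LD is one of the places where that text is written straight into a script element.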
What to Ask a WordPress Developer
Before engaging a developer for a medical practice website, ask these questions:
- Will you sign a Business Associate Agreement if our site collects any patient health information? A developer who does not know what a BAA is, or who refuses to discuss it, is not the right fit for a healthcare client.
- How are you building accessibility into the site? The answer should reference WCAG 2.1 Level AA and describe a development process — not an overlay plugin.
- What hosting arrangement are you recommending, and does it include a BAA?
- How will you handle contact forms: where does form data go, who has access, how is it stored, and is it emailed? A form that emails submissions to the front desk puts whatever a patient wrote into an ordinary mailbox, which is fine for a name and phone number and not fine for health information.
- Can you show me examples of healthcare sites you have built?
We Build for Healthcare Organizations
Accessible, compliant WordPress builds for independent practices, specialty clinics, and healthcare groups. Free consultation to discuss your specific requirements.