Are Client Contact Form Submissions for Therapist Websites Regulated by HIPAA?

By Joseph Abear

Contact form submissions on a therapist's website become regulated by HIPAA when the form collects protected health information (PHI) and the practice is a covered entity, because that data is electronic PHI the moment it is transmitted and stored. A basic "request an appointment" form with only a name and email is lower risk, but any health detail a client enters should be encrypted and stored under a Business Associate Agreement (BAA).

TL;DR: Quick answer

  • A therapist contact form is HIPAA-regulated once it collects any protected health information.
  • Name and email alone are lower risk; symptoms, diagnoses, or reason-for-visit fields raise the form to ePHI.
  • PHI collected through a form must be encrypted in transit and stored under a signed BAA.
  • Standard form plugins and email notifications often leak PHI, so the whole pipeline must be HIPAA-aware.

When does a contact form become PHI?

If a client submits identifying information together with anything about their health, condition, or need for care, that submission is PHI in the hands of a covered entity. A therapist is typically a covered entity, so a form that asks "what brings you in?" or collects symptoms is collecting ePHI from the first submission.

Which fields raise the risk?

  • Lower risk: name, email, and a general "please contact me" checkbox.
  • Higher risk: reason for visit, symptoms, diagnosis, medication, insurance details, or anything describing the person's health.

The safest design collects the minimum necessary and avoids free-text fields that invite clients to describe their health.

Where do therapist forms usually go wrong?

The most common failures are in the pipeline, not the form's appearance. A plugin emails submissions in plain text, stores them in an unprotected database, or sends a notification to a personal inbox. Each of these can disclose PHI on every submission. Treat the full path, from the browser to storage to notifications, as in scope.

How do you make a therapist contact form HIPAA compliant?

  • Use a form and processor that will sign a BAA.
  • Encrypt submissions in transit (TLS) and at rest.
  • Avoid sending PHI through standard email notifications.
  • Limit fields to the minimum necessary and restrict who can access submissions.
  • Host the site and stored data on HIPAA-compliant infrastructure.

Frequently asked questions

Does a contact form need to be HIPAA compliant?

If it collects PHI for a covered entity, yes. A minimal name-and-email form is lower risk, but any health detail makes the form's data ePHI.

Are website forms considered PHI?

The form is not PHI; the data it collects can be. Identifying information combined with health details is PHI in the hands of a covered entity.

How do I make a therapist contact form HIPAA compliant?

Use a BAA-backed form processor, encrypt submissions, keep PHI out of plain email, minimize fields, and host on compliant infrastructure.

Where to go from here

Forms are one of the most common PHI leak points. See our key security measures and who needs HIPAA-compliant hosting.

This guide is general information, not legal advice.