Is Squarespace HIPAA Compliant? The Website vs Acuity Answer in 2026
Last updated: June 18, 2026
Is Squarespace HIPAA compliant? The Squarespace website builder is not. Squarespace will not sign a Business Associate Agreement (BAA) for its website product, so you cannot store or collect protected health information (PHI) on a Squarespace site. There is one exception. Acuity Scheduling, the booking tool Squarespace owns, can be set up for HIPAA under a BAA on a top plan. So the honest answer has two parts. Your website cannot hold patient data. Your scheduling can, but only through Acuity, set up the right way. Under 45 CFR § 164.308(b), letting a vendor handle PHI without a signed BAA is a violation. That is why this split matters.
TL;DR: Quick answer
- The Squarespace website builder is not HIPAA compliant. Squarespace will not sign a BAA for it, so PHI cannot go on a Squarespace site.
- Acuity Scheduling (also called Squarespace Scheduling) can be set up for HIPAA under a BAA, but only on a Powerhouse or Enterprise plan with the HIPAA settings on.
- Squarespace is careful with words: Acuity is designed to help you meet the HIPAA Security Rule. It is not labeled "HIPAA compliant" on its own.
- A contact or intake form on a Squarespace site that collects health details is a problem. That data lands in a product with no BAA.
- If your site handles PHI beyond scheduling, move those parts to a host that signs a BAA for the hosting itself.
What "HIPAA compliant" means for a website platform
HIPAA does not regulate software. It regulates Covered Entities and their Business Associates, the vendors that handle PHI for them. A platform that stores or sends PHI for you becomes a Business Associate under 45 CFR § 160.103. It must sign a BAA first. So the question "is Squarespace HIPAA compliant?" comes down to one thing per product: will Squarespace sign a BAA for it? For the website, no. For Acuity, yes, with conditions. For how the contract and the controls fit together, see our complete guide to HIPAA-compliant hosting.
The Squarespace website builder: no BAA, no PHI
Squarespace is a popular website builder. For a practice that only publishes information, it can be a fine choice. What it cannot do is hold patient data. Squarespace offers no BAA for its website product. Its own guidance tells customers not to put PHI through Squarespace outside of Acuity. Without a BAA, patient data on a Squarespace site is a violation on contract grounds, separate from any breach. That is true no matter how the site is built. So for a site that collects health data, is Squarespace HIPAA compliant? No.
This catches practices off guard through one feature: the form. A simple Squarespace contact form is low risk. It becomes a problem the moment it asks a visitor to describe symptoms, request an appointment with health details, or upload records. At that point the form holds PHI, and it sits in a product with no BAA. To check whether your site crosses that line, see our breakdown of who needs HIPAA-compliant hosting.
Acuity Scheduling: the one HIPAA path, with conditions
Here is where Squarespace differs from a flat no. Acuity Scheduling, which Squarespace owns, can be set up to support HIPAA. The conditions are specific. You need a Powerhouse or Enterprise plan. You must sign a BAA with Squarespace. You must turn on the HIPAA settings. And you must limit integrations and keep notifications generic, so PHI does not flow to tools with no BAA. Done that way, a practice can take bookings that involve health details through Acuity.
Note the careful wording. Squarespace says Acuity is designed to help you meet the HIPAA Security Rule. It does not call the product "HIPAA compliant" by itself. That wording is correct for any tool. Compliance depends on your settings and your policies, not a label. So if you ask "is Squarespace HIPAA compliant for scheduling?", the answer is this: Acuity can be made compliant when you meet every condition. It is not compliant by default.
The trap: a healthcare site that mixes the two
A common mistake is to assume the whole Squarespace setup is covered because Acuity can be HIPAA-configured. It is not. Your Squarespace website, its forms, and its stored entries sit outside the Acuity BAA. Picture a practice that books through a HIPAA-enabled Acuity account but still collects symptoms through a Squarespace contact form. It has protected the scheduling and exposed the form. Treat the two products separately. Only Acuity, set up correctly, may touch PHI.
How Squarespace compares to other names you may be weighing
The "is Squarespace HIPAA compliant?" question fits a pattern across mainstream platforms. It helps to see Squarespace next to the others.
| Provider | Signs a BAA? | For what |
|---|---|---|
| Squarespace | Partial | Acuity Scheduling only, on a top plan; not the website builder |
| GoDaddy | Partial | Microsoft 365 email only, not web hosting |
| Bluehost | No | No BAA for any product; PHI prohibited by its terms |
| Wix | No | No BAA for any plan |
| AWS | Yes | BAA via AWS Artifact; you configure the safeguards yourself |
| HIPAA Compliant Hosting (us) | Yes | The website hosting itself, with the BAA and managed safeguards included (this is our service) |
Squarespace sits next to GoDaddy. Each signs a BAA for one side product and none for the core hosting. We cover the others in whether GoDaddy is HIPAA compliant and whether Bluehost is HIPAA compliant. To compare the hosts that sign a BAA for the hosting itself, see our roundup of the best HIPAA compliant hosting providers.
What to do if your healthcare site is on Squarespace
If you are asking "is Squarespace HIPAA compliant?" for your practice, here is the practical path.
- Map where PHI flows. List every form, booking, upload, and notification. Mark the ones that collect health information tied to a person.
- Keep the marketing site if it is clean. A Squarespace site with no PHI, no symptom forms, and no health uploads can stay where it is.
- Use Acuity correctly for scheduling. If you need HIPAA scheduling, put it on a Powerhouse or Enterprise plan, sign the BAA, turn on the HIPAA settings, and limit integrations.
- Move other PHI workflows to BAA-covered hosting. Intake forms, a patient portal, and stored records belong on a host that signs a BAA for the hosting itself and meets the 45 CFR § 164.312 safeguards.
Splitting a site this way is common, and it keeps costs down. The tradeoffs and prices are in our 2026 HIPAA hosting cost guide.
If you would rather hand the compliant part to someone
The cleanest setup is often a simple marketing site plus a separate, BAA-covered home for anything that touches patient data. That second part is what HIPAA compliant hosting built for healthcare provides. Our managed plans arrive with a signed BAA for the hosting itself, encryption, audit logging, hardened logins, and a free migration of your site. We sell this service, so weigh that as a disclosure, not a neutral verdict. We also say plainly when the smarter, cheaper path is to keep your marketing site on Squarespace and move only the PHI parts. If you want a straight read on your setup, tell us what your site collects.
Frequently asked questions
Is Squarespace HIPAA compliant?
The Squarespace website builder is not, and Squarespace will not sign a BAA for it, so it cannot hold PHI. Acuity Scheduling can be set up for HIPAA under a BAA on a Powerhouse or Enterprise plan, which covers scheduling only.
Does Squarespace sign a BAA?
Only for Acuity Scheduling on a qualifying plan, not for its website product. Confirm the current terms with Squarespace before you rely on it.
Can I collect patient intake forms on a Squarespace website?
No. Squarespace forms are part of the website product, which has no BAA. A form that collects health information tied to a person needs a BAA-covered host instead.
Is Acuity Scheduling HIPAA compliant?
Acuity can be set up for HIPAA under a BAA on a Powerhouse or Enterprise plan, with the HIPAA settings on and integrations limited. It is not compliant by default. The setup is what makes it work.
Can I run my whole medical practice site on Squarespace?
Only if the site collects no PHI and you use a HIPAA-configured Acuity account for any scheduling that involves health details. The moment other patient data is involved, that part needs BAA-covered hosting.
Recap: is Squarespace HIPAA compliant?
To recap, is Squarespace HIPAA compliant? The website builder is not, and Squarespace signs no BAA for it, so no PHI on the site. Acuity Scheduling is the one path. It works only when you sign a BAA, use a Powerhouse or Enterprise plan, and turn on the HIPAA settings. Keep a clean marketing site on Squarespace if you like. Run scheduling through a properly set up Acuity account. Move any other patient data to a host that signs a BAA for the hosting itself.
This article is general information, not legal advice. Vendor terms and plan names change; confirm Squarespace's current HIPAA terms directly, consult qualified counsel, and base your safeguards on a documented risk analysis. Reviewed June 2026.
Sources
- Squarespace Help Center: Acuity Scheduling and HIPAA
- Acuity Scheduling Help Center: Acuity Scheduling and HIPAA
- 45 CFR § 164.308 (administrative safeguards, BAA requirement): ecfr.gov
- HHS: Covered Entities and Business Associates