HIPAA doesn't automatically apply to every page of your physical therapy website. Its requirements apply only where your site collects, stores, or transmits Protected Health Information (PHI): health data that can be linked to an identifiable patient.
Your homepage, service descriptions, and blog posts about exercises don't involve PHI. A contact form asking "What brings you in?" probably does. Understanding this distinction prevents both under-protection of actual patient data and over-engineering of pages that don't need it.
Common PHI Collection Points on PT Websites
- Online intake forms: Medical history, current conditions, medications, insurance information
- Appointment scheduling: When connected to specific patient names and treatment types
- Secure messaging portals: Any patient communication about their care
- Payment processing: When linked to treatment records or insurance claims
- Outcome tracking forms: Patient-reported progress data connected to identifiable individuals
A simple "Request an appointment" form with name, phone, and preferred time? That's contact information, not PHI. A form asking about injury type, pain levels, and treatment goals? Now you're collecting protected information.
This is educational content about HIPAA requirements—consult a healthcare compliance attorney for guidance specific to your practice.