© 2026 AuthoritySpecialist SEO Solutions OÜ. All rights reserved.

What HIPAA and ADA Actually Require from Your Physical Therapy Website

Patient intake forms, appointment scheduling, testimonials, and online communication each carry specific compliance obligations. This guide separates regulatory requirements from vendor fear-mongering.

Quick answer

What makes a physical therapy website HIPAA compliant?

A HIPAA-compliant physical therapy website requires encrypted patient intake forms, signed Business Associate Agreements with vendors handling protected health information, secure appointment scheduling systems, proper testimonial authorization, and documented policies for electronic communications. Standard website hosting and contact forms typically don't trigger HIPAA unless they collect or transmit patient health information.

Key Takeaways

  1. HIPAA applies when your website collects, stores, or transmits Protected Health Information—not to every page
  2. Business Associate Agreements are mandatory for any vendor handling patient data through your site
  3. Patient testimonials require specific written authorization beyond standard marketing releases
  4. ADA web accessibility obligations are heightened for PT practices serving patients with disabilities
  5. State physical therapy practice acts may impose additional advertising restrictions beyond federal rules
  6. Most compliance violations stem from intake forms and scheduling widgets, not general website content

Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

When HIPAA Actually Applies to Your PT Website

HIPAA doesn't automatically apply to every page of your physical therapy website. The regulation triggers when your site collects, stores, or transmits Protected Health Information (PHI)—identifiable health data connected to a specific patient.

Your homepage, service descriptions, and blog posts about exercises don't involve PHI. A contact form asking "What brings you in?" probably does. Understanding this distinction prevents both under-protection of actual patient data and over-engineering of pages that don't need it.

Common PHI Collection Points on PT Websites

  • Online intake forms: Medical history, current conditions, medications, insurance information
  • Appointment scheduling: When connected to specific patient names and treatment types
  • Secure messaging portals: Any patient communication about their care
  • Payment processing: When linked to treatment records or insurance claims
  • Outcome tracking forms: Patient-reported progress data connected to identifiable individuals

A simple "Request an appointment" form with name, phone, and preferred time? That's contact information, not PHI. A form asking about injury type, pain levels, and treatment goals? Now you're collecting protected information.

This is educational content about HIPAA requirements—consult a healthcare compliance attorney for guidance specific to your practice.

Business Associate Agreements: Who Needs One

Every vendor that handles PHI through your website requires a signed Business Associate Agreement (BAA). This isn't optional—it's a core HIPAA requirement, and violations can result in penalties ranging from $100 to $50,000 per incident.

Vendors Typically Requiring BAAs

  • Form builders: JotForm, Formstack, IntakeQ—if they touch patient health data
  • Scheduling platforms: When appointment types reveal treatment information
  • Email marketing tools: If you segment by condition or treatment history
  • Website hosting: Only when PHI is stored on their servers
  • Analytics platforms: If tracking involves identifiable patient behavior patterns

Vendors That Usually Don't Need BAAs

Standard website hosting with no PHI storage, general contact forms without health questions, and analytics tracking anonymous site behavior typically fall outside BAA requirements.

The critical question: Does this vendor have access to information that could identify a specific patient and their health condition? If yes, get the BAA signed before launch.

Many popular tools offer HIPAA-compliant tiers with BAAs available. JotForm, for example, offers a Healthcare plan specifically designed for covered entities. Don't assume your current plan includes HIPAA compliance—verify and document.

Patient Testimonials: Authorization Requirements Most PTs Miss

Patient testimonials create unique HIPAA exposure because they often reveal both identity and health information simultaneously. A standard marketing release isn't sufficient—you need HIPAA-specific authorization that meets regulatory requirements.

What Valid Testimonial Authorization Requires

  • Specific description of the PHI being disclosed (name, condition, treatment, outcomes)
  • Clear identification of who may receive the information (website visitors, social media audiences)
  • Explicit statement that the patient may revoke authorization at any time
  • Expiration date or event (can be "none" if patient agrees)
  • Signature and date from the patient

Using a general "I consent to use my image and words for marketing" release exposes your practice. The authorization must specifically address health information disclosure.

Video Testimonials Add Complexity

Video testimonials showing patients performing exercises or discussing their recovery create permanent records that patients may later want removed. Build revocation procedures into your workflow—how quickly can you remove a testimonial across your website, YouTube, and social platforms if a patient changes their mind?

Many practices find written testimonials with initials and general condition descriptions ("knee rehabilitation patient") reduce risk while still providing social proof. Consult your compliance officer or healthcare attorney before implementing video testimonial programs.

ADA Web Accessibility: Heightened Obligations for Rehab Practices

Physical therapy practices face intensified ADA web accessibility expectations because your patient population includes people with disabilities. A practice specializing in stroke rehabilitation or neurological conditions serving patients through an inaccessible website creates obvious contradictions—and legal exposure.

WCAG 2.1 Level AA: The Practical Standard

While no federal regulation specifies exact website accessibility standards, courts and settlement agreements consistently reference WCAG 2.1 Level AA as the benchmark. Key requirements include:

  • Text alternatives: All images, including exercise demonstration photos, need descriptive alt text
  • Keyboard navigation: Every function accessible without a mouse
  • Color contrast: 4.5:1 ratio for normal text, 3:1 for large text
  • Form labels: Programmatic labels for screen readers, not just visual placeholders
  • Video captions: Synchronized captions for exercise videos and testimonials
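The contrast thresholds above are checkable with the WCAG 2.1 relative-luminance formula. The following checker is an added example, not code from the original article or from any tool it names; the hex colour values it tests are constructed samples.

```javascript
// Added example (not from the original article): a WCAG 2.1 contrast-ratio
// checker for the 4.5:1 (normal text) and 3:1 (large text) Level AA thresholds.
// Colours are hex strings such as "#777777" or "#fff" (constructed sample values).

// Expand "#abc" to "#aabbcc" and return the three 0-255 channel values.
function parseHex(color) {
  const m = /^#?([0-9a-f]{3}|[0-9a-f]{6})$/i.exec(color.trim());
  if (!m) throw new Error(`not a hex colour: ${color}`);
  let hex = m[1];
  if (hex.length === 3) hex = hex.split("").map((c) => c + c).join("");
  return [0, 2, 4].map((i) => parseInt(hex.slice(i, i + 2), 16));
}

// Relative luminance as defined by WCAG 2.1: linearise each sRGB channel,
// then weight for the eye's differing sensitivity to red, green and blue.
function relativeLuminance(color) {
  const [r, g, b] = parseHex(color).map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (lighter + 0.05) / (darker + 0.05); ranges from 1:1 to 21:1.
function contrastRatio(foreground, background) {
  const l1 = relativeLuminance(foreground);
  const l2 = relativeLuminance(background);
  const [light, dark] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (light + 0.05) / (dark + 0.05);
}

// Level AA check. "Large" text means roughly 18pt, or 14pt bold (WCAG 2.1 SC 1.4.3).
function meetsLevelAA(foreground, background, largeText = false) {
  const ratio = contrastRatio(foreground, background);
  const required = largeText ? 3.0 : 4.5;
  return { ratio: Math.round(ratio * 100) / 100, required, passes: ratio >= required };
}

// A common light-grey caption colour on white fails for body text but is
// acceptable for a large heading.
console.log(meetsLevelAA("#777777", "#ffffff"));       // ratio 4.48, passes: false
console.log(meetsLevelAA("#777777", "#ffffff", true)); // ratio 4.48, passes: true
```

Run the same check over every text/background pair in your stylesheet; the near-miss grey in the example is exactly the kind of failure an automated audit tool flags but a visual review overlooks.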

Common Accessibility Failures on PT Websites

Exercise demonstration videos without captions, appointment scheduling widgets that don't work with keyboard navigation, and intake forms with unlabeled fields are the issues we see most frequently. These aren't edge cases—they affect patients with visual impairments, motor limitations, and hearing loss who are specifically seeking physical therapy services.

Accessibility overlays (those widgets claiming to "fix" accessibility) don't provide compliance and have faced their own lawsuits. Genuine accessibility requires proper site architecture.

State Practice Act Advertising Rules for Physical Therapists

Beyond HIPAA and ADA, state physical therapy practice acts impose advertising restrictions that vary significantly by jurisdiction. What's permissible in Texas may violate California board rules.

Common State-Level Restrictions

  • Specialty claims: Many states restrict use of "specialist" without board-recognized certification
  • Outcome guarantees: Most states prohibit guaranteeing treatment results
  • Comparative claims: "Best physical therapist in [city]" may violate unfair advertising rules
  • Credential display: Requirements for how PT, DPT, and other credentials appear
  • Testimonial restrictions: Some states limit how patient outcomes can be presented

Direct Access Advertising Considerations

In states with direct access provisions, how you advertise that patients can receive PT without physician referral may be regulated. Some states require specific disclosures; others restrict direct access advertising entirely.

Before launching SEO campaigns targeting specific conditions or outcomes, verify your state board's advertising rules. The Federation of State Boards of Physical Therapy provides links to individual state practice acts, but interpretation often requires consultation with healthcare attorneys familiar with your jurisdiction.

State regulations change frequently—verify current rules with your licensing board before implementing advertising strategies.

Implementation Priorities: Where to Start

Compliance doesn't require perfecting everything simultaneously. Prioritize based on risk level and patient data exposure.

Immediate Priority (Address This Week)

  1. Audit current intake forms: Are they collecting PHI? If so, is the form builder HIPAA-compliant with a signed BAA?
  2. Review scheduling integration: Does your scheduling tool have BAA coverage?
  3. Check testimonial authorizations: Do existing testimonials have valid HIPAA authorization?

Short-Term Priority (This Month)

  1. Run accessibility audit: Use WAVE or axe DevTools to identify major accessibility failures
  2. Review vendor contracts: Confirm BAA status for every tool touching patient data
  3. Document policies: Written procedures for handling PHI through website channels

Ongoing Maintenance

  • Quarterly accessibility spot-checks as you add new content
  • Annual review of state practice act advertising rules
  • Re-authorization process for testimonials as circumstances change

The gap between "we think we're compliant" and documented compliance creates risk. When OCR investigates a complaint, they ask for documentation—not assurances. Build verification into your regular practice management workflows rather than treating compliance as a one-time project.

For practices uncertain about their current compliance status, a structured HIPAA-aware SEO audit for physical therapy practices identifies gaps before they become violations.

FAQ

Frequently Asked Questions

It depends on what the contact form asks. A form collecting name, phone, and preferred appointment time doesn't involve Protected Health Information. A form asking about injury type, symptoms, or medical history does — and triggers HIPAA requirements. Evaluate each data collection point individually rather than making blanket assumptions.

Yes, but with proper HIPAA authorization. The authorization must specifically describe the photos being used, state that they may be viewed by website visitors, include revocation rights, and be signed by the patient. Standard marketing releases don't satisfy HIPAA requirements for health-related imagery.

Civil penalties range from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category. Criminal penalties for knowing violations can reach $250,000 and imprisonment. Most website-related violations fall under civil penalties, but intentional misconduct escalates exposure significantly.

Courts have increasingly applied ADA Title III to websites of businesses serving the public. Physical therapy practices face heightened scrutiny because they serve patients with disabilities. WCAG 2.1 Level AA is the commonly referenced standard, though no federal regulation specifies exact technical requirements.

State rules vary significantly. Many states restrict specialty claims to those with recognized certifications (OCS, SCS, etc.). Others allow practice emphasis descriptions without formal certification. Verify your state practice act's advertising rules before using specialty designations in website content or SEO campaigns.
