© 2026 AuthoritySpecialist SEO Solutions OÜ. All rights reserved.


What HIPAA and APA Actually Require for Your Psychology Practice Website (And What They Don't)

Clear guidance on privacy rules, ethical advertising standards, and state board regulations — so you can market your practice without compliance anxiety.


Quick answer

What makes a psychologist website HIPAA compliant?

A HIPAA-compliant psychologist website requires encrypted (HTTPS) contact forms for any submission that contains protected health information, a Business Associate Agreement with any third party handling PHI, secure online scheduling systems, and clear privacy policies. Additionally, APA Ethical Standard 4 requires maintaining confidentiality in all digital communications. State psychology boards add advertising-specific rules that vary by jurisdiction.

Key Takeaways

  • Contact forms collecting health information require encryption and may trigger BAA requirements with your web host
  • APA Ethical Standards 5.01-5.06 govern advertising claims; superlatives like 'best therapist' violate these standards
  • Patient testimonials create dual HIPAA and APA ethics concerns that most psychology practices should avoid
  • Online scheduling systems that collect appointment reasons or intake information need HIPAA-compliant platforms
  • State psychology board advertising rules vary significantly; California, Texas, and New York each have distinct requirements
  • Google Business Profile optimization is permissible but requires accurate credential representation
  • This is educational guidance, not legal advice; verify current requirements with your state board and a healthcare attorney
Editorial note: This content is educational only and does not constitute legal, accounting, or professional compliance advice. Regulations vary by jurisdiction — verify current rules with your licensing authority.

HIPAA Privacy Rule Requirements for Psychology Practice Websites

The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the Security Rule (Subpart C, which is where the encryption, access-control, and audit requirements live) apply to your psychology practice website when your practice is a HIPAA covered entity and the site collects, transmits, or stores protected health information (PHI). Most practices that bill insurance electronically are covered entities; a cash-only practice that conducts no electronic standard transactions may not be, though state confidentiality law and APA ethics still apply. Understanding exactly when HIPAA applies, and when it doesn't, prevents both over-engineering your compliance approach and dangerous gaps.

When HIPAA applies to your website:

  • Contact forms asking about symptoms, diagnoses, or treatment history
  • Online scheduling systems where patients indicate appointment reasons
  • Patient portals with access to records or secure messaging
  • Intake forms collecting health information before first appointments

When HIPAA typically doesn't apply:

  • General contact forms collecting only name, email, and phone number
  • Newsletter signup forms
  • Blog content and educational resources
  • Your Google Business Profile listing

The critical distinction: if someone could identify a patient AND connect them to health information through your website, HIPAA protections apply. A form asking "What brings you to therapy?" creates PHI the moment someone submits it, and that PHI travels wherever the submission goes: the form vendor's servers, your inbox if the plugin emails submissions, the site database, and any backups of it.

Technical requirements when HIPAA applies:

  • TLS (HTTPS) on every page of the site, not just the page hosting the form: an HTTP page that embeds or links to the form can be altered in transit to redirect submissions, and the form's own action URL must be HTTPS as well. Enable HSTS so browsers refuse plain-HTTP connections.
  • Business Associate Agreement with your web hosting provider if it can access PHI
  • BAA with any third-party form processor, plus confirmation of where submissions go afterward: many popular form plugins store submissions unencrypted in the site database or email them in plain text, neither of which is acceptable for PHI
  • Access controls limiting who can view form submissions (individual accounts, least privilege, no shared logins)
  • Audit trails documenting who accessed submitted information and when

Note: This is educational content about HIPAA requirements, not legal advice. Consult a healthcare attorney for your specific situation.

APA Ethical Standards for Psychology Practice Marketing

The APA Ethical Principles of Psychologists (Standards 5.01-5.06) govern how you can advertise your practice. These standards apply to your website, directory listings, social media, and any SEO content you publish.

Standard 5.01 - Avoidance of False or Deceptive Statements:

You cannot make false, deceptive, or misleading claims about your services. This includes:

  • Claiming expertise in specialties where you lack training or experience
  • Using superlatives like "best," "top," or "leading" without objective verification
  • Implying or guaranteeing particular treatment outcomes
  • Misrepresenting your credentials, degree, or licensure status

Standard 5.02 - Statements by Others:

You're responsible for statements others make on your behalf. If you hire an SEO agency that makes exaggerated claims about your practice, you bear ethical responsibility. This is why working with marketers who understand psychology ethics matters.

Standard 5.04 - Media Presentations:

Blog posts, videos, and podcast appearances fall under this standard. Educational content must be based on appropriate psychological literature and practice, not personal opinion presented as fact.

What's permitted under APA standards:

  • Accurate descriptions of your training, credentials, and experience
  • Factual information about your approach and theoretical orientation
  • Educational content about mental health topics within your competence
  • Accurate listings of services you actually provide

Verify current APA ethics requirements at apa.org and with your state psychology board.

The Testimonial Problem: HIPAA, APA, and Patient Reviews

Patient testimonials create a compliance intersection where HIPAA, APA ethics, and state board rules all apply, and all three usually point toward avoidance rather than creative workarounds.

HIPAA concerns with testimonials:

A patient testimonial inherently reveals that someone received mental health treatment from you. Even if the patient volunteers this information, using it for marketing purposes requires written authorization under HIPAA. The authorization must be specific to marketing use, separate from general consent for treatment.

APA Standard 5.05 - Testimonials:

Psychologists do not solicit testimonials from current therapy clients or others who may be vulnerable to undue influence. This standard effectively prohibits requesting testimonials from:

  • Current clients
  • Recent former clients (the "vulnerable" period isn't defined—use conservative judgment)
  • Anyone in an ongoing professional relationship with you

What about unsolicited Google reviews?

When patients leave Google reviews without your solicitation, you face a different situation. You didn't violate APA 5.05 by requesting them. However:

  • Responding to a review in a way that confirms a therapeutic relationship may implicate HIPAA
  • Some state boards prohibit even passive use of testimonials in advertising
  • Featuring or promoting unsolicited reviews may cross into "use" under ethics rules

The practical approach many practices adopt:

Don't solicit reviews from therapy clients. If unsolicited reviews appear, consult your state board's guidance before responding. Consider whether a brief, generic response ("Thank you for your feedback") avoids confirming the therapeutic relationship.

State board rules vary significantly on testimonials—check your specific jurisdiction's requirements.

HIPAA-Compliant Online Scheduling for Psychology Practices

Online scheduling increases conversion for therapy practices, but implementation details determine whether you're creating compliance risk or convenient patient access.

When online scheduling triggers HIPAA:

If your scheduling system collects any information beyond basic contact details and preferred times, HIPAA likely applies. Common features that create PHI include:

  • Dropdown menus for "reason for visit" or presenting concerns
  • Intake questionnaires before scheduling
  • New client vs. existing client distinctions (confirms treatment relationship)
  • Insurance information collection

Platform requirements for HIPAA compliance:

  • The scheduling platform must sign a Business Associate Agreement with your practice
  • Data must be encrypted in transit and at rest
  • The platform must have access controls and audit capabilities
  • You need a process for handling scheduling data in breach scenarios

Platforms commonly used by psychology practices:

Several platforms market specifically to mental health providers with HIPAA compliance, including SimplePractice, TherapyNotes, and Jane App. However, signing a BAA doesn't automatically make your implementation compliant—how you configure forms and data collection matters.

A conservative approach:

Some practices limit online scheduling to contact information and time preferences only, handling intake separately through their EHR portal. This reduces website compliance complexity while still offering scheduling convenience.

Integration with SEO:

Online scheduling improves conversion rates and can support local SEO through user engagement signals. The compliance investment often pays for itself through increased appointment bookings. For guidance on integrating compliant scheduling into your broader search strategy, see our resource on SEO for psychologists done within HIPAA and APA guidelines.

State Psychology Board Advertising Regulations: Key Variations

Beyond HIPAA and APA ethics, your state psychology board has advertising regulations that may be more restrictive than national standards. These rules vary significantly—what's permitted in one state may violate regulations in another.

Common state board advertising requirements:

  • Display of license number on advertising materials (some states require this on websites)
  • Specific language requirements for describing credentials
  • Restrictions on specialty claims without board-approved certifications
  • Rules about using "Dr." title in advertising
  • Requirements for identifying supervised practitioners

State-specific examples (verify current rules with each board):

California: The Board of Psychology requires that advertising include license number and prohibits claims of specialty unless the psychologist has completed board-recognized specialty training.

Texas: The Texas State Board of Examiners of Psychologists has specific rules about advertising telehealth services and requires clear identification of license type.

New York: The State Education Department regulates professional advertising broadly, with requirements about credential representation that affect website content.

Multi-state practice considerations:

If you're licensed in multiple states or provide telehealth across state lines, your website may need to comply with advertising rules in each jurisdiction where you practice. This often means defaulting to the most restrictive requirements.

Keeping current:

State board rules change. Set a calendar reminder to review your state board's advertising regulations annually. When boards update rules, they often provide guidance documents explaining changes—these are worth reading.

This overview reflects common patterns as of 2024. Verify current requirements directly with your state psychology board.

Implementing SEO Within Compliance Boundaries

Compliance constraints don't prevent effective SEO for psychology practices—they shape how you implement it. Understanding what's permitted helps you optimize confidently rather than avoiding digital marketing entirely.

Content marketing within APA ethics:

  • Educational blog posts on mental health topics within your competence
  • Accurate descriptions of therapeutic approaches you use
  • Information about what patients can expect in treatment (without outcome guarantees)
  • Resources about when to seek professional help

Local SEO within compliance:

Google Business Profile optimization is permissible and effective. You can:

  • Accurately list your credentials, specialties, and services
  • Post educational content and practice updates
  • Respond to reviews carefully (see testimonial section)
  • Maintain accurate location and contact information

Technical SEO without compliance concerns:

Most technical SEO—site speed, mobile optimization, proper heading structure, schema markup—has no compliance implications. These improvements help patients find you without creating HIPAA or ethics issues.

Directory listings:

Psychology Today, GoodTherapy, and similar directories are valuable for visibility. Ensure your profile information:

  • Matches credentials exactly as licensed
  • Doesn't make prohibited claims about outcomes or superiority
  • Reflects your actual areas of practice

What requires careful handling:

  • Forms collecting health information
  • Chat widgets that might receive PHI
  • Analytics tags and tracking pixels: HHS OCR has published guidance on online tracking technologies, and third-party scripts on scheduling, intake, or portal pages can disclose identifiers plus health context to the tracking vendor. Keep trackers off those pages or use a vendor that signs a BAA.
  • Any feature where patients might disclose health information
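As a worked example of the checks in this list and in the "Technical requirements when HIPAA applies" list above (added here as an illustration; it is not code from the original page), the following Python script statically audits a page's HTML for the issues those lists describe: forms whose field names suggest health information, such forms submitting over plain HTTP or to a third-party host with no BAA, and third-party scripts or pixels present on a page that collects health information. The PHI keyword list, the `baa_hosts` allowlist, and the sample HTML are constructed assumptions; tune the keywords to your own intake forms.

```python
"""Static audit of a web page for HIPAA-relevant form and tracking issues.

Assumptions (constructed for this example, not taken from any real site):
the PHI keyword heuristic, the baa_hosts allowlist, and SAMPLE_HTML.
Uses only the standard library so it runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that suggest a form collects health information (heuristic;
# constructed list, extend it to match your own intake and scheduling forms).
PHI_FIELD_KEYWORDS = (
    "symptom", "diagnos", "reason", "concern", "history", "medication",
    "insurance", "therapy", "treatment", "new_client", "existing",
)


class _PageParser(HTMLParser):
    """Collect each form with its field names, plus external script/img sources."""

    def __init__(self):
        super().__init__()
        self.forms = []     # dicts: action, method, fields
        self.scripts = []   # src of <script> tags
        self.images = []    # src of <img> tags (tracking pixels)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(a.get("name") or a.get("id") or "")
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host(url, page_host):
    """Host a URL resolves to; relative URLs resolve to the page's own host."""
    return (urlparse(url).netloc or page_host).lower()


def collects_phi(form):
    """True if any field name matches the PHI keyword heuristic."""
    return any(k in f.lower() for f in form["fields"] for k in PHI_FIELD_KEYWORDS)


def audit_page(html, page_url, baa_hosts=frozenset()):
    """Return a list of (finding, detail) tuples for the given page HTML.

    baa_hosts: hosts of vendors that have signed a BAA with the practice;
    PHI sent to any other third-party host is flagged.
    """
    page = urlparse(page_url)
    page_host = page.netloc.lower()
    parser = _PageParser()
    parser.feed(html)
    findings = []

    if page.scheme != "https":
        findings.append(("page-not-https", page_url))

    phi_forms = [f for f in parser.forms if collects_phi(f)]
    for f in phi_forms:
        if f["method"] != "post":
            # GET puts field values in the URL: server logs, referrers, history.
            findings.append(("phi-form-uses-get", f["action"] or "(same page)"))
        if urlparse(f["action"]).scheme == "http":
            findings.append(("phi-form-action-not-https", f["action"]))
        host = _host(f["action"], page_host)
        if host != page_host and host not in baa_hosts:
            findings.append(("phi-form-third-party-without-baa", host))

    # Any third-party script or pixel on a PHI-collecting page can see what
    # the visitor does there; flag every host not covered by a BAA.
    if phi_forms:
        for src in parser.scripts + parser.images:
            host = _host(src, page_host)
            if host != page_host and host not in baa_hosts:
                findings.append(("third-party-resource-on-phi-page", host))
    return findings


# Constructed sample page: an analytics tag, a contact form that asks for a
# reason for the visit and posts to a form vendor, and a harmless newsletter form.
SAMPLE_HTML = """
<html><body>
<script src="https://analytics.example/tag.js"></script>
<form action="https://forms.vendor.example/submit" method="post">
  <input name="name"><input name="email">
  <textarea name="reason_for_visit"></textarea>
</form>
<form action="/newsletter" method="post"><input name="email"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "https://www.practice.example/contact"):
        print(*finding)
```

Run against the sample, the contact form is flagged for posting PHI to `forms.vendor.example` without a BAA and for the analytics script on the same page; the newsletter form collects only an email address and produces no findings. Passing `baa_hosts={"forms.vendor.example"}` clears the first finding but not the tracker, which is the usual shape of the problem: the form vendor is under contract, the analytics tag is not.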

For a comprehensive approach to growing your practice online while maintaining ethical standards, explore our guide to compliant SEO approach for therapy practices.


Frequently Asked Questions

If your website collects, transmits, or stores protected health information, including contact forms asking about symptoms or reasons for seeking therapy, and your web host can access that data, a BAA is typically required. Simple brochure websites without forms collecting health information generally don't trigger this requirement. Consult a healthcare attorney for your specific configuration.

APA Ethical Standard 5.05 prohibits soliciting testimonials from current clients or those who may be vulnerable to undue influence. Most interpretations extend this to former therapy clients, at least for a reasonable period. Some state boards have additional restrictions. The safest approach is not soliciting reviews from therapy clients. Reviews from professional colleagues or workshop participants may be permissible depending on your state board's rules.

You can accurately state credentials you actually hold: your degree, license type, license number (often required), and certifications from recognized bodies. Claims of specialty require care: some states only permit specialty claims with board-approved specialty certification. Avoid superlatives like 'expert' or 'specialist' unless you can verify objective criteria supporting the claim. When in doubt, mirror exactly how your license appears in your state board's public records.

Any response that confirms a therapeutic relationship may violate HIPAA. Safe approaches include generic responses that neither confirm nor deny the person was a patient: 'Thank you for your feedback. We take all concerns seriously.' Avoid responding with specifics, even to correct inaccuracies. Some practices choose not to respond to any reviews to avoid inadvertent confirmations. Consult your state board and a healthcare attorney for guidance specific to your situation.

HIPAA requires covered entities to provide a Notice of Privacy Practices, though this traditionally applies to the clinical relationship rather than the website specifically. However, state privacy laws (like California's CCPA), website analytics tracking, and best practices all point toward having a clear privacy policy. If your website collects any information, even just email addresses for newsletters, a privacy policy explaining data practices is both legally prudent and trust-building for potential patients.

Case studies require extreme caution. Even with identifying details removed, the combination of demographic information, presenting concerns, and treatment details can make patients identifiable, especially in smaller communities. If you use case examples, they should be composites or sufficiently altered that no individual could recognize themselves or be recognized by others. Written authorization doesn't eliminate the ethical concerns about using therapy material for marketing. Many practices avoid case studies entirely in public-facing content.
