Is Squarespace HIPAA compliant? What therapists actually need to know
Squarespace does not sign BAAs, but that does not mean therapists can't use it. Here is what HIPAA actually requires of your practice website, in plain language.
The short answer: Squarespace does not sign Business Associate Agreements, which means it is not the right place to collect or store client health information. But that does not mean therapists can't use Squarespace. It means you need to understand which parts of your web presence handle protected health information and which don't, and set each one up accordingly.
I build websites for therapists on Squarespace, and I also have years of experience managing the front office of a psychological practice. Here is the plain-language version of what HIPAA actually asks of your website, without the fear-mongering. This is part of my guide to hiring a web designer.
What HIPAA requires, and what it doesn't
HIPAA's Privacy and Security Rules protect health information. When it comes to your website, the key question is: does protected health information (PHI) flow through this tool?
Your marketing website itself, meaning the pages that describe your practice, your specialties, your fees, and how to contact you, does not handle PHI. Someone visiting your "About" page is not transmitting health information. Squarespace is fine for this, the same way a physical office's front door and waiting room don't need to be HIPAA-compliant.
Where HIPAA matters is in the tools that collect, transmit, or store client information: intake forms, scheduling systems, email, messaging, and increasingly, analytics and tracking.
The practical upshot: Squarespace is an excellent platform for your practice's website. But the tools that touch client information, forms that ask about symptoms, scheduling tools that store appointment details, email systems for client communication, need to come from vendors willing to sign a Business Associate Agreement with your practice.
What a Business Associate Agreement is and why it matters
A BAA is a contract between your practice and any vendor that handles PHI on your behalf. It legally requires them to protect that information and makes them liable if they don't. Without a signed BAA, your practice carries all the risk, and you may be in technical violation of HIPAA regardless of whether a breach ever occurs.
Squarespace does not sign BAAs. This is not a secret or a flaw. It is stated in their documentation. Squarespace is a website platform, not a healthcare tool, and they're clear about that boundary.
How to set up a therapist website correctly on Squarespace
The setup that works:
The website (Squarespace): all your public-facing pages: home, about, specialties, fees, FAQ, testimonials, blog, contact page with a simple form that asks only for name, email, phone, and a general message (not symptoms, diagnoses, or health details).
Intake forms (a BAA-covered tool): the actual intake paperwork, anything that asks for health history, symptoms, diagnoses, medications, or insurance details, runs through a separate tool that will sign a BAA with your practice. You embed it on your Squarespace site or link to it from a button.
Options that offer BAAs for intake and secure messaging:
- SimplePractice (includes intake, scheduling, billing, and telehealth, all BAA-covered)
- IntakeQ (intake forms, scheduling, secure messaging, BAA available)
- Hushmail (HIPAA-compliant email and web forms, BAA included)
- Google Workspace (BAA available when configured at the organization level, though setup requires care)
- Jane App (intake, scheduling, charting, BAA available)
Scheduling (BAA-covered or low-risk): if your scheduling tool stores appointment type or reason-for-visit, it's handling PHI and needs a BAA. SimplePractice and Jane cover this natively. If you use Acuity Scheduling (included with some Squarespace plans), be aware that Acuity's parent company Squarespace does not sign BAAs, so don't collect health details through Acuity's booking forms, keep it to name, contact, and time slot only.
Email: your regular Gmail or Outlook account is not HIPAA-compliant. Client-related email communication should happen through a secure channel. This is true regardless of your website platform.
The analytics question
In recent years, federal regulators issued specific guidance cautioning healthcare providers about tracking technologies on their websites. The concern is that tools like Google Analytics, Meta Pixel, and similar trackers can inadvertently share information about what health-related pages a person visited, linking browsing behavior to identifiable individuals.
For a therapy practice website, this means being thoughtful about which analytics tools you install and what data they collect. A conservative approach: use a privacy-focused analytics tool (like Fathom or Plausible) that doesn't use cookies or track individuals, or configure Google Analytics with IP anonymization and without any ad-network integrations. Do not install Meta Pixel, TikTok Pixel, or similar advertising trackers on a therapy practice website.
I set this up as part of every practice site I build, and I'll explain the choices in plain terms.
What you can stop worrying about
A few things the internet makes sound scarier than they are:
Having a Squarespace website is not a HIPAA violation. HIPAA does not regulate website platforms. It regulates what happens with protected health information. If your Squarespace site doesn't collect PHI (and it shouldn't, that's what the separate intake tool is for), the platform choice is not a compliance issue.
Your practice blog is fine. Writing about anxiety, depression, trauma, or any clinical topic on your blog does not involve PHI. You're publishing general information, not client records.
A simple contact form is fine. "Name, email, phone, how can I help?" does not collect PHI. A form that asks "describe your symptoms and psychiatric history" does. Keep the website form simple, and move the detailed intake to the BAA-covered tool.
When to ask a compliance professional instead of a web designer
I'm a designer, not a compliance attorney, and the line between my expertise and theirs matters. I can set up your website correctly, choose appropriate tools, configure analytics conservatively, and explain why each choice was made. What I cannot do is interpret edge cases in HIPAA law, advise you on breach notification obligations, or audit your overall practice compliance.
If you're starting a new practice and want a compliance review of your entire setup (website, EHR, email, telehealth, cloud storage), that conversation belongs with a HIPAA consultant or a healthcare attorney, and the investment is worth it. Your website is one piece of a larger compliance picture.
The bottom line
Squarespace is a good platform for therapist websites. It is not a good place to collect client health information. Those are two different things, and the setup that handles both correctly is straightforward: Squarespace for the site, a BAA-covered tool for intake and scheduling, conservative analytics, and a clear understanding of where the boundary is.
This is exactly how I build every practice website, and I'm happy to walk you through the setup in a free call. See my therapist website packages for the full picture. For general pricing, see how much a Squarespace designer costs.
Frequently asked questions
Can I use Squarespace forms for therapy intake?
Not for forms that collect health information. Keep your Squarespace contact form limited to name, email, phone, and a brief message. Actual intake paperwork (health history, symptom checklists, insurance details) should go through a BAA-covered tool like SimplePractice or IntakeQ, embedded on or linked from your site.
Does my therapist website need an SSL certificate?
Yes, and Squarespace includes one automatically on every site at no extra charge. SSL encrypts data in transit (the padlock icon in the browser bar). It's a baseline, not a HIPAA checkbox, but it's essential.
Is telehealth through my website a separate HIPAA issue?
Yes. Telehealth platforms need their own BAAs and have their own compliance considerations. Zoom for Healthcare, Doxy.me, and SimplePractice Telehealth all sign BAAs. Regular Zoom does not meet the standard on its own. This is separate from your website setup.