Squarespace Forms Are Not HIPAA-Compliant. Here’s What to Do Instead.

Squarespace is my go-to for all things websites. Except for this one area: forms. 🤦‍♀️

Don’t get me wrong, Squarespace forms are beautiful but they are not HIPAA-compliant. Because I serve therapists I have been on the hunt for good alternatives and that’s what I want to share with you today!

Note: The options I share today work on any major website platform (Wix, WordPress, Weebly, etc.), not just Squarespace.

 

First, did you know that HIPAA requirements are ramping up for 2025?

In early 2024 the US Department of Health and Human Services (HHS) released its Cybersecurity Performance Goals to increase protections for patients. It includes updated requirements for:

  • Stronger patient data encryption

  • Higher email security

  • Disclosure of known security vulnerabilities

  • Enhanced incident planning and reporting

Because of this, if you don’t have secure forms on your website–and a secure way to email with your clients–now is a good time to figure out your plan to become compliant!

Note: I’ve linked the official HHS release above, but if you want something in regular human language 😂 that includes action items, check out this article:

HIPAA Security Rule updates: What it Means for Small Healthcare Practices*

 

Why Squarespace forms are not HIPAA-compliant.

In July of 2023 Squarespace made an update so that when anyone fills out a form on your website all that information will automatically be stored in Squarespace in an area called “Contacts.”

To be fair to my beloved Squarespace, they have never been or claimed to be a HIPAA-compliant platform. So they are absolutely not doing anything wrong here.

But, prior to this update, you used to be able to connect your forms to a HIPAA-compliant email address and Squarespace didn’t keep a copy of any of that info anywhere. Even that was never 100% secure because the data technically had to pass through Squarespace servers. However, many providers felt it was a reasonable option.

 

What are the best HIPAA-compliant alternatives to Squarespace forms?

I have been searching high and low the past year, even having meetings with various form creation platforms, and I’m psyched to tell you that I have found some options that are actually affordable for your everyday private practice owner (because believe me, there are options out there that will run you $100/month or more, eep!).

 

Option #1: Don’t have a form at all!

Many of my customers and clients have been opting to just list their email on their contact page and in their website footer and calling it good.

Of course, there are advantages and drawbacks to this approach.

Pros

  • No worries about HIPAA.

  • Easy. Just add your email and that’s it.

Cons

  • It adds friction for the client because they have to take an additional step (or even multiple steps) to contact you.

  • Increased friction means less likelihood that potential clients will contact you.

  • Forms allow you to collect specific information that you might want upfront from a potential client. No form, no info.

 

Option #2: Hushmail Forms*

Hushmail is a HIPAA-compliant email service for healthcare providers. They’ve been in the game a long time (with over 4 stars on both Trustpilot and Capterra!).

They offer secure forms that you can customize with their drag & drop form builder and then embed those directly onto your website!

Here’s an example of a website that uses a Hushmail form:

Pros

  • Questions are totally customizable.

  • Less than $25 a month (way less than other products out there).

  • You can use it to collect secure online signatures too!

  • Embed it directly onto your site so visitors don’t have to click away to a third-party.

  • It blends into the background color of your site.

Cons

  • You can’t change fonts or colors (though it does blend with the background color of your site).

  • You can’t use it with another email account; it only works with a Hushmail email account.

 

Are Hushmail Forms right for your practice?

If you don’t already have a HIPAA-secure email account set up and your top priority is protecting PHI, and you don’t have a huge budget, this is an awesome option.

What if I already have an EHR? Is Hushmail still worth it?

If you already have an EHR, I would check out these articles:

4 reasons to use secure email (even if you have EHR messaging)
5 ways to use Hush™ Secure Forms (even if you have an EHR)

BTW, if you want an even further deep dive on using online forms, this article, “Online forms explained: FAQs and insights into Hush™ Secure Forms,” is excellent!

 

Option #3: Use Google Forms

Google Forms comes with Google Workspace. It’s really important to note that:

  1. You must have the paid version (aka, not regular Gmail, which is free).

  2. You must sign a BAA with Google Workspace for it to be HIPAA-compliant.

It’s easy to sign the BAA and it doesn’t cost anything extra. Learn more about using Google Workspace for your therapy practice.

  • Here's the latest guidance as of Oct. 2024:

    1. Sign in to your Google Admin console.

      (make sure you are signed in using the main account that has "super administrator privileges")

    2. In the Admin console, go to:

      Menu -> Account -> Account Settings -> Legal & Compliance

    3. Go to the Security and Privacy Additional Terms section.

    4. Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to review the amendment.

    5. Click Review and Accept and answer all three questions to confirm that you are a HIPAA covered entity.

    6. To accept the HIPAA BAA, click OK.

      Here's the original documentation link for Google where you can check for updates in case they've changed!

 

Pros

  • Affordable! Google Workspace starts at just $6/month.

  • Add any questions you want with their form builder.

  • You can embed a Google form directly into your website by grabbing the embed code provided by Google.

 

Cons

  • Styling options are very limited, so if you have a beautifully designed site it will stick out like a sore thumb!

  • You can link out to the form instead, but that will bounce people off your site and we want to avoid that if possible.

  • You can’t use it to collect signatures for paperwork.

 

Final Thoughts on Using Secure Forms for Your Therapy Website

HIPAA regulations are becoming stronger in order to serve and protect patients better. Yes, I totally hear you that it’s a pain. As a former therapist, I remember stressing over this stuff too!

But keep in mind your patients and the sensitive info they share with you, and the way laws change (in the US anyhow) in ways that may impact how health info gets used, or even used against patients. And of course I don’t have to remind you of legal or license issues.

So even though it is an absolute pain, it’s well worth the time, consideration and investment to keep you and your clients safeguarded in our ever-changing healthcare world!

 
Melissa Kelly | Go Bloom Founder

Melissa Kelly is a former therapist turned website specialist for mental health professionals. Her unique blend of clinical experience, writing skills, and web design expertise allows her to help therapists build engaging online presences that truly resonate with their ideal clients in an ethical and authentic way. Through her courses, templates, and membership program, Melissa teaches therapists to confidently showcase their practices online.
