Binswar

Your Contact Form and HIPAA: What Many Therapists Don't Know

Laptop displaying a security lock icon on a table with a potted plant and clock.

Over the past year, we have reviewed dozens of therapist and private practice websites and one pattern shows up consistently: almost every site has a contact form, and almost every contact form has an open message field.

That message field is doing more than most people realize.

Therapists want useful context before a first call. A form that invites someone to share a little about what they are looking for helps the therapist understand who is reaching out and whether they are a good fit. And from the other side, someone reaching out for mental health support is likely going to share something real. Why they are reaching out. What they have been going through. What they are hoping to find. Both sides of that exchange have every reason to make that message field meaningful, and so it usually is.

What most practice owners do not realize is that a message sent through a standard website contact form may create HIPAA exposure. Most web designers are not HIPAA-informed, and most practice owners assume that if the form is sending messages to a HIPAA-compliant email address or a compliant platform, the process is covered. The part that often goes unexamined is what happens in between. Standard contact forms route submissions through third-party infrastructure before they ever reach your inbox, and that is where the exposure lives.

What the rule actually says

HIPAA protects what it calls Protected Health Information, or PHI. The definition has two parts: individually identifiable information, and health information. Both have to be present for something to qualify. A name alone is not PHI. A diagnosis alone is not PHI. A name connected to a diagnosis, a treatment, or the fact that someone is seeking mental health care is PHI.

This is where website contact forms get complicated.

The problem with standard forms

Most website builders and form tools route submissions through their own infrastructure. When a visitor fills out a form on your site and hits submit, that data passes through the platform's servers before it ever reaches your inbox. If you have not signed a Business Associate Agreement with that platform, you have no legal assurance that the data is being handled in compliance with HIPAA.

A Business Associate Agreement, or BAA, is a contract between a covered entity, which includes most mental health providers, and a third-party service that handles PHI on their behalf. It establishes the service provider's obligation to protect that information. Without one, the arrangement is not compliant, regardless of how secure the platform claims to be.

Standard website form tools do not offer BAAs. They are not built for healthcare. They are built for general-purpose contact forms, and most of their terms of service make that clear. Using one to collect information from patients or prospective patients is a risk, not a technicality.

But my form only asks for a name and phone number

This is the most common objection, and it is a reasonable one. A form that asks only for a name, a phone number, and a general message does not explicitly collect health information. On its face, it looks fine.

Here is the nuance: HIPAA compliance is not just about what you ask. It is also about what people tell you.

Prospective patients reach out through contact forms all the time with more than you asked for. "I am looking for a therapist who works with anxiety and trauma." "I was referred by my psychiatrist." "I am dealing with a difficult divorce and need someone who specializes in that." You may not have asked for any of that. But once it arrives in a submission, you have received it, you are a covered entity, and you are responsible for how it is handled.

There is also a broader interpretive question that some compliance professionals have raised: whether submitting any form on a mental health practice website, even a general inquiry, carries implicit health information simply by the nature of what the site is. This is not settled law. HHS has not issued a ruling that says a name and email submitted through a therapy practice contact form automatically constitutes PHI. But it is a legitimate risk argument, and one worth understanding before dismissing it.

What a lower-risk setup looks like

There is no single right answer here, and none of this is legal advice. But there are approaches that reduce exposure meaningfully.

The simplest is to keep the contact form general. Ask for a name, an email address, and a brief message, and add a short disclaimer letting visitors know that the form is not a secure channel and that they should avoid sharing sensitive health information through it. This does not eliminate risk entirely, but it signals intent, sets expectations for the visitor, and reduces the likelihood that the form becomes a place where PHI lands by default.

For appointment requests specifically, the cleaner solution is to skip the contact form altogether for that purpose and direct prospective patients to your existing HIPAA-compliant booking platform, whether that is SimplePractice, TherapyNotes, Zencare, or whatever your practice already uses. Those platforms were built for this. They have the infrastructure, the encryption, and the Business Associate Agreements already in place. Letting them handle clinical intake is not a workaround. It is the right tool for the job.

A few questions worth asking about your current site

If you already have a website, these are worth looking into:

  • What platform or tool is handling your form submissions, and does it offer a Business Associate Agreement?
  • Are submissions stored anywhere after they are sent, in a database, a CRM, or a third-party dashboard, and if so, is that covered?
  • Does your form language invite clinical detail, either directly or through the way it is worded?
  • Is there a disclaimer letting visitors know the form is not a secure channel?
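The first two questions above can be partly answered from the page markup itself: each form declares where it submits and what it collects. The script below is an added example for this post, not code from Binswar or from any form tool. It parses a constructed snippet of HTML (the site host and the third-party endpoint are made-up names) and reports, for every form, whether it posts to your own domain or to someone else's, whether it uses GET (which would put the submitted fields into the URL and therefore into server and proxy logs), and which free-text fields it exposes, since those are where unrequested clinical detail tends to land.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample markup standing in for a practice site's contact page.
# Neither host name is real; they are placeholders for this example.
SITE_HOST = "example-practice.test"
SAMPLE_HTML = """
<form action="https://forms.example-formtool.test/submit/abc123" method="post">
  <input type="text" name="name">
  <input type="email" name="email">
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
<form action="/book" method="get">
  <input type="text" name="name">
  <input type="email" name="email">
</form>
"""


class FormFinder(HTMLParser):
    """Collects every <form> with its action, method and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "fields": [],
            }
            self.forms.append(self._current)
        elif self._current is not None and tag in ("input", "textarea", "select"):
            name = a.get("name")
            # Submit buttons carry no visitor data, so skip them.
            if name and (a.get("type") or "text").lower() != "submit":
                self._current["fields"].append({"name": name, "tag": tag})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_destination(action, site_host):
    """Return 'same-site' or 'third-party: <host>' for a form action URL."""
    host = urlparse(action).netloc.lower()
    site_host = site_host.lower()
    if host == "" or host == site_host or host.endswith("." + site_host):
        return "same-site"
    return "third-party: " + host


def audit_forms(html, site_host):
    """Summarise each form's submission path and the fields it collects."""
    parser = FormFinder()
    parser.feed(html)
    report = []
    for form in parser.forms:
        report.append({
            "action": form["action"] or "(submits to the page itself)",
            "method": form["method"],
            "destination": classify_destination(form["action"], site_host),
            # GET submissions end up in the URL, hence in access logs and history.
            "fields_in_url": form["method"] == "get",
            "free_text_fields": [f["name"] for f in form["fields"] if f["tag"] == "textarea"],
            "all_fields": [f["name"] for f in form["fields"]],
        })
    return report


if __name__ == "__main__":
    for entry in audit_forms(SAMPLE_HTML, SITE_HOST):
        print(entry)
```

In the constructed sample the first form sends a free-text message to a third-party endpoint, which is exactly the arrangement the post describes, while the second stays on-site but uses GET. The check only sees what the markup declares: a form submitted by JavaScript, or one whose same-site endpoint relays the data onward to a CRM or email service, will not show up here, so treat a "same-site" result as the start of the question rather than the answer.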

Need help with your site?

We offer website audit services that give you insight into how your website measures up in terms of technical foundation, SEO, accessibility, performance, and how your site collects and handles visitor information, including your contact form setup and whether it creates any HIPAA exposure. You get a detailed report and a 30-minute walkthrough call to go through it together.

It is a straightforward way to know exactly what your site is doing well and what is worth addressing.

Learn more about the website audit