Is Squarespace HIPAA Compliant? What You Need to Know About BAA, PHI, and Alternatives


Kevin Henry

HIPAA

May 07, 2025

6 minute read

Squarespace HIPAA Compliance Overview

Squarespace’s core website platform is not designed to store, process, or transmit Protected Health Information (PHI), and Squarespace does not offer a Business Associate Agreement (BAA) for it. Under HIPAA a vendor may not handle PHI on your behalf without a signed BAA, so do not use native Squarespace tools (form blocks, email campaigns, analytics, chat, or commerce) for any information that identifies a patient in connection with their care or payment for it.

You can still use Squarespace for a marketing site (hours, services, biographies, and educational content) so long as you keep PHI out of the platform. When you need to collect or transmit PHI, route patients to systems that offer a BAA and purpose-built PHI safeguards.

  • Safe uses: branding pages, service descriptions, blogs without PHI, general inquiries that avoid medical details.
  • Unsafe uses: contact/intake forms capturing symptoms or treatment details, appointment details with patient identifiers, sending PHI via built-in email, or embedding analytics or chat trackers on pages where PHI is entered.

One caveat on "general inquiries": you cannot control what a visitor types into a free-text contact field, and patients routinely volunteer symptoms and medications. Keep any native contact form to name and preferred callback method, label it clearly as not for medical information, and send anything clinical to a compliant form instead.

Acuity Scheduling HIPAA Configuration

Squarespace Scheduling (formerly Acuity Scheduling) can be configured for HIPAA-related use, but it requires the right plan, execution of a Business Associate Agreement, and strict settings. Treat HIPAA enablement as a full configuration effort, not a switch you turn on and forget.

Steps to configure

  • Request and countersign the BAA within your Scheduling account before collecting any PHI.
  • Enable the platform’s HIPAA setting; this typically limits integrations, exports, and notification content to reduce exposure.
  • Keep notifications generic. Do not include diagnoses, reasons for visit, or other PHI in email or SMS reminders.
  • Control calendar sync. Use generic event titles and avoid pushing PHI to third-party calendars that lack a BAA.
  • Restrict staff access, require MFA, and review audit logs regularly.
  • Use Scheduling’s built-in intake forms for PHI only if HIPAA mode is active and the BAA is in place.

Even with HIPAA configured, isolate PHI to Scheduling itself. Do not copy PHI back into Squarespace pages, form blocks, or email campaigns.

Secure Form Integration Methods

If you must collect PHI on your website, do not use native Squarespace forms. Instead, embed a HIPAA-compliant form service that hosts data on its own compliant infrastructure and offers a BAA.

Two safe patterns

  • Hosted link-out: Place a clear call-to-action that opens your form or patient portal in a new tab on the provider’s domain. Give the link rel="noopener noreferrer" so the vendor page receives no Referer header and no window.opener handle back to your site.
  • Isolated embed: Use the provider’s iframe embed so submissions post directly to the provider’s origin and never pass through Squarespace, email, or non-compliant logs. Prefer an iframe over a script-based embed that renders fields into your page: in an iframe the field contents live in a separate origin, whereas fields rendered into your own DOM are readable by every other script on the page, including chat widgets and analytics tags.

Implementation checklist

  • Sign the provider’s BAA before launching.
  • Build forms with the minimum necessary PHI; confirm the vendor encrypts in transit (TLS) and at rest.
  • Disable email delivery of responses; use portal-based access instead.
  • Confirm the embed doesn’t expose PHI to page analytics, chat widgets, or CDN logs. Never carry PHI in URL query strings, which are recorded by CDN, web server, and analytics logs, and strip third-party scripts from the intake page entirely rather than trusting them to ignore the form.
  • Document your data map: what’s collected, where it’s stored, who can access it, and retention policies.
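The checklist above asks you to confirm that nothing else on the intake page can see or leak PHI. The following is an added example, not Squarespace’s code or any form vendor’s, of a static audit you can run in Node against the served HTML of a PHI page (for example, saved with curl). It lists every third-party host that a script, iframe, or image loads from, flags hosts missing from an allowlist, and checks the two embed hygiene points from the safe patterns: iframes without referrerpolicy="no-referrer" and new-tab link-outs without rel="noopener noreferrer". The page origin, the vendor hostname, and the two sample pages are constructed for illustration.

```javascript
// Added example: static audit of a PHI intake page's HTML for third-party
// exposure and embed hygiene. Hostnames and sample pages are constructed
// for illustration and are not real sites or vendors.

const PAGE_ORIGIN = "https://www.example-clinic.com"; // assumed marketing site

// Hosts allowed to load on the PHI page: only the (assumed) form vendor.
const ALLOWED_HOSTS = new Set(["forms.example-vendor.com"]);

// Return the raw attribute string of every opening tag with the given name.
function tags(html, name) {
  const re = new RegExp(`<${name}\\b([^>]*)>`, "gi");
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// Read one attribute value (double-quoted, single-quoted, or bare).
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = attrs.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve relative and protocol-relative (//host/...) URLs against the page.
function hostOf(src) {
  try {
    return new URL(src, PAGE_ORIGIN).hostname;
  } catch {
    return null;
  }
}

function auditPhiPage(html) {
  const findings = [];
  const firstPartyHost = new URL(PAGE_ORIGIN).hostname;

  // 1. Any resource-loading tag whose host is neither us nor the form vendor.
  for (const name of ["script", "iframe", "img"]) {
    for (const attrs of tags(html, name)) {
      const src = attr(attrs, "src");
      const host = src ? hostOf(src) : null;
      if (host && host !== firstPartyHost && !ALLOWED_HOSTS.has(host)) {
        findings.push(`third-party <${name}> loads from ${host}`);
      }
    }
  }

  // 2. Iframes must not send the embedding page's URL as Referer.
  for (const attrs of tags(html, "iframe")) {
    const policy = (attr(attrs, "referrerpolicy") || "").toLowerCase();
    if (policy !== "no-referrer") {
      findings.push(`iframe ${attr(attrs, "src")} lacks referrerpolicy="no-referrer"`);
    }
  }

  // 3. New-tab link-outs need both noopener and noreferrer.
  for (const attrs of tags(html, "a")) {
    if ((attr(attrs, "target") || "").toLowerCase() !== "_blank") continue;
    const rel = (attr(attrs, "rel") || "").toLowerCase().split(/\s+/);
    if (!rel.includes("noopener") || !rel.includes("noreferrer")) {
      findings.push(`link-out ${attr(attrs, "href")} opens a new tab without rel="noopener noreferrer"`);
    }
  }

  return findings;
}

// Constructed sample: an intake page with the vendor embed but an analytics
// tag and a chat widget still present, and a bare link-out.
const UNSAFE_PAGE = `
<html><head>
<script src="https://analytics.example-tracker.com/tag.js"></script>
</head><body>
<script src="//chat.example-widget.com/loader.js"></script>
<iframe src="https://forms.example-vendor.com/intake/123"></iframe>
<a href="https://forms.example-vendor.com/portal" target="_blank">Start intake</a>
</body></html>`;

// Constructed sample: the same page with the checklist applied.
const HARDENED_PAGE = `
<html><body>
<iframe src="https://forms.example-vendor.com/intake/123" referrerpolicy="no-referrer"></iframe>
<a href="https://forms.example-vendor.com/portal" target="_blank" rel="noopener noreferrer">Start intake</a>
</body></html>`;

console.log(auditPhiPage(UNSAFE_PAGE).join("\n") || "no findings");
console.log(auditPhiPage(HARDENED_PAGE).join("\n") || "no findings");
```

A static scan only sees what is in the HTML at load time; a tag manager or chat loader can inject further scripts at runtime, so pair this with a look at the browser network panel while you submit a test record, and expect the hardened page to produce requests to the vendor origin only.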

Common HIPAA-ready form providers

Examples include Jotform (HIPAA-enabled plans), Formstack, FormAssembly (compliance editions), IntakeQ, and LuxSci SecureForm. HIPAA features are often restricted to specific plan tiers, so verify each vendor’s configuration requirements and execute a BAA before you go live.

HIPAA-Compliant Email Providers

Email can be a major risk surface. Choose a HIPAA-compliant email provider that will sign a BAA and supports enforced TLS, secure message portals, robust access controls, and logging. Note that ordinary server-to-server TLS is opportunistic: if the receiving mail server does not negotiate it, the message falls back to plaintext, which is why enforced TLS or a portal for the message body matters.

  • Google Workspace (with BAA, configured correctly)
  • Microsoft 365 (with BAA, configured correctly)
  • Paubox (always-on TLS with inbound/outbound controls)
  • Hushmail for Healthcare (portal-based secure messaging)
  • LuxSci (secure webmail, SMTP, and SecureLine options)

Configuration matters: enforce TLS, keep subjects free of PHI, use secure portals for message bodies and attachments, apply DLP rules, enable MFA, and retain audit logs per your policy.

Alternative HIPAA-Compliant Platforms

If you need end-to-end online intake, scheduling, messaging, and file exchange with PHI, consider platforms that are built for healthcare and provide a BAA.

  • Practice management suites with websites/portals: SimplePractice, Jane App, Healthie, and Tebra offer scheduling, intake forms, messaging, and patient portals under a signed BAA.
  • Custom sites on HIPAA-compliant hosting: Build with WordPress or a static site generator on a hosting provider that signs a BAA and supports encryption, access controls, logging, and backups that meet HIPAA requirements.
  • Patient portals from your EHR: Link your marketing site to a portal where all PHI lives; keep the marketing site strictly non-PHI.

These options centralize PHI within systems engineered for compliance, reducing the chance of accidental data leakage through marketing tooling.

Understanding Business Associate Agreements

A Business Associate Agreement is a legally required contract between a covered entity (like a provider) and a vendor that creates, receives, maintains, or transmits PHI on its behalf; a business associate must in turn have a BAA with any subcontractor that handles the PHI. The BAA defines permitted uses, safeguards, breach notification duties, and subcontractor obligations.

You must have a BAA in place before any vendor touches PHI. Hosting providers, email services, form tools, CRMs, and scheduling systems all become business associates when they handle PHI. Without a BAA, do not send them PHI—period.

Best Practices for Handling PHI Online

PHI security measures to apply

  • Minimize data: collect only what you need; avoid free-text fields where possible.
  • Strong authentication: MFA for staff; least-privilege, role-based access.
  • Encryption: TLS in transit; encrypted storage with managed keys at rest.
  • Segmentation: keep PHI in compliant systems; keep the marketing site PHI-free.
  • Logging and monitoring: audit trails for access and changes; alerts for anomalies.
  • Data lifecycle: retention schedules, secure deletion, tested backups, and recovery plans.
  • Third-party hygiene: remove trackers from PHI pages; vet all vendors and execute BAAs.
  • Incident readiness: written breach response plan and staff training with periodic drills.

Key takeaway: Use Squarespace for brand and education only, and move PHI into systems that provide a BAA and robust safeguards. With the right architecture (HIPAA-compliant hosting where needed, HIPAA-ready forms, secure email, and disciplined processes) you can reduce risk while delivering a smooth patient experience.

FAQs

Does Squarespace sign a Business Associate Agreement?

No. The core Squarespace platform does not offer a Business Associate Agreement, so you should not store or transmit Protected Health Information through built-in forms, email campaigns, analytics, or chat.

Can Acuity Scheduling be made HIPAA compliant?

Yes. Squarespace Scheduling (Acuity) can operate in a HIPAA-oriented mode when you sign a BAA and enable its HIPAA setting. Expect restrictions that keep data safer, such as generic notifications and limited integrations.

What are the risks of using Squarespace for PHI?

Sharing PHI without a BAA can trigger HIPAA violations, breach notifications, penalties, and reputational damage. Common pitfalls include PHI in contact forms, detailed email/SMS reminders, third-party trackers on intake pages, calendar syncs that expose PHI, and data in backups or logs outside compliant systems.

Which platforms are better alternatives for HIPAA compliance?

Use a purpose-built platform that signs a BAA, such as a practice management suite with portals (e.g., SimplePractice, Jane App, Healthie, Tebra), or combine HIPAA-compliant hosting with a HIPAA-compliant form service and a compliant email provider. Keep PHI out of your marketing CMS and inside systems engineered for compliance.
