A medical practice puts a contact form on its website. A prospective patient fills it in and, being a patient, describes their symptoms in the message box. That submission then travels through a standard web form to a marketing email inbox, maybe a tracking pixel, maybe a third-party form plugin that stores the data on servers nobody vetted. The practice just collected protected health information through a pipeline that was never designed to handle it — and most owners have no idea it happened.
This is one of the most common and least understood risks we find when auditing healthcare websites. The intent is innocent: capture more patient inquiries. The execution quietly creates compliance exposure.
Why ordinary web forms are a problem
The moment a form invites a patient to describe their condition, anything they enter can become protected health information under HIPAA. The trouble is that the ordinary web stack treats that data casually:
- Submissions land in regular email, which is not an environment built for PHI and is rarely covered by the right agreements.
- Third-party form tools and analytics may transmit or store that data on infrastructure with no Business Associate Agreement (BAA) in place — the contract HIPAA requires of any vendor touching PHI.
- Marketing pixels and session-recording scripts can capture what a patient typed and send it to ad and analytics platforms. Regulators have said that disclosing PHI to such vendors without a BAA or the patient's authorization is a violation, and it has produced real enforcement actions.
- Submissions persist indefinitely across inboxes, plugin databases and backups, with no retention policy and no access control.
How to capture inquiries the right way
The goal is not to remove the form — it is to make capturing a lead and staying compliant the same thing. What NTL of NYC builds for healthcare clients:
- Minimize what you ask for. The intake form requests only what is needed to make contact — name, phone, preferred time — and explicitly tells patients not to include medical details. A free-text message box will still attract symptoms no matter how it is labelled, so either leave it out or treat whatever lands in it as PHI. The clinical conversation happens on a secure channel, not the website.
- Route through HIPAA-compliant infrastructure with a signed BAA — a form and storage vendor that contractually handles PHI, encrypted in transit and at rest, not a generic plugin.
- Strip PHI out of the marketing layer. No analytics or ad pixels on pages that handle patient data; if conversions must be measured, send a non-identifying event server-side so that neither form contents nor patient identifiers ever reach an ad platform.
- Control access and retention. Only the staff who need inquiries can see them, and submissions are purged on a defined schedule rather than living forever in an inbox.
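The first step in any of this is finding out what an intake page actually loads and where its form posts. The script below is an added example, not code from the original article or from NTL of NYC: it statically parses a page's HTML and reports scripts, images and iframes fetched from other origins (flagging those on an assumed list of tracker hosts), the host each form submits to, and any free-text fields that invite medical detail. The sample page, the first-party URL and the TRACKER_HOSTS list are constructed assumptions for this example.

```python
"""Static audit of an intake page's HTML for where form data can leak.

Added example, not code from the original article or from NTL of NYC.
The sample page, PAGE_URL and TRACKER_HOSTS are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed tracker hosts for this example; use a maintained blocklist in practice.
TRACKER_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "connect.facebook.net",
    "www.facebook.com",
    "static.hotjar.com",
}


class IntakePageAuditor(HTMLParser):
    """Collects third-party loads, form targets and free-text fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.origin = urlsplit(page_url).netloc.lower()
        self.trackers = []          # (tag, host) for assumed tracker hosts
        self.third_party = []       # (tag, host) for other external origins
        self.form_posts_to = []     # host each <form> submits to
        self.free_text_fields = []  # names of <textarea> fields

    def _host(self, url):
        """Resolve a relative or protocol-relative URL to its host."""
        return urlsplit(urljoin(self.page_url, url)).netloc.lower()

    def handle_starttag(self, tag, attrs):
        # Boolean attributes such as "async" arrive with value None.
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = self._host(a["src"])
            if host and host != self.origin:
                bucket = self.trackers if host in TRACKER_HOSTS else self.third_party
                bucket.append((tag, host))
        elif tag == "form":
            # An empty action posts back to the page's own origin.
            self.form_posts_to.append(self._host(a.get("action", "")) or self.origin)
        elif tag == "textarea":
            self.free_text_fields.append(a.get("name", "(unnamed)"))


def audit_intake_page(html, page_url):
    """Return findings for one page; empty lists mean nothing was found."""
    auditor = IntakePageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return {
        "trackers": auditor.trackers,
        "third_party": auditor.third_party,
        "form_posts_to": auditor.form_posts_to,
        "free_text_fields": auditor.free_text_fields,
    }


PAGE_URL = "https://clinic.example/contact"  # assumed first-party origin

# Constructed page: a tag manager, a session-recording script, a Facebook
# pixel inside <noscript>, a vendor-hosted form, and a free-text message box.
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://static.hotjar.com/c/hotjar-1.js"></script>
<script src="//forms.vendor.example/embed.js"></script>
<script src="/static/site.js"></script>
</head><body>
<form action="https://forms.vendor.example/submit" method="post">
  <input name="name"> <input name="phone"> <input name="preferred_time">
  <textarea name="message"></textarea>
  <button>Send</button>
</form>
<noscript><img src="https://www.facebook.com/tr?id=000&ev=PageView"></noscript>
</body></html>
"""

if __name__ == "__main__":
    for key, items in audit_intake_page(SAMPLE_HTML, PAGE_URL).items():
        print(f"{key}: {items}")
```

On the constructed page this reports three tracker loads, one other third-party script (the form vendor, which is fine only if a BAA covers it), a form posting to that vendor, and a free-text "message" field. A static parse cannot see tags injected at runtime by a tag manager, so pair it with a look at the browser's network log while submitting a test entry.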
The takeaway for practice owners
You can absolutely use your website to grow the practice — in fact you should, because patients increasingly start their search online. But the lead-capture pipeline has to be built for healthcare from the start. A compliant setup captures just as many inquiries as a careless one; it simply does not expose the practice to a penalty that dwarfs any marketing gain. If you have never had someone check what happens to your contact-form data after a patient hits submit, that is the first conversation to have.
This article is general information, not legal advice — confirm your specific obligations with qualified counsel.
Common questions
Are standard contact forms HIPAA compliant? Usually not. Most default forms store and email patient details in ways that create compliance exposure the practice never agreed to.
How do you capture patient inquiries safely? With compliant intake tools, by limiting what is collected, encrypting data, and signing the right agreements so protected health information is handled correctly.
Does compliance hurt conversion? No. A well-designed compliant intake is just as smooth for the patient while removing the legal risk for the practice.