Functional medicine doctors, private practices, telehealth clinics, and wellness practitioners that operate a website know that one of the most requested features is a new patient intake form.
But here’s where many doctors or practices get it wrong:
They focus on design.
They focus on ease of use.
They focus on conversion.
And they forget about HIPAA compliance.
A new patient intake form isn’t just another web form. It collects Protected Health Information (PHI), which means it is regulated under the Health Insurance Portability and Accountability Act (HIPAA).
If your intake system is not properly configured, your client could face:
Data breaches
Fines
Legal liability
Reputational damage
Loss of patient trust
In this guide, we’ll walk through how to properly create a HIPAA-compliant new patient intake form — from infrastructure to implementation — specifically for WordPress-based healthcare websites.
HIPAA applies when a covered entity (like a healthcare provider) collects or stores Protected Health Information (PHI).
PHI includes:
Name + health condition
Email + diagnosis
Phone + treatment plan
Insurance information
Date of birth
Medical history
Lab results
Symptoms
Prescriptions
Even a simple “Tell us about your symptoms” field becomes HIPAA-regulated the moment identifiable information is included.
If your website collects this data — compliance is mandatory.
This is where many agencies make a critical mistake.
They assume:
“If I use a secure form plugin, I’m compliant.”
Not necessarily.
HIPAA compliance requires:
Secure hosting
Encryption in transit
Encryption at rest
Access controls
Audit logs
Business Associate Agreements (BAAs)
Let’s break these down.
Your client’s hosting must:
Use HTTPS (SSL certificate)
Use secure server configurations
Provide encryption at rest
Offer access control
Ideally be managed in a HIPAA-capable environment
Shared hosting environments without proper safeguards are risky.
If you specialize in functional medicine or private practice websites (as many agencies do), you should strongly consider HIPAA-ready hosting infrastructure.
All intake forms must be served over HTTPS.
The TLS certificate (still commonly called an SSL certificate) ensures that data transmitted between the patient’s browser and the server is encrypted in transit.
Without SSL:
Data can be intercepted.
You are not compliant.
You expose clients to breach risk.
Fortunately, modern WordPress environments make SSL standard — but always verify.
Encryption at rest means that data stored on the server, including form entries in the database, is encrypted, so a copied database file or backup is unreadable without the key.
This is where many common WordPress setups fail.
If form entries are stored directly inside the WordPress database without encryption:
They are vulnerable.
They are not truly secure.
A breach exposes raw PHI.
Better approaches include:
Encrypted database layers
Secure form platforms designed for healthcare
External HIPAA-compliant form providers
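One way to keep raw PHI out of the WordPress database when you must store locally is to encrypt each submission before it is written. The following is an added example, not code from the original article or any plugin; it assumes a 32-byte key defined as a hypothetical INTAKE_PHI_KEY constant in wp-config.php and a hypothetical intake_submissions table.

```php
<?php
// Added example (not from the original article): encrypt an intake
// submission with libsodium (PHP 7.2+ core) before it touches the database.
// Assumes define('INTAKE_PHI_KEY', '<64 hex chars>') in wp-config.php;
// the constant name and the intake_submissions table are hypothetical.

function intake_phi_key(): string {
    if (!defined('INTAKE_PHI_KEY')) {
        throw new RuntimeException('INTAKE_PHI_KEY is not configured');
    }
    $key = sodium_hex2bin(INTAKE_PHI_KEY);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('INTAKE_PHI_KEY must be 32 bytes');
    }
    return $key;
}

// Returns base64(nonce || ciphertext); every record gets a fresh nonce,
// and the secretbox MAC detects tampering with the stored blob.
function intake_encrypt(array $fields): string {
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = wp_json_encode($fields);
    $cipher = sodium_crypto_secretbox($plain, $nonce, intake_phi_key());
    sodium_memzero($plain);
    return base64_encode($nonce . $cipher);
}

function intake_decrypt(string $blob): array {
    $raw    = base64_decode($blob, true);
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, intake_phi_key());
    if ($plain === false) {
        throw new RuntimeException('Intake record failed authentication');
    }
    return json_decode($plain, true);
}

// Only the ciphertext and non-PHI metadata are written to the table.
function intake_store(array $fields): int {
    global $wpdb;
    $wpdb->insert($wpdb->prefix . 'intake_submissions', [
        'created_at' => current_time('mysql', true),
        'payload'    => intake_encrypt($fields),
    ], ['%s', '%s']);
    return (int) $wpdb->insert_id;
}
```

The key must not live in the same backup set as the database, otherwise a stolen backup contains everything needed to read the records.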
Under HIPAA, any third-party service handling PHI must sign a Business Associate Agreement (BAA).
This includes:
Hosting providers
Form processors
Cloud storage
Email platforms
CRM systems
If you use:
Form plugins
Cloud-based intake software
External patient portals
You must verify whether they offer a signed BAA.
If they do not — they should not handle PHI.
One of the most common compliance failures:
Sending intake forms via regular email.
Standard email platforms (like Gmail or typical SMTP setups) are not HIPAA compliant by default.
If your intake form sends:
Full medical history
Insurance details
Symptom descriptions
directly into inboxes — you have a compliance issue.
Safer approaches:
Store submissions securely in an encrypted dashboard
Use HIPAA-compliant email platforms
Notify via email that “A new intake form was submitted” (without PHI)
Never include PHI in unsecured email notifications.
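The difference between a notification that leaks PHI and one that does not is small in code but large in risk. The following is an added example, not code from the original article or any plugin; the admin page slug intake-submissions and the record id passed in are assumptions.

```php
<?php
// Added example (not from the original article): staff notification that
// carries no PHI. Assumes a record id from your storage layer and a
// hypothetical admin page slug 'intake-submissions'.

// Anti-pattern: the whole submission lands in an ordinary mailbox,
// which is exactly the compliance failure the article describes.
function intake_notify_unsafe(array $fields): void {
    wp_mail(get_option('admin_email'), 'New patient intake',
        "Name: {$fields['name']}\nSymptoms: {$fields['symptoms']}");
}

// Safe pattern: only a record id and a link to the protected dashboard.
function intake_notification_body(int $submission_id): string {
    $url = admin_url('admin.php?page=intake-submissions&id=' . $submission_id);
    return "A new intake form was submitted (record #{$submission_id}).\n"
         . "Log in to review it: {$url}\n";
}

function intake_notify_safe(int $submission_id): bool {
    return wp_mail(
        get_option('admin_email'),
        'New intake form submitted',
        intake_notification_body($submission_id)
    );
}

// Review-time guard: the body must not echo any submitted field value,
// so a later "helpful" template change cannot quietly reintroduce PHI.
function intake_body_is_phi_free(string $body, array $fields): bool {
    foreach ($fields as $value) {
        $value = trim((string) $value);
        if ($value !== '' && stripos($body, $value) !== false) {
            return false;
        }
    }
    return true;
}

// Hypothetical hook fired by the storage layer after a record is saved.
add_action('intake_stored', 'intake_notify_safe');
```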
If you build healthcare websites on WordPress (which many agencies do), consider these structural decisions:
Instead of storing data inside WordPress:
Use a secure intake system
Embed it via an iframe
Redirect patients to a secure portal
Benefits:
Reduces WordPress database exposure
Simplifies compliance management
Transfers liability to a compliant vendor
If storing locally:
Use encrypted form storage
Restrict admin access
Disable database export permissions
Harden WordPress security
Use two-factor authentication
WordPress can be HIPAA-capable — but it must be architected intentionally.
From a compliance standpoint:
Collect only what you need.
Do not:
Add unnecessary medical questions
Request irrelevant identifiers
Over-collect insurance data if not needed
Data minimization reduces risk exposure.
Who can access intake submissions?
Only authorized staff.
This means:
Unique login credentials
Role-based permissions
No shared admin logins
Two-factor authentication
Secure password policies
The more users with access — the higher the risk.
HIPAA requires logging of:
Access attempts
File downloads
Modifications
Administrative changes
If you cannot track who accessed patient data — you are exposed.
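Access control and audit logging belong together: a dedicated capability decides who may view a record, and every attempt, allowed or denied, is written to an append-only log. The following is an added example, not code from the original article or any plugin; the capability view_intake_phi, the intake_reviewer role and the intake_audit table are assumptions.

```php
<?php
// Added example (not from the original article): a dedicated capability
// for viewing intake PHI plus an audit trail of every access attempt.
// The capability, role and intake_audit table are hypothetical.

// Role setup persists to the database, so in a real plugin run this on
// activation rather than on every request; shown on init for brevity.
add_action('init', function () {
    // Administrators do not inherit the capability, so a web admin cannot
    // read PHI unless the practice explicitly grants the clinical role.
    $role = get_role('intake_reviewer');
    if (!$role) {
        $role = add_role('intake_reviewer', 'Intake Reviewer', ['read' => true]);
    }
    if ($role) {
        $role->add_cap('view_intake_phi');
    }
});

function intake_audit(string $action, int $submission_id, bool $allowed): void {
    global $wpdb;
    $wpdb->insert($wpdb->prefix . 'intake_audit', [
        'occurred_at'   => current_time('mysql', true),
        'user_id'       => get_current_user_id(),
        'submission_id' => $submission_id,
        'action'        => $action,
        'allowed'       => $allowed ? 1 : 0,
        'ip'            => $_SERVER['REMOTE_ADDR'] ?? '',
    ], ['%s', '%d', '%d', '%s', '%d', '%s']);
}

// Every read goes through this gate so denied attempts are recorded too.
function intake_can_view(int $submission_id): bool {
    $allowed = is_user_logged_in() && current_user_can('view_intake_phi');
    intake_audit('view', $submission_id, $allowed);
    return $allowed;
}

function intake_render(int $submission_id): void {
    if (!intake_can_view($submission_id)) {
        wp_die('You are not authorized to view intake submissions.', 403);
    }
    // Hand off to your storage layer to decrypt and display the record.
    do_action('intake_render_record', $submission_id);
}
```

Grant the audit table INSERT-only rights for the application database user where the host allows it, so a compromised admin session cannot erase its own trail.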
This is why secure intake platforms are often preferable to DIY storage solutions.
Intake forms must align with:
State retention laws
Federal requirements
Practice policies
You must determine:
How long submissions are stored
When they are archived
How they are deleted
How backups are managed
Backups must also be encrypted.
If your client operates telehealth:
Intake forms may include consent for telemedicine
Digital signatures must be secure
Identity verification may be required
Digital consent must be properly documented and stored securely.
Beyond HIPAA, intake forms should also meet accessibility standards.
Forms should:
Be screen-reader compatible
Include proper labels
Allow keyboard navigation
Avoid inaccessible CAPTCHA systems
Accessibility builds trust and avoids additional liability.
HIPAA compliance does not mean poor design.
Best practices:
Multi-step forms
Progress indicators
Save-and-return functionality
Clear instructions
Mobile optimization
Patients often complete intake forms on their phones.
A poor mobile experience reduces completion rates.
Include:
Notice of Privacy Practices
HIPAA acknowledgment checkbox
Secure messaging explanations
Clear disclaimers
Transparency builds patient trust.
Important distinction:
A contact form asking:
“Interested in scheduling?”
is not the same as:
“List your current medications.”
Contact forms can avoid PHI.
Intake forms collect PHI.
Design these separately.
Many practices mistakenly combine both — creating unnecessary compliance risk.
Before launch:
Test submission encryption
Review server configurations
Confirm BAA documentation
Verify admin access roles
Confirm SSL across all subdomains
Ongoing audits are equally important.
Avoid:
Storing intake PDFs in unsecured media libraries
Allowing staff to download PHI to personal laptops
Sending intake forms via Google Forms (without a HIPAA BAA)
Using standard marketing CRMs for medical data
Sharing intake responses over Slack or text message
These mistakes are common — and dangerous.
If your agency specializes in healthcare websites, your intake form strategy should include:
Secure encrypted forms
BAA verification
Role-based admin controls
Separation of marketing and medical data
Secure patient portal integration
Documentation procedures
Healthcare providers rely on agencies to guide them safely.
If you design beautiful websites but ignore compliance — you create risk.
If you design secure, compliant, conversion-optimized systems — you create long-term trust and authority.
Most healthcare practices don’t fully understand HIPAA technical requirements.
Agencies that do become strategic partners — not just website vendors.
A properly designed, HIPAA-compliant new patient intake form:
Protects patient privacy
Protects the practice
Reduces liability
Builds credibility
Improves onboarding efficiency
Enhances trust
In healthcare, trust is everything.
And compliance is not optional.
Pressed Solutions offers 100% Done For You Website Designs that include HIPAA-compliant forms.