How to Create a HIPAA Compliant Website: Building a Development Team

Many industries, healthcare included, are moving towards a more technology-centered approach. Tech companies are building web-based products for healthcare providers. However, as many of these companies come to realize, compliance is a complicated hurdle to tackle, and many struggle with how to proceed with the creation of a HIPAA compliant website.

But don’t fret just yet. Your goals can be accomplished by choosing the right development team.

Who do you need to build a HIPAA compliant website?

Many clients’ first reaction is to go with the smallest team possible: a team of one.

If you’re going to contract with a single developer, that developer must have experience with both web development and the legal framework of HIPAA to create a HIPAA compliant website. We don’t recommend this approach, as developers with knowledge in both areas are rare.

We recommend a comprehensive approach: assemble a team composed of a competent developer and a HIPAA consultant who has experience working with technologists. Developers can be accustomed to solitary work, so be sure to find someone who is comfortable working alongside a specialized consultant.

Find a team that shares your security goals

Assuming that all developers can build a HIPAA compliant website is a mistake. Web security is not only a skill set, it is also a mindset.

For web products that are working towards HIPAA compliance, web application security must be the primary consideration, not an afterthought.

If you start asking questions about security and HIPAA compliance and receive responses that downplay the importance of these requirements, this is a red flag. HIPAA compliant websites have their own set of security considerations above and beyond the baseline security that should be standard in any professional website.

Start off with HIPAA website compliance in mind to avoid costs later

To effectively build a HIPAA compliant website, you will need a team that is well versed in web app security who can implement best practices from the beginning.

It may be tempting to accept the lowest bid on your project, but in the long run, cutting corners will likely cost you more.

If your existing site was not created with HIPAA compliance in mind, finding and hiring compliance-qualified developers to reconstruct it can be incredibly challenging and costly.

Fixing an app that was designed with poor security practices can cost nearly as much as an entire rebuild, because the application architecture, communication protocols, and user workflows may all need to be scrapped and rebuilt.

Pay close attention to IT needs

Many organizations don’t realize that setting up a secure website requires secure administration of the servers that host the site, in addition to the development of the web application itself. Someone in your organization, usually the IT team, will be responsible for managing server administration in both the short and long term.

Penalties of up to $2 million have been levied in the past for improperly configured web servers that exposed patient data. A HIPAA compliant server setup is as important as securing any other part of your web application, and it requires expertise that many individual developers cannot provide.

It’s critical that your IT team is included in meetings with your HIPAA compliance team to ensure that their questions are answered, they understand the ongoing security requirements, and they implement any necessary changes to your web server.


  • Choosing a web development team that builds your HIPAA compliant website securely and correctly the first time can save you time, frustration, and most importantly, money.
  • It is your responsibility to make sure any systems handling patient data are secure and that all vulnerabilities are addressed.
  • Opting for the cheapest developer is likely to leave holes in your security. Find a HIPAA-savvy developer or seek out a qualified HIPAA consultant to partner with.

If you need help sourcing HIPAA compliant software, check out our blog post here.

Are you looking for a team with both web development and HIPAA compliance knowledge to build your HIPAA compliant website?

Gazelle Consulting can help! Give us a call at (503) 389-5666 or email us; we’re here to answer your compliance questions.
