
Is Squarespace HIPAA Compliant? Risks, BAAs, and Secure Alternatives [Updated 2026]

If you’re part of the growing number of therapy group practices using Squarespace, you’re not alone. Its sleek templates and ease of use make it appealing, but what many don’t realize is that it is not built for HIPAA compliance.

The short answer: No. Squarespace is not HIPAA compliant because it does not sign a Business Associate Agreement (BAA) and should not be used to collect, transmit, or store PHI. Therapy practices can keep their marketing site on Squarespace, but must use HIPAA‑compliant form tools (e.g., Hushmail, Jotform HIPAA, IntakeQ, SimplePractice) or avoid collecting PHI on the site altogether.

2026 Update: Squarespace has partnered with Acuity so you can easily embed Acuity’s HIPAA-compliant scheduler in your website. To embed a HIPAA-compliant Acuity scheduler in your Squarespace website, you will need to subscribe to Acuity’s Premium plan (around $49/month). This is a separate subscription from your Squarespace account.

In this article, I’m breaking down why Squarespace falls short, the real risks to your practice, and what safer, compliant alternatives look like. As a designer who partners closely with private therapeutic practices, I want to help you make the best, safest choice for your online presence.

Your Website Is an Extension of Your Clinical Ethics

As you already know, HIPAA is not just red tape. It is about protecting the privacy and dignity of your clients. For therapy practices, especially growing group practices, storing or collecting Protected Health Information (PHI) online means you are legally required to meet HIPAA’s security standards.

That includes how your website handles data, from contact forms to appointment requests. Even a seemingly harmless contact form can become a HIPAA violation if it collects sensitive information without the right safeguards in place.

Squarespace does offer basic security features like SSL encryption, password protection, and privacy tools. But here is the issue:

  • Squarespace does not sign a Business Associate Agreement (BAA), which is a must-have for HIPAA-compliant platforms
  • There is no guarantee that your contact forms or stored submissions are encrypted in a HIPAA-compliant way
  • Common mistakes, such as collecting PHI through a built-in form, can lead to unintentional violations

If your site uses a “Request an Appointment” form without the proper protections, it could leave you vulnerable to fines and legal exposure, even if the form is built with good intentions.

Fines, Lawsuits, and Lost Trust: Real Costs of Non-Compliance

Non-compliance is not just theoretical. Real-world outcomes can include:

  • Fines from $100 to thousands of dollars per violation
  • Legal expenses and increased insurance premiums
  • Potential lawsuits or class-action payouts
  • Damage to your practice’s reputation and community trust

These risks can be significant and long-lasting, especially for small to mid-sized group practices.

How to Make Your Therapy Website Feel Personal—Without PHI

The good news is that you do not have to sacrifice good design for good compliance. Just make sure the platforms you use do not store form data by default (platforms like Squarespace do, which can be a compliance risk).

Look for platforms and tools that:

  • Sign BAAs
  • Offer advanced encryption
  • Provide secure intake and contact forms

Many practices pair their site with HIPAA-compliant tools such as:

  • Hushmail
  • SimplePractice
  • Jotform HIPAA
  • IntakeQ
  • Google Forms (HIPAA edition via Workspace and BAA)

HIPAA‑Safe Alternatives to Squarespace Forms

You can also avoid collecting PHI altogether by designing a custom “get started” experience. This allows site visitors to filter available providers based on criteria like insurance, availability, and specialty without submitting personal health information. Bright Spot Therapy and Kendal Clinic are two real-world examples of practices that prioritize accessibility and user privacy. Both have implemented thoughtful onboarding processes that help connect clients with the right providers, without requiring sensitive information upfront.

Squarespace may feel like the easy option, but convenience should never come at the cost of client privacy. Without proper safeguards in place, your website could be putting your practice at legal and ethical risk.

Your clients trust you with their most personal information, and that trust should extend to every part of their experience with your practice, including your website.

It’s time to take a closer look.

Get insight on where your site stands with a Website Review & Roadmap. I’ll help you identify potential risks, uncover opportunities, and guide you toward a website that is not only beautiful and aligned with your brand, but also compliant, secure, and ready to support your growth.

Sign up for your audit today and take the first step toward a more trustworthy and professional online presence.
