wiki/knowledge/website/new-dawn-therapy-hipaa-contact-forms.md · 527 words · 2026-04-05

HIPAA-Compliant Contact Forms for Therapy Practices

Overview

Standard WordPress contact forms are not HIPAA compliant. For therapy and healthcare practices, collecting client information through a generic web form creates a compliance risk unless the form provider has signed a Business Associate Agreement (BAA) with the practice. This issue surfaced during the A New Dawn Therapy website build [1] and resulted in a structural change to the site's primary call-to-action.

The Problem

WordPress's default contact form plugins (and most generic form tools) do not offer a BAA, meaning any client-identifying information submitted through those forms is not handled in a HIPAA-compliant manner. For a therapy practice, even a general inquiry form can capture protected health information (PHI) — a client's name, reason for seeking therapy, or contact details in context.

"Those contact pages are actually not HIPAA compliant... through WordPress, [they] don't have a BAA or whatever, to give me that information secure through the whole [system]."
— Katie Geiser, A New Dawn Therapy

The Solution: Route the Primary CTA to the EHR

The cleanest workaround — and often the best UX outcome — is to bypass the contact form entirely for the primary conversion action. Instead of a "Contact Us" form, the "Get Started" button links directly to the practice's EHR booking calendar (in this case, Jane App). Because the EHR is already HIPAA-compliant and holds a BAA with the practice, all client data collected through that flow is covered.

Key structural decisions made for A New Dawn Therapy:

Secondary Options Worth Investigating

If a practice genuinely needs a general inquiry form (e.g., for non-booking questions), there are two viable paths:

  1. EHR-native intake/inquiry forms — If the EHR platform (Jane App, SimplePractice, TherapyNotes, etc.) offers a general contact or inquiry form, it is likely covered under the existing BAA.
  2. HIPAA-compliant third-party form tools — Dedicated form platforms built for healthcare (e.g., Heymarket, Formstack with BAA, JotForm HIPAA) can be integrated into a WordPress site and will provide the necessary BAA.

Sebastian noted this as a follow-up action: research HIPAA-compliant contact form options and share recommendations with the client.

Design Implication: Prioritize One Conversion Action

Removing the contact form also simplifies the conversion architecture. Rather than splitting visitor attention between a form and a booking link, the site drives everyone toward a single preferred action: booking an appointment. Contact details in the footer serve as a low-friction secondary option without competing with the primary CTA.

This aligns with a general principle: on a service site, the more clearly you define the primary action, the higher the conversion rate.

Sources

  1. A New Dawn Therapy
  2. A New Dawn Therapy — Client Overview
  3. A New Dawn Therapy — Website Content & Structure Finalization (2026-01-16)
  4. SEO Page Length for Service Pages