If you build or run websites for health-related businesses, the word “HIPAA” pops up fast. The U.S. Health Insurance Portability and Accountability Act sets strict rules for how protected health information (PHI) is collected, stored, and shared online. Webflow’s design flexibility makes it a favourite for marketers and developers, but the platform itself does not claim HIPAA compliance and explicitly warns users not to collect Protected Health Information (PHI) in its Terms of Service.
But if you want to build a HIPAA-compliant website and collect PHI on your website forms, there are workarounds that you can do, and this guide is made to show you exactly how
We’ve written this guide for two groups:
- Webflow developers who need clear, code-level steps to prevent PHI from being compromised.
- Companies and founders that need to collect sensitive patient data and are required to be HIPAA compliant.
Let’s get started.
Legal note: This article is for educational purposes and does not constitute legal advice. Always consult qualified counsel for compliance decisions.
TL;DR (skim this in 20 seconds)
- HIPAA protects PHI, or any data that ties a person to a health detail.
- Compliance kicks in the moment your Webflow site touches PHI (forms, chat, file uploads, analytics, even server logs).
- Everyone who handles PHI must follow the rules, including the healthcare company and any developers, freelancers, or SaaS vendors (who become Business Associates and require Business Associate Agreements, or BAAs).
- Webflow by itself isn’t enough, its ToS forbids PHI, and it offers no BAA.
- Stay safe by keeping PHI off Webflow altogether: embed or proxy HIPAA-ready services (such as Paubox, Formstack HIPAA, or Aptible).
What “HIPAA-Compliant” Really Means
HIPAA protects any data that can identify an individual and tie them to health information, such as names, contact details, lab results, and IP addresses logged alongside a medical page.
To handle PHI on the web, you must follow two core rules:
- Privacy Rule: Defines who may use or share PHI and under what conditions.
- You must obtain valid patient authorizations before collecting PHI.
- You need a clear, publicly available privacy notice explaining how data is used.
- Security Rule: Requires reasonable and appropriate safeguards for electronic PHI (ePHI).
- Administrative controls: written policies, workforce training, and signed BAAs with every vendor that touches PHI
- Physical safeguards: secure data centers, device encryption, and screen-lock policies
- Technical measures: end-to-end encryption, role-based access controls, and immutable audit logs
In January 2025 HHS proposed an update that would mandate annual inventories of all ePHI systems, universal multi-factor authentication, and 24-hour breach notifications from vendors, which shows enforcement is only getting stricter.
What does this mean for Webflow users?
You cannot store any PHI in Webflow’s CMS, form storage, or logs. Funnel every byte of sensitive data through HIPAA-ready services that (1) sign a BAA and (2) satisfy the Security Rule, then connect them to your Webflow site via embeds, APIs, or proxies.
Where Does HIPAA Compliance Come Into Play on a Webflow Site?
HIPAA is triggered anywhere your site creates, receives, maintains, or transmits protected health information (PHI). The table below maps the usual hot zones in a Webflow build, why each one matters, and the concrete fix you’ll need:
| Touch-point |
Why it’s Covered |
Typical Webflow Scenario |
Action You Need |
| Forms & survey widgets |
The moment a visitor types a name, email, or symptom, you’re handling PHI. |
Native Webflow form block “Book an appointment.” |
Swap in an iframe from a provider that signs a Business Associate Agreement (BAA) —
Paubox Forms,
Formstack HIPAA,
HIPAAtizer,
JotForm
|
| Live chat / chatbots |
Chats often mix identifiers with health questions. |
Intercom script pasted in Project Settings → Custom Code. |
Use a HIPAA-ready chat (e.g.
Klara,
Paubox Chat)
or route users to a secure portal.
|
| File uploads |
Lab results, insurance cards, X-rays are ePHI. |
Upload field in CMS Collection or third-party widget. |
Store files on HIPAA-compliant storage (AWS S3 under BAA, Google Cloud Storage)
and never pass them through Webflow.
|
| Analytics & ad trackers |
IP addresses + URLs tied to health topics count as PHI under HHS’s 2024
“Online Tracking Technologies” bulletin.
(HHS.gov)
|
Google Analytics 4, Meta Pixel, Hotjar snippets in global <head> or GTM. |
Disable trackers on PHI pages, switch to a self-hosted or BAA-backed analytics tool,
or run them behind a compliant proxy.
|
| Server / CDN logs |
Logs store IPs & URLs; linked to health context they become PHI. |
Automatic Webflow hosting logs (not user-configurable). |
Keep PHI out of URLs & query strings; off-load sensitive flows to HIPAA hosting
that gives you log control.
|
| Transactional email |
Appointment reminders or test results contain PHI. |
Webflow’s default “Form Submission” email. |
Turn off Webflow notifications; send through a BAA-backed service
(Paubox Email API, Mailgun HIPAA).
|
Key takeaway: If any visitor interaction could reveal a person’s health information, assume HIPAA applies and route that data outside Webflow to a service that signs a BAA.
Who Needs to Comply?
HIPAA liability doesn’t stop with hospitals. Anyone in the data-flow chain can become a “regulated entity.”
| Role |
Plain-English Definition |
Real-world Example |
| Covered Entity |
Provides or pays for health services. |
Telehealth startup, dental chain, health-insurance broker. |
| Business Associate |
Handles PHI for a Covered Entity and must sign a BAA. |
Freelance Webflow dev embedding a HIPAA form; Paubox sending secure email.
(HHS.gov)
|
| Sub-contractor |
A vendor to a Business Associate that still touches PHI. |
AWS hosting the secure API your agency built. |
Quick check: Do you see PHI in your dev tools, logs, or staging DB? If yes, you’re a Business Associate under HIPAA and must follow the Security Rule safeguards.
Those safeguards include access controls, audit logs, and encryption standards spelled out in the HIPAA Security Rule.
Why Webflow Alone Falls Short
Webflow is great for front-end speed and design freedom, but it was never built to store or process protected health information, and it says so in black-and-white.
1. The “No-PHI” clause you can’t ignore
Webflow’s Terms of Service spell it out:
“You agree not to provide or enable End Users to provide Protected Health Information … in connection with your use of the Platform.” (Section 3.6 HIPAA Non-Compliance)
That single sentence means four things:
- No Business Associate Agreement (BAA). HIPAA requires a signed BAA before any vendor can handle PHI. Webflow offers a GDPR-style Data Processing Addendum for privacy laws, but nothing resembling a BAA.
- No safe place for PHI. Native form storage, CMS items, backups, and server/CDN logs all reside on Webflow’s infrastructure, outside HIPAA scope.
- Limited server-side controls. You can’t access log-level encryption settings, rotate keys, or configure audit trails—the technical safeguards HIPAA’s Security Rule demands.
- You carry the liability. If PHI lands on a Webflow server, you (and your client) own the compliance failure, not Webflow. Even third-party observers flag this as a deal-breaker for healthcare sites. (blaze.tech)
2. Developer vs. Company takeaways
| Audience |
What this really means |
Immediate action |
| Webflow developers |
Any PHI that touches your local dev tools, staging links, or Webflow‐hosted forms makes you a Business Associate. |
Keep PHI out of your build pipeline; route sensitive data straight to HIPAA-ready services. |
| Founders / ops leads |
A Webflow site alone cannot satisfy HIPAA—even if you pay for an Enterprise plan. |
Budget for external HIPAA vendors (forms, chat, hosting, email) or switch to a fully HIPAA-certified stack if PHI is central to the product. |
3. So what can you do?
You have two practical paths:
- Stay on Webflow and off-load every byte of PHI to tools that will sign a BAA (Paubox Forms, Formstack HIPAA, Aptible, etc.).
- Migrate the whole project to a platform that natively meets HIPAA (Aptible, AWS under BAA, or a specialized PaaS).
Since our aim is to build a HIPAA compliant Weflow website, let’s look at how we can off-load PHI from Webflow to a compliant service.
How to Off-load Protected Data from Webflow: A Simple 5‑Step Process
1. Pick your BAA‑signing form provider
- Look for a vendor that:
- Signs a HIPAA Business Associate Agreement
- Encrypts data at rest and in transit
- Has audit logs you can review
- Examples: JotForm (HIPAA plan), Formstack, Paubox Forms
2. Grab and embed their form code
- In your form provider’s dashboard, find the “Embed” snippet (usually an HTML block).
- In Webflow Designer:
- Drag in an Embed element where you want the form
- Paste the snippet
- Publish your site
3. Verify PHI never lands on Webflow
- Submit a test entry with fake PHI (like “Test Patient”).
- In Webflow Site Settings → Forms, confirm no submissions appear there.
- Log into your form provider to see the test entry instead.
4. Secure your site and tools
- Webflow gives you SSL by default, so your pages load over HTTPS.
- In your form provider and any admin panels, turn on strong passwords and multi‑factor authentication.
5. Audit and monitor regularly
- At least once a month, log into your form service and:
- Check access logs (who viewed or exported data)
- Review submission logs for any red flags
- If you use any other tool that touches PHI (email, storage), do the same.
That’s it for 90% of use cases. If you later need custom data checks or a patient portal beyond a form, you can add a lightweight proxy or reverse‑proxy. But for most intake/contact workflows, these five steps get you HIPAA‑safe on Webflow in under 10 minutes.
And for those who do need to set up Proxy or reverse proxy, here’s how you can do it -
Adding a lightweight proxy or reverse‑proxy for custom needs
Only do this if you need to: validate data yourself, run custom code before sending, or host a patient portal offsite.
Option 1: Lightweight proxy
- Deploy a small serverless function (AWS Lambda, Vercel, Netlify Functions).
- In Webflow, set your form’s action URL to that function.
- In the function:
- Validate or transform incoming data
- Forward it to your HIPAA form API
- Return a success or error message back to the user
Resources that will help you:
Option 2: Reverse‑proxy routing
- Stand up a simple Nginx (or Caddy) server on any host you control.
- Configure it so requests to /secure/* on your custom domain go to a HIPAA‑safe backend.
- Keep your public pages on Webflow and your secure app sections on that other server.
- Test by loading /secure/login (or your chosen path) and confirm PHI never touches Webflow logs.
Resources that will help you:
Only follow these if you need custom data checks, transformations, or a mini patient portal offsite.
Wrapping Up
By embedding a BAA‑backed form, verifying that PHI never lands on Webflow, securing your site with HTTPS and MFA, and running regular audits, you cover about 90% of HIPAA requirements in under ten minutes. Proxy and reverse‑proxy setups will help you deal with complex requirements that may come.
And If you need help migrating your site to Webflow or setting up a fully HIPAA compliant Webflow build, we can help. Book a call today, and we’ll get started.
