Collecting client information online – are you HIPAA compliant?

As many of you know, I do website design for massage therapists and other health care people. One thing I’ve noticed that concerns me is that many of you do not understand HIPAA and are collecting client information that could be exposed to hackers and the general public.

Online Intake Forms – not the best idea

Some of you have built a form in your website that serves as an online intake form. You’re collecting clients’

  • Name
  • Address
  • Phone Numbers
  • Social Security Numbers
  • Medical History
  • other

The client fills that in, clicks submit, and you have all their information handy when they show up for their first appointment. Easy peasy, right?


You are collecting data that is considered Protected Health Information. And you’re doing it all wrong. And it’s going to cost you. Big.

HIPAA covers all Protected Health Information held or transmitted

If you are storing client PHI (Protected Health Information) on a computer, you must comply with HIPAA.

If you are collecting sensitive information that could be used by identity thieves, such as social security numbers, dates of birth and the like, you could be liable if that information is compromised.

What constitutes PHI?

From the U.S. Department of Health & Human Services website:

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

You might want to tighten up your seat belts, kiddies, because Aunt Kelli is about to go on a big ole rant!

Why in blue blazes are you collecting someone’s protected health information online? Would you be willing to submit your information online using your form? Would you trust that information to just anyone? Are you willing to be liable should that information get into the wrong hands? Are you insured for that kind of event?

For all that’s holy, people, quit being so fucking cheap and trying to do this on your own!

There are companies that specialize in this sort of thing and they aren’t that damn expensive. They know what they are doing. They are paying for the extra encryption. They will provide safe, secure, HIPAA compliant data collection and storage.

If you don’t want to pay for that service, then put a pdf of your intake forms on the web and have your clients bring them in with them.

Use some common sense, people. Seriously. You’re professionals; start acting like it. Either pony up the money for a professional, secure service, or go old school with paper. Either way, protect your clients’ information like it was your own. They will love you for it!

The fines for violating HIPAA are substantial

$100 to $50,000 or more per violation, with a calendar-year cap of $1,500,000. That’s $1.5 MILLION. Hope you’ve got some savings.

Every month, it seems, we see a story in the news about how one service or another is compromised and user data is exposed. I’ve seen massage therapists get up in arms about those “evil corporations” who don’t care about their customers. Some of them are doing worse.

Some therapists won’t even provide a name when they want to get a freebie from Allissa or me, but they have no problems asking their new clients for sensitive data over the internet. That’s being hypocritical.

Protect your clients. Protect your practice.

Know what you are doing when using online intake forms. Either know and use the technology, pay a service for their knowledge and skills, or skip it and use paper.

Rant over. Thanks for indulging me. Now be safe on the internet and stay in practice for many years to come.

  1. SO TRUE! Thanks for saying this. I happen to have a background in health insurance data analytics so my history with HIPAA is pretty decent, but I don’t always see it stressed for LMTs. We can’t expect to be treated as health professionals if we won’t follow the rules of one. It’s also just plain good practice.

      • For electronic transmission of data via website, looks great. I know there were regulations way back when (originally) regarding what was permitted via cell phones…but I would admittedly need to review those (and likely will). For those that keep client information on their computers/laptops or review client lists via online programs, the computer used to view them should be password protected and locked when not in use. I’ll give this more thought, too…

  2. I agree very much. We need to be professionals and understand the laws and rules that govern not just massage therapy but the medical profession as a whole. I love your website. The only annoying thing is the floating share button! It gets in the way of reading your blog…

    • Ah, the floating share button. I’m probably going to change plugins soon to one I like a bit better.

      You’re right, the laws that affect us include most of those for the medical profession as a whole. We should be aware of them. HHS has even gone as far as posting easy-to-understand summaries of HIPAA and the like so that there is no excuse not to read and understand them. Thanks for the comment, Jamin!

