HIPAA-Compliant Form Builders for Therapists

Let me walk you through the key differences between embeddable form builders, secure email options, video software, and full-blown CRMs, all with HIPAA compliance in mind.

June 9, 2025

The Therapist’s Guide to HIPAA-Compliant Forms, Secure Email, and Client Portals

HIPAA compliance is not one of those “learn as you go” situations. It’s the kind of topic that makes you want to nervously Google something just to confirm you’re not already breaking a federal law. This post is your unofficial pre-call warm-up — the “coffee chat” version of the conversation you’ll eventually want to have with your lawyer.

Please don’t take anything here as a substitute for actual legal advice (especially if your lawyer charges by the minute and wears very crisp suits). This is just to help you stop avoiding the conversation and finally get the ball rolling so you’re not caught off guard, underprepared, or explaining to a state board why your website still has an unencrypted contact form from 2011.

This is more of a “cut the marketing bullsh*t and just tell me what I need to know, but nicely” kind of conversation. I’ll walk you through the key differences between embeddable form builders, secure email options, video software, and full-blown CRMs, all with HIPAA compliance in mind, so you can stop avoiding the topic and start making confident decisions (without a federal fine breathing down your neck).

First, Do No Harm (Even Digitally)

So, you took the Hippocratic Oath. First, do no harm.

When Hippocrates penned those words (…or, more likely, dictated them to someone in a toga), I doubt he imagined a world where upholding them would involve firewalls, encryption keys, or cyber liability insurance. And yet here we are practicing in an age where “harm” can come in the form of a data breach or a leaked intake form.

The truth is: operating online carries inherent risk. And while the general public knows that on some level, the convenience of digital access often outweighs their perception of that risk. For many clients, the ability to meet their therapist through a secure portal or fill out paperwork from their phone isn’t just a modern luxury, it’s a lifeline.

So, what exactly are they (and you) at risk of?

And how do you uphold your professional and ethical oath in a world where PHI lives in inboxes, form builders, and CRM dashboards?

That’s where HIPAA compliance comes in, not just as a legal framework, but as an extension of your promise to protect the people who trust you with their most vulnerable moments.

What’s Actually at Stake (for You and Your Clients)

Let’s pause for a second and talk about the why. Not the “because it’s required” why. The human why.

When you collect sensitive information from a client (e.g., mental health history, trauma disclosures, sexual orientation, medication use, even their legal name), you’re holding something far more delicate than a login ID and birthdate. You’re holding parts of a story that could carry real-world consequences if exposed.

If that information is leaked or intercepted, here’s what could be on the line for your clients:

  • Immigration status: especially for clients navigating the U.S. system with fear or limited protections
  • Reproductive decisions or trauma history: in a post-Roe world, even documentation of care can feel risky in certain states
  • Careers and public standing: many professionals still worry about stigma, especially in high-profile or conservative industries
  • Custody arrangements, insurance access, or legal safety: if private notes, diagnoses, or gender identity are revealed

Now for you:

  • A single breach (even unintentional) can result in fines of up to $50,000 per violation, reputation loss, and even license risk depending on the circumstances
  • Not to mention the emotional toll of realizing you couldn’t protect someone who trusted you to

HIPAA compliance isn’t just red tape — it’s a digital extension of your therapeutic relationship. You’re not just protecting data. You’re protecting dignity, privacy, and access.

What HIPAA Actually Requires (Without the Legalese)

Before we get into tools, let’s quickly define what it actually means for a form builder, email platform, or CRM to be HIPAA-compliant. It’s not just about password protection or slapping a lock icon on your contact form. HIPAA requires that any system handling Protected Health Information (PHI) has to follow a set of security and privacy rules, both on the tech side and your side as the provider.

Here’s a simplified version of what that includes:

  • Encryption: The data must be encrypted at rest (while stored) and in transit (while being sent)
  • Access Controls: Only authorized people should be able to access the data (yes, this includes your VA, web designer, or billing assistant)
  • Audit Logs: There must be a way to track who accessed what and when
  • Secure Storage: Data must be stored in a way that prevents unauthorized access
  • Business Associate Agreement (BAA): The service provider (e.g., Jotform, Google, SimplePractice) must sign a contract stating they accept responsibility for handling PHI securely. Without a signed BAA, you’re on the hook, even if the breach happens on their end. So anytime you use a third-party tool that touches client info, the BAA is your starting line.
  • User Practices: Even the most secure software won’t save you if you’re forwarding unencrypted emails or leaving client info in your downloads folder.

What Actually Needs to Be HIPAA-Compliant? (And Should You Piece It Together or Go All-In?)

If you’ve ever Googled “HIPAA-compliant software for therapists,” you probably ended up in a rabbit hole of acronyms, pricing tiers, and vague promises of encryption. So before we dive into specific tools, let’s clarify what parts of your practice actually need to meet HIPAA standards.

Any tool that touches PHI (Protected Health Information) needs to be HIPAA-compliant.

That includes:

  • Online forms (intake, contact, screenings, consent)
  • Email communication (especially if you’re sending appointment details, documentation, or any sensitive client info)
  • Scheduling tools (especially if they include names or reasons for visits)
  • Client portals or telehealth platforms
  • Documentation + storage systems (SOAP notes, assessments, billing details)

Even if you’re a solo provider, if you’re collecting or transmitting any of that data digitally, you’re responsible for ensuring the tools you use are secure and backed by a signed Business Associate Agreement (BAA).

A La Carte vs. All-in-One: Which Is Better?

There’s no one-size-fits-all here, but there is a tradeoff between flexibility and simplicity:

A La Carte

You mix and match HIPAA-compliant tools for different functions (e.g., Jotform for forms, Hushmail for email, Google Workspace with a BAA for storage).

  • Pros: Customizable, often cheaper month-to-month, easier to integrate with an existing site
  • Cons: More moving parts, more logins, less centralized support

All-in-One Platforms

Tools like SimplePractice, TherapyNotes, or IntakeQ provide everything in one HIPAA-compliant ecosystem — forms, secure messaging, scheduling, documentation, and billing.

  • Pros: Streamlined workflow, fewer tools to juggle, client-friendly portals
  • Cons: Higher cost, steeper learning curve, less visual customization

If you’re not sure which route to take, a good rule of thumb is:

Start a la carte if you’re just beginning or have a strong website setup. Go all-in-one if you’re scaling, billing insurance, or want to minimize tech fatigue.

How We’re Grading These Tools

To keep this review helpful (and not just a tech comparison for compliance nerds), we’ll be evaluating each tool based on two things:

HIPAA Compliance Essentials:

  • Is a BAA available and easy to obtain?
  • Is the platform encrypted and secure?
  • Can it safely collect, store, or transmit PHI?

Practical Features for Real-Life Practice Owners:

  • Usability: Is it intuitive or going to give you a migraine?
  • Price: Is it reasonable for solo providers or small practices?
  • Client Experience: Can your clients navigate it without 17 help desk emails?
  • Website Integration: Can you embed it? Link it? Brand it?
  • Bonus points for: Customization, support, and scalability

Embeddable HIPAA-Compliant Form Builders

(For practices that already have a website and want intake forms directly on it—with no awkward redirects.)

What’s a Form Builder and Why Your Website’s Built-in Contact Form Might Not Cut It

Let’s start at square one. A form builder is the tool behind the boxes your clients fill out online whether it’s your contact page, a screening questionnaire, or a full intake packet. These forms take the info a client submits and send it somewhere: usually your inbox, CRM, or a database.

Most websites (like Squarespace, Showit, Wix, or WordPress) come with a basic form builder built in. These are usually fine for casual site visitors who just want to ask, “Are you accepting new clients?”

But if your form starts collecting anything that even sniffs of protected health information (PHI) — like symptoms, trauma history, or insurance details — then that casual contact form suddenly becomes a legal liability.

When You Can Use a Standard Contact Form (Without HIPAA Compliance)

A basic contact form is okay without HIPAA compliance only if you’re collecting general, non-sensitive details like:

  • Full name
  • Email address
  • Phone number
  • Preferred contact method
  • General reason for inquiry (e.g., “Looking for therapy for my teen”)

The moment you collect anything like date of birth, mental health concerns, gender identity, ethnicity, medications, or trauma history, you’re dealing with PHI and must use a HIPAA-compliant tool.

Protect Yourself With a Disclaimer

If you’re using a standard contact form for general inquiries, include a clear disclaimer like this:

This form is for general inquiries only. Please do not include personal health information, diagnoses, or sensitive details. If you are a current client, use the secure portal provided.

This helps manage risk and guides potential clients toward safer communication methods.
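
As an added example (not from the original post or from any vendor), here is a short Python audit that checks a contact form's HTML against the rules above: it flags fields whose name, placeholder, or label suggests PHI, a missing general-inquiries disclaimer, and a form that submits over plain http. The keyword patterns, function names, and sample forms are constructed for illustration; a clean result is a prompt for review, not proof of compliance.

```python
"""Heuristic audit of a website contact form (added example, assumptions labelled)."""
import re
from html.parser import HTMLParser

# Topics the article names as PHI; the regexes are constructed for this example.
PHI_PATTERNS = {
    "date of birth": r"\b(dob|date of birth|birth ?date|birthday)\b",
    "symptoms or mental health concerns": r"\b(symptoms?|mental health)\b",
    "diagnoses": r"\b(diagnos[ie]s|diagnosed)\b",
    "medications": r"\b(medications?|meds|prescriptions?)\b",
    "trauma history": r"\btrauma\b",
    "gender identity": r"\bgender\b",
    "ethnicity": r"\bethnicity\b",
    "insurance details": r"\binsurance\b",
}
SKIP_TYPES = {"hidden", "submit", "button", "reset", "image"}


def norm(text):
    """Lowercase and collapse punctuation/underscores so 'current_meds' matches 'meds'."""
    return re.sub(r"[^a-z0-9]+", " ", (text or "").lower()).strip()


class FormParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []   # action URL of every <form>
        self.fields = []    # attribute dicts of user-facing inputs
        self.labels = {}    # <label for="id"> -> label text
        self.text = []      # all page text, used for the disclaimer check
        self._label_for = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag in ("input", "select", "textarea"):
            if (a.get("type") or "text").lower() not in SKIP_TYPES:
                self.fields.append(a)
        elif tag == "label":
            self._label_for = a.get("for")

    def handle_endtag(self, tag):
        if tag == "label":
            self._label_for = None

    def handle_data(self, data):
        self.text.append(data)
        if self._label_for:
            self.labels[self._label_for] = self.labels.get(self._label_for, "") + data


def audit_form(html):
    """Return a list of (kind, where, detail) findings; an empty list means nothing flagged."""
    p = FormParser()
    p.feed(html)
    findings = []
    for f in p.fields:
        parts = [f.get("name"), f.get("id"), f.get("placeholder"),
                 f.get("aria-label"), p.labels.get(f.get("id"))]
        described = norm(" ".join(x for x in parts if x))
        for topic, pattern in PHI_PATTERNS.items():
            if re.search(pattern, described):
                findings.append(("phi-field", f.get("name") or f.get("id") or "?", topic))
    page = norm(" ".join(p.text))
    if not ("general inquiries only" in page and "health information" in page):
        findings.append(("no-disclaimer", "page", "general-inquiries disclaimer not found"))
    for action in p.actions:
        if action.lower().startswith("http://"):
            findings.append(("plaintext-submit", action, "form posts over http, not https"))
    return findings


# Constructed sample: general-inquiry fields only, with the disclaimer, over https.
GENERAL_FORM = """
<form action="https://example.com/contact" method="post">
  <label for="name">Full name</label><input id="name" name="name">
  <label for="email">Email address</label><input id="email" name="email" type="email">
  <label for="phone">Phone number</label><input id="phone" name="phone" type="tel">
  <label for="reason">General reason for inquiry</label>
  <textarea id="reason" name="reason"></textarea>
  <p>This form is for general inquiries only. Please do not include personal
  health information, diagnoses, or sensitive details.</p>
  <input type="submit" value="Send">
</form>
"""

# Constructed sample: intake-style questions on a plain contact form.
RISKY_FORM = """
<form action="http://example.com/intake" method="post">
  <label for="n">Full name</label><input id="n" name="name">
  <label for="b">Date of birth</label><input id="b" name="field_7" type="date">
  <input name="current_meds" placeholder="Medications you take">
  <textarea name="trauma_history"></textarea>
  <input type="submit" value="Send">
</form>
"""

if __name__ == "__main__":
    for label, html in (("general", GENERAL_FORM), ("risky", RISKY_FORM)):
        print(label, audit_form(html))
```

The second sample shows why the label text matters: the field is named `field_7`, and only its "Date of birth" label reveals what it collects.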

When It’s Time to Upgrade

When you’re ready to collect intakes, signed forms, or other sensitive materials directly through your website, you need a HIPAA-compliant embeddable form builder — one that encrypts, protects, and stores data according to federal standards.

Let’s take a look at two top options:

Jotform (Gold or Enterprise Plan)

What it is: A powerful drag‑and‑drop form builder that allows you to embed HIPAA‑compliant intake forms directly on your site via iframe, popup, or link.

HIPAA Must‑Checks:

  • BAA: Available with Gold+ plan
  • Encryption: Encrypted in transit and at rest
  • Audit Trails: Available on HIPAA servers

Practical Benefits:

  • Clean, customizable form templates for therapy-specific workflows
  • Embed directly into your existing site — no redirects needed
  • Accepts payments securely, integrates with cloud tools (Dropbox, Google Drive)

Limitations:

  • HIPAA only enabled on Gold+ plans (~$34/mo)
  • Slight learning curve to fully style or brand your forms
  • Not a full CRM: it’s strictly a form builder, meaning it doesn’t include features like client scheduling, secure messaging, automated reminders, or full client record management

Why it shines:

Total flexibility. You can match your form’s look to your website and control the experience from start to finish — while staying compliant.

Hushmail for Healthcare – Secure Web Forms

What it is: A simple, secure platform that offers encrypted email and basic form creation — all under one roof.

HIPAA Must‑Checks:

  • BAA: Included with all healthcare plans
  • Encryption: End-to-end secure
  • Data Handling: Submissions sent to your secure inbox as PDFs

Practical Benefits:

  • Fast setup with templates (PHQ-9, GAD-7, etc.)
  • Embed via iframe or link
  • Combines form submission + encrypted email in one platform

Limitations:

  • Less visual customization than Jotform
  • No payment or automation features
  • Better suited for solo providers than large group practices

Why it shines:

Zero-fuss compliance with forms and email bundled together — perfect for therapists who want a lightweight solution with minimal tech setup.

Quick Decision Helper

| Platform | BAA Included? | Embeddable? | Custom Design? | Email Combo? | Cost Level? |
| --- | --- | --- | --- | --- | --- |
| Jotform | Yes (Gold+) | Iframe & Popup | High | ✘ None | ⚠ Mid-tier |
| Hushmail | Yes (Included) | Iframe & Link | ⚠ Moderate | Encrypted | Accessible |

HIPAA-Compliant Email Platforms

(For providers who need to send secure updates, intake follow-ups, or the occasional “Just checking in” without violating federal law.)

Why Regular Email Isn’t Safe Enough

Email seems harmless enough, but the moment you include Protected Health Information (PHI), it becomes a privacy landmine. That’s because:

  • Standard email is unencrypted by default
  • Most providers (e.g., Gmail, Yahoo, Outlook) won’t sign a Business Associate Agreement (BAA) on personal plans
  • Even well-meaning back-and-forths about appointment types, diagnoses, or client progress can count as PHI

If a client emails you first and consents to an unencrypted reply, you’re technically in the clear, but it’s still a risk-heavy gray area that most experts recommend avoiding.

So what’s the solution? Either switch to a fully encrypted email service or take a few critical steps to upgrade your existing email platform.

Option 1: Hushmail for Healthcare

What it is: A secure email platform built specifically for healthcare professionals. You get encrypted email, custom domain support (e.g., yourname@yourpractice.com), and secure web forms, all HIPAA-compliant out of the box.

HIPAA Must‑Checks:

  • BAA: Included with all healthcare plans
  • Encryption: End-to-end, and the client doesn’t need a password unless you want to require one
  • Secure Forms: Can be bundled with email service for all-in-one simplicity

Why it shines:

It’s everything you want Gmail to be, without the legal gray area.
Fast to set up, easy to use, and no encryption plug-ins or tech headaches required. This makes it great for solo providers or those looking for a plug-and-play solution with minimal tech stress.

Limitations:

  • Slightly less slick interface than Gmail or Outlook
  • Attachments max out at 20MB
  • Clients may have to click a secure link to view messages instead of getting full messages in their inbox

Option 2: Gmail with Google Workspace (The Right Way)

If you’re deeply attached to your Gmail interface (fair), you can make it HIPAA-compliant, but only under very specific conditions:

You must:

  • Upgrade to Google Workspace (formerly G Suite, not a free @gmail.com account)
  • Sign a Business Associate Agreement (BAA) through your admin console
  • Avoid sending PHI unless you have an added encryption tool (like Paubox or Virtru)

Limitations:

  • Google won’t encrypt email end-to-end unless you use third-party add-ons
  • If you use Google Drive or Calendar for client info, those tools also need to be configured securely under your Workspace settings
  • You’re still responsible for access control, staff permissions, and training

Why it shines:

You keep the familiarity of Gmail while checking the HIPAA boxes if you’re willing to do the setup right and add the right tools.

Great for larger practices with an IT-savvy team or those already operating inside the Google ecosystem.

Other Tools to Explore

If Gmail and Hushmail aren’t your vibe, these also offer HIPAA-compliant email (often as part of a larger system):

  • Paubox – Encrypted email that looks like regular email to the client — no portals or passwords
  • MD OfficeMail – Budget option with a dated interface but solid compliance
  • TherapyNotes, SimplePractice, or IntakeQ – Include secure client messaging portals that eliminate the need for email in many cases

Summary: Choose What Works for Your Workflow

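| Platform | BAA Included? | End-to-End Encryption? | Portal Required? | Ease of Setup |
| --- | --- | --- | --- | --- |
| Hushmail | Yes (Included) | Yes (Included) | Optional | Easy |
| Gmail (Workspace) | Yes (W/ Setup) | ✘ (Without Add-On) | | ⚠ Medium |
| Paubox | Yes (Included) | Yes (Included) | No | Easy |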

HIPAA-Compliant CRMs & Practice Management Platforms

For providers ready to bring everything including forms, scheduling, documentation, billing, and client communication into one secure place.

Why You Might Be Ready for an All-in-One Platform

You can absolutely run a lean, secure practice with a combo of separate tools: a form builder here, encrypted email there, maybe a scheduling link thrown in for good measure. But at a certain point, it starts to feel like digital whack-a-mole — more logins, more tech glitches, more chances to let something fall through the cracks.

That’s when a HIPAA-compliant CRM (Client Relationship Management system) or Practice Management Platform starts to shine. It brings everything into one centralized dashboard: forms, scheduling, notes, billing, client messaging, and sometimes even telehealth — with security built in.

Not sure what “not a full CRM” means? It’s anything that doesn’t include core features like secure messaging, automated scheduling, client records, and documentation tools all under one roof.

Here are three of the most trusted HIPAA-compliant CRMs used by therapists and mental health pros:

SimplePractice

What it is: One of the most popular all-in-one platforms for private practices. It handles scheduling, intake forms, progress notes, billing, secure messaging, and telehealth — all wrapped in a clean, intuitive client portal.

HIPAA Must-Checks:

  • BAA: Included with all plans
  • Encrypted: At rest and in transit
  • Access Logs: Built-in for audit compliance

Why it shines:

All-in-one functionality that feels modern and easy to use.
It’s especially strong for client-facing experience, with a beautiful, intuitive portal for scheduling and paperwork.

Limitations:

  • Forms must be completed in the client portal — you can’t embed them directly on your external website
  • Limited customization for form design or branding
  • Pricier than piecemeal tools — starts around $39/month

Best for: Solo or group practices who want to streamline everything in one place and reduce tech juggling.

TherapyNotes

What it is: A robust EHR (Electronic Health Records) platform built specifically for mental health clinicians. It’s packed with features for insurance billing, documentation, and compliance tracking.

HIPAA Must-Checks:

  • BAA: Automatically included
  • Encryption: HIPAA-grade encryption for all data
  • Audit Trails: Comprehensive access logs and documentation controls

Why it shines:

Industry gold standard for documentation and insurance workflows.
If you need clinical notes, treatment plans, and billing to all live in harmony — this is your tool.

Limitations:

  • Forms are uploaded as PDFs, not customizable web forms
  • Interface feels a little clunkier than newer platforms
  • Not built for those who want a visually branded or embedded website experience

Best for: Providers who bill insurance, need detailed clinical documentation, or prioritize compliance over aesthetics.

IntakeQ

What it is: A hybrid platform that sits between a form builder and a full practice management system. It’s known for its advanced form logic, automations, and smooth intake process.

HIPAA Must-Checks:

  • BAA: Included in all healthcare plans
  • Encrypted: End-to-end for all data storage and communication
  • Messaging + Logs: Secure messaging and access control built in

Why it shines:

Unmatched intake experience with automated workflows.
Clients can complete complex forms, get reminders, sign documents, and even schedule—all without leaving your system.

Limitations:

  • Not a full EHR; note-taking and billing are more limited than TherapyNotes or SimplePractice
  • Smaller company with less name recognition
  • Design isn’t as slick as newer tools

Best for: Practices that want to deeply streamline onboarding and aren’t tied to insurance billing.

Quick Comparison Chart

Columns: Platform | Forms? | Scheduling? | Messaging? | Billing? | Notes? | Embeddable? | Best For?

  • SimplePractice: Client Portal; best for all-in-one simplicity
  • TherapyNotes: forms ⚠ PDFs only; best for insurance & documentation
  • IntakeQ: forms advanced; billing ⚠ basic; notes ⚠ limited; embeddable ⚠ iFrame only; best for automating intake flow

When All-in-One is Worth It

Choose a full practice platform if:

  • You’re scaling your practice or managing a team
  • You need to bill insurance or track progress notes
  • You want fewer tools, fewer logins, and less risk
  • You’re tired of cobbling things together and just want it done right

Otherwise, a piecemeal setup might still work, especially if you’re just getting started or prefer to build around your existing website and workflows.

HIPAA-Compliant Telehealth & Video Platforms

For when you’re not in the room, but still on the hook.

Why Your Video Tool Matters More Than You Think

You might assume video platforms are “close enough” and let’s be honest, FaceTime is convenient. But if you’re providing therapy, prescribing medication, or discussing anything remotely sensitive, your video tool has to be HIPAA-compliant. No exceptions.

Here’s what HIPAA-compliant video requires:

  • End-to-end encryption
  • A signed BAA from the video platform
  • Secure storage settings (if sessions are recorded, but most shouldn’t be)
  • Private access links that aren’t easily shared or reused

It doesn’t matter if you’re running a trauma-informed therapy session or a 15-minute med check. If PHI is shared, the platform must be secure.

SimplePractice (Telehealth Add-On)

What it is: Fully integrated video platform built into the same portal clients use for forms, billing, and messaging.

HIPAA Must‑Checks:

  • BAA: Included automatically
  • Encryption: End-to-end encrypted video
  • Client Access: Private link via client portal

Why it shines:

It’s already built into your workflow so no switching tabs or third-party tools needed.

Limitations:

  • No recording features (by design, since that means fewer compliance risks)
  • Requires clients to log in through the portal (which some love, others don’t)

Best for: Private practices already using SimplePractice who want everything under one secure roof.

Doxy.me (Pro or Clinic Plan)

What it is: A browser-based video tool made for healthcare. No downloads, no logins, just a secure link.

HIPAA Must‑Checks:

  • BAA: Included with Pro or Clinic plan
  • Encryption: End-to-end
  • Client Access: Custom room links, no account required

Why it shines:

Simplicity. Clients just click a link. No logins, and no tech support emails.

Limitations:

  • Free plan is not HIPAA-compliant
  • No built-in scheduling, billing, or notes
  • Limited branding/customization

Best for: Solo providers who want a reliable, standalone telehealth solution with zero friction.

Zoom for Healthcare

What it is: The HIPAA-compliant version of Zoom, with stricter privacy controls and a BAA included (when purchased through the healthcare plan).

HIPAA Must‑Checks:

  • BAA: Only included with Zoom for Healthcare plan
  • Encryption: Configurable end-to-end encryption
  • Access Controls: Advanced settings to restrict access and disable recordings

Why it shines:

Familiarity and scalability. Everyone knows Zoom, and it’s built to handle groups, breakouts, and webinars if needed.

Limitations:

  • Expensive (~$200+/year)
  • Requires careful setup to stay HIPAA-compliant
  • Not built specifically for therapy — no client management tools included

Best for: Practices needing flexibility for groups, webinars, or multi-provider scheduling.

TherapyNotes (Telehealth Built-In)

What it is: A fully integrated platform for therapy and psychiatry, with built-in telehealth features tied to your calendar and documentation.

HIPAA Must‑Checks:

  • BAA: Included with all plans
  • Encryption: Secure, private, and integrated
  • Access: Clients receive private links from within the portal

Why it shines:

It’s built for therapists, not just video calls. Telehealth links, documentation, and billing all work together seamlessly.

Limitations:

  • Like SimplePractice, clients must use the portal
  • Less flexibility if you want separate tools for each part of your workflow

Best for: Providers doing medication management, detailed documentation, or insurance-based therapy.

Quick Comparison Chart

| Platform | BAA Included? | Client Login? | Recording? | Built-In to EHR? | Best For |
| --- | --- | --- | --- | --- | --- |
| SimplePractice | Yes | Yes | ✘ No | Yes | Full-service therapy practices |
| Doxy.me Pro | Yes | ✘ No | ⚠ With Setup | ✘ No | Quick-start solo practices |
| Zoom Healthcare | Yes | ✘ No | Optional | ✘ No | Group sessions or workshops |
| TherapyNotes | Yes | Yes | ✘ No | Yes | Psychiatry, insurance billing |

Want to keep your video platform separate from your practice system? Go with Doxy.me Pro.
Want everything in one place? SimplePractice or TherapyNotes is probably your best bet.
Need more flexibility or breakout room features? Zoom for Healthcare may be worth the price.

In Conclusion: The Final Rundown

Still not sure where you land? Here’s a quick cheat sheet to match your practice type or priority with the right tool(s):

| Scenario | Suggested Solution |
| --- | --- |
| Just starting a solo practice on a shoestring budget | Jotform (Gold) for forms + Hushmail for email |
| Managing a growing caseload and need to streamline intake | IntakeQ or SimplePractice |
| Seeing clients 100% virtually | SimplePractice or Doxy.me Pro |
| Overseeing medication management or prescriptive services | TherapyNotes or Zoom for Healthcare |
| Already using Google Workspace | Add BAA + Paubox or Virtru for email encryption |
| Need branded forms directly on your website | Jotform Gold (HIPAA-enabled) |
| Want email + secure forms in one tool | Hushmail for Healthcare |
| Working across multiple states or clinicians | TherapyNotes (great for teams) |
| Doing short-term work and don’t want a client portal | Jotform + Hushmail = lightweight and secure |
| Billing insurance and need SOAP note templates | TherapyNotes or SimplePractice |
| Prefer minimal tech stack and low learning curve | Hushmail or Doxy.me |
| Running a group practice with admin staff | SimplePractice with team logins and permissions |
| Want fully customizable form logic + workflows | IntakeQ (best form builder with automation) |
| You’ve been ignoring this topic for months and now feel slightly panicked | Start with your contact form. Then fix your email. Then take a breath. You’ve got this. |

It’s not about being perfect. It’s about being proactive and building a practice that’s not just helpful, but safe.

FAQs: The Questions You’ve Probably Googled at 1:00 AM

Can I just use the contact form that came with my website?

Technically? Yes — but only if you keep it high level. That means:

  • Name
  • Email
  • Phone
  • Something vague like “Interested in therapy”

Once you start asking about symptoms, trauma history, diagnoses, medications, or even preferred session times (which could imply treatment status)… you’ve crossed into HIPAA territory.

Use a disclaimer like this to protect yourself:

This form is for general inquiries only. Please don’t include personal health information here. If you’re a current client, use the secure portal instead.

What’s a BAA again, and do I need one?

A Business Associate Agreement (BAA) is a legally required contract between you and any tool or service that handles protected health information (PHI) on your behalf.

It’s the paper trail that proves:
“We both agree to keep this data safe, encrypted, and legally compliant.”

No BAA? Then it’s not HIPAA-compliant. Doesn’t matter how “secure” the software says it is.

I’m using Gmail. Is that okay?

Only if you’ve done it the right way:

  • You’re using Google Workspace (not @gmail.com)
  • You’ve signed a BAA in your admin settings
  • You’ve added email encryption (e.g., Paubox, Virtru)

Otherwise, no, Gmail is not HIPAA-compliant out of the box. If this sounds like too many moving parts, Hushmail is a much simpler alternative.

What’s the difference between a form builder and a full CRM?

  • A form builder is like a secure clipboard: it collects client info
  • A CRM or practice management platform is like a front desk, file cabinet, billing system, and calendar all rolled into one

If you’re only gathering intake forms, a form builder might be enough.

If you’re managing scheduling, notes, payments, and messages — it’s time to upgrade to an all-in-one platform.

Do I need HIPAA-compliant video if I don’t record sessions?

Yes. Even if you don’t hit “record,” video sessions count as transmitting PHI.
You still need:

  • A BAA from the platform
  • End-to-end encryption
  • Private, secure access links

Free tools like FaceTime or regular Zoom don’t cut it. Use Doxy.me Pro, SimplePractice, or TherapyNotes instead, since they’re designed specifically for this.

What’s the first thing I should fix if I’ve been avoiding this?

Start here:

  1. Swap your website contact form (or add a disclaimer if it’s general-use only)
  2. Use a secure form builder for anything client-specific (like Jotform or IntakeQ)
  3. Clean up your email: use Hushmail or encrypt Gmail properly
  4. Don’t panic! Just prioritize based on risk, not perfection

Final Thoughts: This Isn’t About Paranoia. It’s About Integrity.

Let’s be clear: you’re not expected to be a cybersecurity expert. You’re trying to run a practice that protects the people who’ve trusted you with their stories and their inboxes.

HIPAA compliance isn’t here to make your life harder (even if it sometimes feels like it is). It’s here to create boundaries–boundaries that keep information safe, expectations clear, and everyone better protected on the other side of the screen.

And no, you don’t need to overhaul your systems overnight. Whether you’re piecing things together or ready to go all-in on a practice platform, there’s a path that works for your size, your style, and your season.

If you’re looking to launch or expand your digital presence this year, Amanda Doherty Press specializes in services specifically to help private practice owners like you ensure you’re positioned to grow. We’d love to extend a complimentary website audit or short 15-20 minute consult to discuss your pain points and identify ways to streamline your digital marketing efforts. Book a call today, I look forward to chatting with you!
