CounselingWise: Position on HIPAA & Business Associate Agreements (BAAs)
Disclaimer
The information provided here is for general informational purposes only and does not constitute legal advice. Every practice is unique, and HIPAA compliance requirements can vary based on your specific circumstances. We strongly encourage all therapists to consult with a qualified HIPAA compliance attorney to ensure their practice meets all applicable legal obligations.
Official Statement
CounselingWise does not provide healthcare services and is not a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA). We do not collect or store Protected Health Information (PHI) in the course of our work, and therefore we are not able to enter into Business Associate Agreements (BAAs) with clients.
We understand that therapists have important compliance obligations under HIPAA, and we are committed to building and configuring websites in ways that support your compliance. The following addresses the most common areas where HIPAA considerations intersect with your website and digital presence.
Website-Related HIPAA Concerns and How CounselingWise Handles Them
1. Contact Forms
A contact form is one of the most common places where PHI could inadvertently be submitted by a prospective client. We strongly recommend using a HIPAA-compliant contact form on your website. Our preferred solution is HIPAAtizer, a dedicated form tool that works across all website platforms and is designed specifically for HIPAA compliance. You would sign a BAA directly with HIPAAtizer.
Other options include Jotform (though it is significantly more expensive) and Paubox. Google Forms can also be HIPAA-compliant, but it generally does not present as professionally on a therapy website.
Please note that whichever form solution you select—including the options mentioned here—you are responsible for signing a Business Associate Agreement (BAA) directly with that provider and following their terms of service and guidelines to maintain HIPAA compliance. CounselingWise does not assume responsibility for ensuring that all compliance requirements have been met on your behalf.
2. Google Analytics
CounselingWise configures Google Analytics on your website in a way that avoids the collection of any personal health information. This approach aligns with Google’s own Terms of Service and eliminates liability for both Google and CounselingWise—and by extension, reduces risk for you as the therapist.
Google Analytics measures high-level, aggregate data only, including: number of visitors, visit duration, pages where visitors enter and exit the site, and general geographic region of origin. No PHI and no personal identifying information is collected through these measurements.
3. Google Ads
CounselingWise provides Google Ads management services for therapists. We structure Google Ads campaigns to measure performance without capturing PHI in conversion events. Additionally, we do not engage in retargeting of any kind, which removes the risk of behavioral data being associated with a person’s visit to a mental health website.
4. Email
HIPAA-compliant email is an area of frequent concern for therapists. There are two approaches we recommend:
- Google Workspace with a BAA: If you use Google Workspace for your business email, you can sign a BAA directly with Google, making your email HIPAA-compliant. This is a cost-effective option for many therapists already using Google’s suite of tools.
- Hushmail: A dedicated HIPAA-compliant email service designed for healthcare providers, if you prefer a solution outside of Google. This service, however, makes it more difficult to communicate with people who don’t have a Hushmail login.
5. Website Privacy Policy vs. HIPAA Notice of Privacy Practices (NPP)
In the course of building and managing your website, CounselingWise adds a website privacy policy that discloses how your website collects and uses data—including analytics, cookies, and contact form submissions. This is a standard requirement for any website.
This is distinct from a HIPAA Notice of Privacy Practices (NPP), which is a separate legal document required of all HIPAA covered entities. The NPP informs patients of their rights under HIPAA and explains how their Protected Health Information may be used and disclosed. If you are a covered entity, you are required to maintain a current NPP and make it available on your website.
As of February 16, 2026, covered entities are also required to update their NPP to reflect new protections for Substance Use Disorder (SUD) records under 42 CFR Part 2. If your practice treats clients with substance use disorders, your NPP must include specific language regarding how SUD records are used and disclosed, patient rights related to those records, and other related requirements. We encourage you to consult with a HIPAA compliance attorney to ensure your NPP is current and complete.
You can learn more about the HIPAA Notice of Privacy Practices (NPP) here:
- The actual regulation: 45 CFR 164.520 (eCFR)—the primary federal rule
- HHS official guidance: HHS Notice of Privacy Practices for Protected Health Information—plain-language explanation from HHS
The website requirement on the official HHS site above says:
“A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits.”
Outside the Scope of CounselingWise Services
The following are areas where therapists may have HIPAA-related questions that fall outside the services CounselingWise provides. We include guidance here because these topics frequently arise in the context of online marketing and your broader digital presence.
Electronic Health Records (EHR)
For client scheduling, session notes, billing, and clinical records, therapists should use a dedicated HIPAA-compliant EHR or practice management platform. Popular options used by therapists include SimplePractice and TherapyNotes, both of which offer BAAs and are built for mental health practices. CounselingWise does not work directly with EHR systems; however, if you would like a link to your client portal or scheduling tool added to your website, we are happy to include that as part of your site.
Online Reviews
Online reviews can be a valuable part of building your practice’s reputation, but they require careful handling under HIPAA. We do not recommend proactively soliciting reviews from current or former clients, as doing so could implicate HIPAA by initiating a communication that identifies someone as a patient.
If a client independently leaves a review on Google or another platform, be cautious in how you respond. Even a well-meaning reply such as, “Thank you, it was wonderful working with you!” could constitute a HIPAA violation by confirming the reviewer’s status as your patient. When responding to reviews, keep your reply general and avoid acknowledging the individual as a client in any way.
Facebook, Instagram, and Meta Advertising
CounselingWise does not place Meta Pixels or manage Facebook or Instagram advertising for clients. The Meta Pixel raises significant HIPAA concerns due to its potential to capture behavioral data that, when combined with other identifiers, may constitute PHI being transmitted to Meta without a BAA. Meta does not offer BAAs. Therapists considering Meta advertising should consult with a HIPAA compliance attorney before proceeding.
Social Media Marketing
CounselingWise does not provide social media marketing services for therapists. If you use social media for your practice, avoid sharing any information that could identify a client, even without using names, as HIPAA’s protections extend to any information that could reasonably be used to identify an individual.
Telehealth Platforms
If you conduct sessions via telehealth, the platform you use must be HIPAA-compliant and a BAA must be in place. This is part of the operational side of your practice and is your responsibility to manage. We encourage you to verify compliance with your telehealth provider directly.
AI Tools in Clinical Practice
CounselingWise does not install or utilize AI tools on therapist websites. Any use of AI tools within your practice—such as transcription or note-taking tools—is outside the scope of what we manage. If you use AI tools in your practice, ensure that a BAA is in place and that those tools do not use patient PHI to train their general models, which would constitute an impermissible disclosure under HIPAA.