If your site collects, stores, or transmits patient information through forms, portals, or integrations, then yes, you need hosting from a provider that signs a business associate agreement and supports the required safeguards. If your site is purely informational and collects no health data, the requirements are lighter, but it is easy to cross that line the moment you add an intake form. [Link: HIPAA Cybersecurity page]