A website becomes a HIPAA concern whenever it collects, stores, or transmits patient information, for example through intake or contact forms. Compliance comes from how it is built: secure, encrypted forms; hosting from a provider that signs a business associate agreement; access controls and audit logging; and analytics that do not quietly capture patient data. A purely informational site has a lighter footprint, but the safeguards must be ready the moment patients submit health information.