Vendor documentation review

Is Squarespace HIPAA Compliant? (2026 Verdict)

No

Squarespace's general website features are not covered by the Acuity BAA and should not be used to collect or store PHI.

Last verified:

At a glance

BAA available
No
Plan required
Not applicable
Configuration required
Keep PHI out of Squarespace website forms, member areas, commerce, and other site features.
Category
Website Builder
Official site
Visit Squarespace

What Squarespace says officially

Squarespace draws a product-level boundary in its Acuity Scheduling and HIPAA guide . It says Acuity is the only Squarespace feature designed for this use. Other Squarespace features, including contact form blocks, cannot be part of a HIPAA-enabled solution, and the Acuity BAA does not cover the general website service.

The Squarespace Terms of Service also restrict protected health information unless the relevant account is expressly designated and governed by a BAA. For the normal website builder, there is no public setup that extends Acuity’s designation to pages, forms, commerce, member areas, or other site features.

That makes the website-builder verdict “no.” It does not mean a medical practice cannot publish a brochure-style Squarespace site. It means the site service should not receive PHI.

What this means for a medical practice

A public clinic website can contain location details, physician biographies, educational articles, and general service descriptions without collecting patient data. The boundary becomes risky when a contact form asks for symptoms, a member page hosts records, a commerce note contains treatment information, or a chat widget invites a patient to describe a condition.

Even an innocent-looking field can create PHI in context. A visitor’s name and phone number submitted from a page titled “cancer second opinion” may reveal a healthcare relationship. The submission can then be copied into Squarespace storage, an email notification, or a connected marketing service.

A HIPAAconscious medical website should send clinical intake to a separately reviewed service rather than hide it inside a general contact block. That approach can coexist with good patient selfscheduling : the public site explains the next step, while the protected scheduling or intake provider handles the sensitive details.

If the practice links to Acuity, the Acuity account needs its own plan, BAA, configuration, and integration review. The website should avoid copying appointment reasons into Squarespace analytics, form storage, or marketing scripts.

Review staff habits as well as page components. A team member may paste a patient message into a website support ticket, add a testimonial without authorization, or upload a document to a general file area. Written rules should define what the website account may contain, who can edit it, and how accidental submissions are escalated. Periodic test submissions can confirm that a public contact channel still asks only for non-clinical information and routes it to the intended team.

Compliant alternatives

Wix offers a documented PHI-protection mode and BAA on supported site plans, although incompatible apps must be removed or disabled. Jotform offers a more focused protected-form path on Gold and Enterprise when the practice only needs patient intake rather than an entire protected website environment.

The cleanest choice may be a public Squarespace site paired with a separate approved patient system. In that architecture, the public side must remain free of PHI and the handoff must be tested carefully.

Bottom line

Do not collect or store PHI in Squarespace’s general website features. Squarespace reserves its documented healthcare path for Acuity Scheduling, and Acuity’s BAA does not cover contact blocks or the rest of a Squarespace site. Keep the site informational or route sensitive intake to a separately contracted service.

Frequently asked questions

Does Squarespace offer a BAA for its website builder?

Squarespace's public guidance limits its healthcare BAA path to Acuity Scheduling and says other Squarespace website features are not designed for HIPAA-enabled use.

Can a Squarespace contact form collect patient details?

No. Squarespace specifically says contact form blocks and other website features cannot be part of a HIPAA-enabled solution.

Does an Acuity BAA cover a connected Squarespace website?

No. The Acuity agreement applies to the Acuity account and does not extend to other Squarespace features or third-party integrations.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review