HIPAA Hosting for Therapists and Counselors

If your website collects, transmits, or stores protected health information (PHI) and you are a HIPAA covered entity, you generally need a Business Associate Agreement with any vendor that touches that PHI, including your web host. Ultra does not currently offer a BAA. Most solo therapists work with a compliance consultant or healthcare attorney to determine which of their vendors need BAAs and to draft the agreements. We focus on providing the secure infrastructure layer; the BAA itself is a separate legal arrangement, and most therapists land it with their EHR rather than their web host because that's where PHI actually lives.

You can host the form on Ultra's hosting with SSL/TLS encryption protecting data in transit. For HIPAA-compliant intake forms that store PHI, most therapists either keep the public-website form simple (basic contact info only) and direct sensitive intake to a HIPAA-compliant practice management system like SimplePractice, TherapyNotes, Jane App, or Counsol that already has BAAs in place, OR work with a compliance consultant to ensure the full intake workflow including the BAA chain is covered. The hosting infrastructure supports it; the workflow design is a separate decision based on your practice setup.

For the marketing, scheduling-link, and informational pages of a telehealth therapy practice, yes. The actual video session platform is typically a separate HIPAA-compliant service like Doxy.me, SimplePractice Telehealth, Zoom for Healthcare, or VSee, each of which provides its own BAA. Ultra hosts your practice website that links out to the video platform; we do not provide the video conferencing layer itself.

Yes. Ultra's hosting plays well alongside any practice management or EHR platform. Your website lives on Ultra and links to your scheduling page, client portal, or intake form hosted on your EHR vendor's domain. The two systems integrate at the link/redirect level. Most therapists run their public-facing website on Ultra and route confidential workflows (notes, billing, secure messaging) through their EHR provider, which is a clean separation of responsibilities and the workflow most compliance consultants recommend.

Standard shared hosting plans run as cPanel accounts on multi-tenant servers (with CloudLinux CageFS separating accounts at the filesystem level), share IP addresses with potentially dozens or hundreds of other websites, and are often hosted on cloud infrastructure where the provider has no physical control over the hardware. For a therapy practice handling client information, that is a poor fit. This plan is a dedicated virtual machine (VPS): your own VM with its own dedicated CPU, RAM, storage allocation, kernel, and IP address. The hypervisor enforces hardware-level separation between VMs, and we physically own and operate the underlying server in our own facility. Our staff are the only people with access.

No. Ultra does not currently offer a BAA. We are transparent about this because we believe it is important for therapists to understand exactly what they are getting. Our plan provides the server-level infrastructure and physical safeguards that support compliance, but a BAA is a separate legal agreement. Most therapists work with a compliance consultant or healthcare attorney to establish BAAs with the vendors that actually handle PHI in their practice, which is typically the EHR rather than the public-facing website.

Yes. Ultra offers free website migration with annual or longer plans. Our migration team handles cPanel transfers, WordPress sites, database moves, and email setup with extra care taken on credentials and data handling during the transfer. Just submit a support ticket after signing up with your current host's login details inside the ticket system (not email).

For appointment scheduling that involves PHI, route clients to your EHR's scheduling page (SimplePractice, TherapyNotes, Jane App, etc.) which carries its own BAA. For general contact forms on your hosted website, encrypted form submission over HTTPS is included by default via the free SSL certificate. If a prospective client sends sensitive information through a basic contact form, your standard practice should be to respond by directing them to a secure intake method through your EHR rather than continuing the conversation by email.

Ultra's HIPAA hosting for therapists starts at $49.95 per month when billed annually. That includes a dedicated IP address, 25 GB of SSD storage, unlimited @yourpractice.com email accounts, free SSL certificate, VPS-level isolation (dedicated virtual machine), on-site hardware with drive chain-of-custody, cPanel control panel, and 24/7 on-site support. The regular month-to-month price is $79.95. Use coupon code HIPAA20 for 20% off your first order.

When a solo practice scales into a group or you start running multiple sites (a main practice site plus a specialty-area landing page or two), our VPS plans (root access, guaranteed CPU/RAM) and dedicated server plans (full hardware control) are the upgrade path. Our support team handles the migration with no downtime, and the same on-site physical safeguards apply at every tier.