Healthcare web design that survives a HIPAA audit and a Lighthouse audit
Healthcare and life sciences sites need both regulatory defensibility and modern performance. Built on the stack covered in my HIPAA posts: Vercel BAA, Supabase HIPAA, and hands-on experience running the $700/month healthcare stack.
Who I build for in healthcare
Healthcare is the industry where the gap between agency marketing claims and audit defensibility is widest. Most agencies promising 'HIPAA-compliant WordPress' have not read the BAA they are relying on. The stack below is the one that actually clears an audit, and the reasoning behind it is written up in detail in my HIPAA posts.
The healthcare clients I take on tend to fit one of these three shapes:
- Health-tech startups building patient portals, intake flows, or AI-driven clinical tools
- Established clinics, dental practices, mental-health services, physiotherapy groups needing a credible brand site plus HIPAA-eligible intake
- Healthcare SaaS companies in the EHR, scheduling, telehealth, or patient-engagement category
What healthcare businesses get wrong about their websites
HIPAA is not just hosting
Most 'HIPAA-compliant hosting' marketing is half the story. The host's BAA covers the infrastructure it operates; you remain responsible for the application layer: what your logs capture (PHI in request bodies, query strings and database error messages), how sessions are issued, expired and revoked, whether stack traces and error reports are scrubbed before they leave your environment, and every third-party API in the request path that sees PHI, each of which needs its own BAA. The audit fails at the application layer roughly 80% of the time, not at the host.
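The application-layer items above are where the build usually goes wrong, so here is an added example (my illustration, not code from this page or from any vendor named on it) of three checks for a Node/Next.js API route: a structured-log redactor, an error scrubber for anything handed to a third-party error tracker, and an allowlist gate for outbound requests that carry PHI. The field names, regex patterns, hostnames and the sample intake record are all constructed assumptions. Regex redaction is a backstop, not a substitute for never putting PHI in a log line in the first place.

```javascript
// Added example, not the page's code. Field names, patterns, hostnames and
// the sample record are assumptions chosen for illustration.

// Keys whose values are PHI regardless of content: replace them outright.
const PHI_FIELDS = new Set([
  "name", "firstName", "lastName", "dob", "ssn", "mrn",
  "email", "phone", "address", "diagnosis", "notes",
]);

// Patterns that show up in free text, DB error messages and stack traces.
// Order matters: the SSN pattern runs before the looser phone pattern.
const PHI_PATTERNS = [
  [/\b\d{3}-\d{2}-\d{4}\b/g, "[SSN]"],
  [/\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g, "[EMAIL]"],
  [/\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/g, "[PHONE]"],
  [/\b(?:19|20)\d{2}-\d{2}-\d{2}\b/g, "[DATE]"],
];

function redactString(s) {
  return PHI_PATTERNS.reduce((acc, [re, tag]) => acc.replace(re, tag), s);
}

// Walk a log payload: known PHI keys are replaced, every other string is
// pattern-scrubbed, nesting is bounded so a cyclic object cannot hang the logger.
function redact(value, depth = 0) {
  if (depth > 10) return "[DEPTH]";
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = PHI_FIELDS.has(k) ? "[REDACTED]" : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Error scrubbing: a failed insert often echoes the offending row back in
// err.message. Return a sanitized copy before it reaches any error tracker.
function scrubError(err) {
  return {
    name: err.name,
    message: redactString(err.message),
    stack: err.stack ? redactString(err.stack) : undefined,
  };
}

// Third-party API gate: only hosts with a signed BAA may receive a request
// that carries PHI. These hostnames are placeholders, not real endpoints.
const BAA_HOSTS = new Set(["db.example-supabase.co", "api.example-ehr.com"]);

function assertBaaCoveredHost(url, carriesPhi) {
  const host = new URL(url).hostname;
  if (carriesPhi && !BAA_HOSTS.has(host)) {
    throw new Error(`refusing to send PHI to ${host}: no BAA on file`);
  }
  return host;
}

// Constructed sample: an intake record as it would reach a logger on an error path.
const sampleIntake = {
  requestId: "req-01",
  patient: { name: "Jane Doe", dob: "1984-03-09", email: "jane@example.com" },
  message: "Callback to 555-123-4567 please",
};

console.log(JSON.stringify(redact(sampleIntake)));
```

Wire `redact` in front of whatever logger you use (a pino or winston formatter, or the body of a custom `console` wrapper) and `scrubError` in front of the error-tracker SDK's capture call; `assertBaaCoveredHost` belongs in the one outbound HTTP helper every PHI-handling route is required to go through, so the allowlist is enforced in code rather than by convention.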
Vercel BAA changed the economics in 2025
Until September 2025, a Next.js healthcare app on Vercel meant an Enterprise contract (~$45K/year median) to get a BAA. The Pro BAA add-on at $350/month opened Vercel up to pre-Series-A teams. Combined with Supabase's HIPAA add-on at $350/month, the platform layer for a defensible Next.js healthcare stack is about $700/month in add-ons on top of the base plans, rather than $7,000/month.
JotForm Gold is the underrated path
If forms are the only PHI touchpoint, JotForm Gold at $99/month includes HIPAA compliance with no add-on: sign their BAA, enable HIPAA compliance on the account, embed the form, and PHI never touches your infrastructure. The caveat is that the embed only keeps PHI out if you also keep it out: any notification email, webhook or integration that forwards submissions back into your own systems or into a tool without a BAA re-introduces it. Most healthcare clinics over-engineer this; the right answer is often a $99/month JotForm embed plus a marketing site that does not touch PHI at all.
What you actually get with the modern-stack approach
One senior team, no junior handoff
I am the senior on every engagement: twelve thousand sites of practice across nine years at Seahawk Media. The kickoff conversation is with me; the build is delivered with senior engineers; the handover at the end is real code with documentation, not an agency-locked WordPress install.
Modern stack first — Next.js, Astro, Supabase, headless WordPress
Most agencies in the healthcare space ship 30-plugin WordPress builds because that is what they know. I ship Next.js, Astro, and headless WordPress for the public site, keeping WordPress as the editorial back end only when the team is genuinely trained on wp-admin. The result: faster pages, a smaller attack surface (no plugin sprawl on the public-facing host), lower hosting costs, and a site that lasts longer.
SEO transport that does not lose rankings
If you are migrating from an existing site, the SEO transport is what decides whether the migration is a clean handover or a six-month traffic recovery: redirect maps built from Search Console and Ahrefs URL data, Yoast or Rank Math metadata carried across, schema preserved, hreflang continuity maintained. These are the boring parts that 90% of agencies skip and 100% of post-launch reports complain about.
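As an added example of the redirect-map step (my illustration, not tooling from this page): the function below turns an old-path to new-path map, of the kind you assemble from a Search Console export and an Ahrefs crawl, into a Next.js `redirects()` array. It normalizes trailing slashes and query strings, drops self-redirects, collapses chains so every redirect is a single permanent hop, and refuses loops, which are the two defects that quietly bleed rankings after launch. The sample map is constructed.

```javascript
// Added example, not the page's code. The sample map and the normalization
// rules are assumptions; adjust them to the old site's URL conventions.

function normalizePath(p) {
  // Strip query string and fragment, collapse trailing slashes, keep root as "/".
  let path = p.trim().replace(/[?#].*$/, "");
  if (path.length > 1) path = path.replace(/\/+$/, "");
  return path || "/";
}

// rawMap: { "/old-path": "/new-path", ... } -> Next.js redirects() entries.
function buildRedirects(rawMap) {
  const map = new Map();
  for (const [from, to] of Object.entries(rawMap)) {
    const f = normalizePath(from);
    const t = normalizePath(to);
    if (f === t) continue; // self-redirect after normalization: drop it
    map.set(f, t);
  }

  const redirects = [];
  for (const [from] of map) {
    // Follow the chain to its final destination so each redirect is one hop.
    const seen = new Set([from]);
    let dest = map.get(from);
    while (map.has(dest)) {
      if (seen.has(dest)) throw new Error(`redirect loop through ${dest}`);
      seen.add(dest);
      dest = map.get(dest);
    }
    redirects.push({ source: from, destination: dest, permanent: true });
  }
  return redirects;
}

// Constructed sample: two legacy paths, one of which chains through another,
// plus a trailing-slash variant that normalizes to its own target.
const sampleMap = {
  "/services/": "/care",
  "/care": "/clinic",
  "/clinic/": "/clinic",
};

console.log(JSON.stringify(buildRedirects(sampleMap), null, 2));
```

In `next.config.js` this becomes `async redirects() { return buildRedirects(map); }`; keep the map in version control next to the config so the post-launch Search Console 404 report can be diffed against it rather than reconstructed.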
When you're ready
Book a 30-minute call. No slide deck, no qualification screen. You describe the healthcare business, the brief, the timeline. I tell you whether I am the right person, and by the end of the call you have a stack pick, a price range, and a realistic delivery window.