Website Compliance for Medical Device Companies: HIPAA, FDA, and ADA
By Rome Thorndike
The Three Compliance Layers
Medical device company websites operate under three overlapping compliance frameworks. Getting any one wrong exposes the company to regulatory action, lawsuits, or both.
FDA: Governs what you can say about your devices. Marketing claims must align with cleared or approved indications. Off-label promotion is prohibited. Comparative claims need substantiation. Every product page is a regulatory document.
HIPAA: If your website collects protected health information (PHI) — patient names, conditions, treatment history — through forms, portals, or chat, and your company is a HIPAA covered entity or a business associate of one, the infrastructure that touches that data must meet the HIPAA Security Rule: encrypted transmission, hosting and form services covered by a business associate agreement (BAA), access controls, and audit logging. If your company is neither, the same controls are still the right engineering baseline, and the data may fall under state privacy laws instead.
ADA: The Americans with Disabilities Act requires websites to be accessible to people with disabilities. Courts have repeatedly held, though not unanimously across circuits, that websites are "places of public accommodation." WCAG 2.1 Level AA is the standard courts and settlement agreements reference.
FDA Compliance for Device Websites
Your product pages are marketing materials. The FDA treats them the same as brochures and advertisements.
- Stay on-label. Describe your device only for its cleared or approved indications. Do not imply broader uses.
- Include required information. Device classification, intended use, and any required warnings or contraindications should be accessible from product pages.
- Comparative claims need evidence. Saying your device is "better" or "faster" than competitors requires substantiation. Vague superiority claims trigger FDA attention.
- Testimonials and case studies. Patient or physician testimonials about device performance can constitute promotion. Review them through regulatory before publishing.
ADA Accessibility Checklist
WCAG 2.1 Level AA compliance includes, at a minimum:
- All informative images have descriptive alt text (purely decorative images get an empty alt attribute so screen readers skip them)
- All form inputs have programmatically associated labels
- Text color contrast is at least 4.5:1 (3:1 for large text)
- The site is fully navigable by keyboard
- Video content has captions
- Page structure uses proper heading hierarchy (H1, H2, H3)
- Interactive elements are accessible to screen readers
ADA lawsuits against healthcare companies have increased year over year. A compliant website is cheaper than a lawsuit. Accessibility also improves SEO — many accessibility best practices overlap with SEO best practices (proper headings, alt text, semantic HTML).
Build a Compliant Site
We build websites for medical device companies with compliance built into the architecture. Static HTML sites reduce the attack surface that matters for HIPAA: there is no database holding PHI and no CMS to patch. PHI never touches the static host; forms that collect it are embedded from, and submit directly to, a HIPAA-compliant form service under a BAA. What remains in scope is the host's TLS configuration, the form vendor's embed script, and any analytics, chat, or ad-tracking scripts loaded on pages where PHI is entered, since those scripts can capture field contents and should be kept off such pages.
Our web design service includes ADA-compliant markup (WCAG 2.1 AA), proper heading hierarchy, and semantic HTML as standard deliverables. Contact us to discuss your compliance requirements.
Frequently Asked Questions
Does my medical device website need to be HIPAA compliant?
Only if it collects protected health information (PHI). A marketing site with no patient data collection does not need HIPAA compliance. A site with patient portals, appointment scheduling, or intake forms that capture health information does.
What happens if my website is not ADA compliant?
You risk an ADA lawsuit. Settlements typically range from $5,000 to $50,000 plus remediation costs and attorney fees. Demand letters from accessibility law firms have become a significant risk, particularly for healthcare companies.
Can a static site be HIPAA compliant?
The static files themselves never receive PHI. Forms that collect PHI are served by and submit to a HIPAA-compliant form service under a BAA (for example, JotForm HIPAA or Formstack with a BAA), so the only PHI path is browser to form vendor over TLS. With no database or server-side code on the site, the attack surface is smaller than a CMS-backed site, but not zero: the form vendor's security, your TLS configuration, and any third-party scripts on form pages still need review, and a form whose action silently falls back to your own host defeats the design.
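The design above only holds if every form on the built site actually posts to the form vendor. The following is an added example, not code from the original page or from any vendor: a build-time audit in Node.js that scans a static site's HTML for form tags and flags any form that uses GET, submits over plain HTTP, or targets a host outside an allowlist of BAA-covered form services. The allowlisted host forms.hipaa-vendor.example, the page URL and the sample HTML are constructed for the example; run it over your real build output with your vendor's hostname.

```javascript
// Added example (not from the original page): build-time check that every <form>
// on a static site POSTs over HTTPS to an allowlisted, BAA-covered form service.
// Assumed values: the allowlisted host and the sample HTML below are constructed
// for this example and do not refer to a real vendor or site.

const ALLOWED_FORM_HOSTS = new Set(["forms.hipaa-vendor.example"]); // assumed allowlist

// Minimal attribute parser for a single <form ...> start tag. Enough for the
// id/method/action attributes of generated HTML; not a general HTML parser.
function parseFormAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*form\b/i, "");
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns a list of {form, issue} findings; an empty list means every form on
// the page POSTs over HTTPS to an allowlisted host.
function auditForms(html, pageUrl, allowedHosts = ALLOWED_FORM_HOSTS) {
  const findings = [];
  const formTagRe = /<form\b[^>]*>/gi;
  let m;
  let n = 0;
  while ((m = formTagRe.exec(html)) !== null) {
    n += 1;
    const attrs = parseFormAttributes(m[0]);
    const form = attrs.id || `form#${n}`;
    // HTML defaults to GET, which puts field values into the URL, Referer header and server logs.
    const method = (attrs.method || "get").toLowerCase();
    let target;
    try {
      // A missing or relative action resolves against the page, i.e. to the static host itself.
      target = new URL(attrs.action || "", pageUrl);
    } catch (err) {
      findings.push({ form, issue: `unparseable action: ${attrs.action}` });
      continue;
    }
    if (method !== "post") findings.push({ form, issue: `method is ${method.toUpperCase()}, not POST` });
    if (target.protocol !== "https:") findings.push({ form, issue: `action is not HTTPS: ${target.href}` });
    if (!allowedHosts.has(target.hostname)) findings.push({ form, issue: `action host not allowlisted: ${target.hostname}` });
  }
  return findings;
}

// Constructed sample page: one correct PHI intake form, one form that falls back
// to the site's own host via GET, and one legacy form still pointing at plain HTTP.
const SAMPLE_HTML = `
<form id="intake" method="post" action="https://forms.hipaa-vendor.example/s/abc123">
  <label for="name">Name</label><input id="name" name="name">
</form>
<form id="newsletter" action="/subscribe">
  <input name="email">
</form>
<form id="legacy" method="POST" action="http://forms.hipaa-vendor.example/s/old">
</form>
`;
const SAMPLE_PAGE_URL = "https://www.example.com/contact.html";

for (const f of auditForms(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(`[${f.form}] ${f.issue}`);
}
```

Wire this into the build so a non-empty findings list fails the deploy; the "newsletter" case is the realistic regression, where a template edit drops the vendor action and the form quietly starts posting to your own host, which holds no BAA.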