Building a HIPAA-Compliant Website: What I Learned from StratosMedical
Regulated industries need more than a template. Here's what I learned building a medical courier website with 33 automated tests for accessibility, security, and compliance.
When Stratos Medical Holdings asked me to build their website, the first question wasn't about design or features. It was about trust.
A medical courier service handles specimens, pharmaceuticals, and patient records. Their website is often the first impression for hospital procurement managers and lab directors. It needs to communicate competence, compliance, and reliability — not just look nice.
The Template Trap
The easy path would have been a WordPress template. Medical industry templates exist. They're cheap, they're fast, and they look... fine.
But "fine" isn't the same as "right." Templates can't demonstrate HIPAA awareness in their structure. They don't come with automated accessibility testing. They don't verify their own security. And when a hospital IT department evaluates your site, "it's a WordPress template" isn't the answer you want to give.
Why 33 Tests for a 5-Page Website?
This might sound like overkill. It's not. Here's why:
Accessibility isn't optional in healthcare. Hospitals and medical facilities often have accessibility requirements for their vendors. We ran 13 axe-core tests to verify WCAG compliance — proper heading hierarchy, ARIA landmarks, color contrast, form labels, alt text. These aren't nice-to-haves; they're baseline requirements.
Form security matters. The contact form accepts company names, email addresses, and service inquiries. We wrote 9 tests to verify server-side validation, injection prevention, and proper error handling. A medical business's contact form shouldn't be a security liability.
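To make the server-side validation described above concrete, here is an added example in PHP (not the StratosMedical site's own code, and not one of its 9 tests); the field names, length limits, CSRF token handling and the mail-header newline check are assumptions about a typical contact form like the one described.

```php
<?php
// Added example (not the StratosMedical site's own code): server-side
// validation for the three contact-form fields the post names. Field
// names, length limits and the mail-header check are assumptions.
declare(strict_types=1);

function validate_contact(array $post, string $sessionToken): array
{
    $errors = [];
    $clean  = [];
    // CSRF: the form must echo back the token stored in the session.
    $token = (string)($post['csrf_token'] ?? '');
    if ($sessionToken === '' || !hash_equals($sessionToken, $token)) {
        $errors['csrf'] = 'Invalid form token. Please reload and try again.';
    }
    // Company name: bounded length and no CR/LF, because the value is
    // later placed in an e-mail and a newline there could inject headers.
    $company = trim((string)($post['company'] ?? ''));
    if ($company === '' || mb_strlen($company) > 100) {
        $errors['company'] = 'Company name is required (max 100 characters).';
    } elseif (preg_match('/[\r\n]/', $company)) {
        $errors['company'] = 'Company name contains invalid characters.';
    } else {
        $clean['company'] = $company;
    }
    // E-mail: use PHP's validator rather than a hand-rolled regex.
    $email = trim((string)($post['email'] ?? ''));
    if (mb_strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid e-mail address.';
    } else {
        $clean['email'] = $email;
    }
    // Inquiry: bounded free text, kept as plain text, never treated as HTML.
    $inquiry = trim((string)($post['inquiry'] ?? ''));
    if ($inquiry === '' || mb_strlen($inquiry) > 2000) {
        $errors['inquiry'] = 'Please describe your inquiry (max 2000 characters).';
    } else {
        $clean['inquiry'] = $inquiry;
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

// Escape on output so an echoed-back value can never become markup.
function render_error(string $message): string
{
    return '<p class="error">' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}
```

The handler that calls `validate_contact()` should only send mail or store the inquiry when `ok` is true, and should return each message in `errors` through `render_error()` rather than echoing the raw input.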
Mobile has to work perfectly. Medical professionals check vendor websites on their phones between rounds. We tested hamburger menu behavior across viewport sizes to ensure navigation never breaks.
SEO needs verification. The 4 SEO tests check meta tags, Open Graph data, JSON-LD structured data, and sitemap generation. These aren't vanity metrics — they're how a new medical courier service gets found by hospitals searching for local providers.
The Stack Decision
We built it with PHP, Tailwind CSS, and vanilla JavaScript. No framework, no database, no build step.
This wasn't a compromise — it was the right call. A medical courier website is fundamentally a brochure site with a contact form. Using React or Next.js would have added complexity with zero benefit. The entire site is five PHP files with shared includes for the header and footer.
The Tailwind CSS brand colors, the compliance badge section, the structured data — all of it works without a build pipeline. Deploy the PHP files and you're done.
What I'd Tell Other Developers
If you're building for a regulated industry:
- Test the things that matter to the regulator. Accessibility compliance, form security, and data handling are more important than animation smoothness.
- Match the stack to the problem. A simple site deserves a simple stack. Complexity should be earned, not assumed.
- Compliance badges aren't decoration. HIPAA, OSHA, DOT — each one means something specific. Display them accurately and be prepared to explain what they mean.
- Automated tests are documentation. The test suite proves that specific requirements are met. When someone asks "is this accessible?", you can point to 13 passing tests instead of saying "I think so."
The site launched on time, passed all automated audits, and has been the cornerstone of Stratos Medical's client acquisition process.