— Healthcare · Clinics · Practices

PHIPA (ON) · HIA / PHIA / Law 25 (provincial) · HIPAA (US) · BAA included

Clinic websites & patient apps, built to pass.

Your booking form, intake, and contact page already handle patient privacy data — and on a typical Wix, Squarespace, or shared-WordPress site, you're not compliant. We design and hand-code clinic websites and patient applications that pass PHIPA and HIPAA from day one — with compliant hosting, BAA paperwork, and the controls your audit needs already included in the package.

Clinic websites from $1,998+ · Patient portals from $4,998+ · Most builds grant-eligible (DMAP / SR&ED / IRAP)

— The part most clinics miss

A marketing site is a compliance surface.

Every Canadian province (and HIPAA in the US) treats clinics as health-information custodians or trustees — PHIPA in Ontario, HIA in Alberta, PIPA in BC, HIPA in Saskatchewan, PHIA in Manitoba and Atlantic Canada, Law 25 in Quebec. That responsibility triggers the moment you collect patient information — not when it reaches the EMR. Every field below is PHI in the eyes of the law:

If your current site runs on Wix, Squarespace, GoDaddy, or shared WordPress, it almost certainly fails at least three of these basic controls: TLS on form submission, encrypted storage, a signed BAA / DPA with the host, audit logging, and access control. A single contact form going through a consumer email plugin is enough to be out of compliance.

Common PHI surfaces on a clinic site

  • Online booking form: Name, DOB, health card, reason for visit.
  • New-patient intake form: Medical history, meds, allergies, insurance.
  • "Contact us" with condition details: Patients describing symptoms in a textarea.
  • Secure messaging & reminders: Any back-and-forth about care, including SMS.
  • Document upload: Referral letters, lab results, insurance cards, ID.

— What we build for clinics

Three packages for three clinic realities.

Every package is a finished deliverable — designed, hand-coded, deployed on a compliant region with BAA paperwork, and handed over on day one of launch. Compliant hosting, audit logging, and the technical controls your auditor will ask about are all built in. You pay for the build, not for the compliance.

Display only · no intake

Clinic marketing site

For clinics that don't collect any patient info on the site — just a marketing presence with hours, location, services, and a phone number. If you have any booking form or intake, pick the CMS package instead.

CAD$988

or from $82/mo · 12-month plan · 0% interest

  • Up to 6 custom-designed pages
  • Sub-second load times
  • Phone & static contact info only
  • PHIPA / HIPAA-compliant hosting
  • SEO + Google Business setup
  • Full source ownership

Advanced · custom app

Patient portal & app

A custom web or mobile application — patient sign-in, document upload, secure messaging, booking, EMR sync. Scoped and quoted per project.

CAD$4,998+

milestone billing · SR&ED / IRAP-eligible

  • Patient sign-in with MFA
  • Secure messaging & document upload
  • Booking, waitlist, reminders
  • EMR / FHIR / HL7 integrations
  • Role-based access (clinician / admin / patient)
  • PHIPA / HIPAA-compliant hosting + BAA
  • Up to 80% labour via IRAP

Already have a site on Wix / Squarespace / WordPress? We do compliant migrations in 3–4 weeks.

— Included in every package

Compliance is in the price, not on top of it.

When someone else sells you a website, "HIPAA-ready hosting" is usually an upsell on a site that wasn't built for it. Our packages include the full set of controls — because the site is built around them.

  • PHIPA / HIPAA-compliant hosting: Compliant Canadian or US hosting region included as part of every package. No DIY, no shared WordPress boxes.
  • Compliance paperwork handled: HIPAA requires a signed BAA between your clinic and anyone touching patient data. We sign and manage it for you, including with the hosting provider.
  • Encryption in transit + at rest: TLS 1.3 on every connection, AES-256 on stored patient data. Rotating keys.
  • Role-based access + MFA: Clinician, admin, patient roles out of the box. MFA enforced on all privileged accounts.
  • Access logs kept for 7 years: HIPAA and PHIPA require clinics to keep records of who viewed patient data, and when. We log it automatically and retain it for the full 7 years, ready for any audit.
  • Minimum-necessary data: Forms ask only for the fields the workflow actually needs. Less to leak.
  • Breach detection hooks: Anomalous-access alerts and a runbook for your security contact. On by default.
  • Your code and files: Everything we build is yours to keep. No lock-in.
  • Grant documentation: DMAP / SR&ED / IRAP-eligible scoping. Up to 50–80% of cost covered for most Canadian clinics.

Not sure if your current site is exposed?

Free compliance audit — we scan your public site and flag the PHIPA / HIPAA gaps in plain English.


— Client voice

Shipped for clients we care about.

Marc, Trifocal Global Foundation

Our primary goal was to create a reliable hub that could seamlessly connect our foundation with our stakeholders, especially for our upcoming events and bookings. Artificial Perfection delivered a highly professional, stable platform. The event registration flow is intuitive, and the backend management gives us exactly the control we need. A very solid and dependable technical partner.

Jasmine, GE Investments

As an investment firm, we needed a corporate website that was clean, fast, and projected absolute professionalism. AP handled our brand refresh seamlessly. They built a highly polished, standard corporate platform without overcomplicating the process. The 1/3-to-2/3 grid layout and the high-end visuals they integrated give us a very premium digital footprint.

Tianna, MedigoRX

Honestly, the AP team completely blew us away! We didn't need a marketing site; we needed a beast of a logistics engine. They built us a massive tri-domain platform connecting our warehouses, delivery drivers, and customers in real-time. It handles complex routing logic effortlessly. If you need a team that can build serious, heavy-lifting custom infrastructure without the crazy enterprise timelines, look no further!

— Common questions

What clinics usually ask.

My clinic just has a basic website with a booking form — do I actually need to care about PHIPA?

Yes — and the same applies in every Canadian province under its own statute: PHIPA in Ontario, HIA in Alberta and the territories, PIPA in BC, HIPA in Saskatchewan, PHIA in Manitoba and the Atlantic provinces, and Law 25 in Quebec. The moment a patient enters their name, date of birth, health card, or reason for visit on your site, you become a health-information custodian / trustee under whichever law governs your province. Ontario's IPC has published breach findings involving clinics whose booking forms sent PHI over plain email — the same enforcement happens through the privacy commissioners in BC, AB, QC, and Atlantic Canada. Most small-clinic sites on Wix, Squarespace, or shared WordPress fail at least three basic controls. We build replacements that pass — end-to-end.

We're in the US — same situation?

Under HIPAA, appointment requests, intake forms, and contact forms that ask about symptoms all count. If the infrastructure isn't covered by a Business Associate Agreement, you're already non-compliant. Every package we ship includes a signed BAA / DPA as part of the deliverable.

We're a Canadian clinic outside Ontario — does a PHIPA-grade build still cover us?

Yes — every province has its own health-information law and they all impose the same custodian / trustee duty when a clinic collects patient data:

  • Alberta — Health Information Act (HIA) + PIPA
  • British Columbia — PIPA + PIPEDA fallback
  • Saskatchewan — Health Information Protection Act (HIPA)
  • Manitoba — Personal Health Information Act (PHIA)
  • Quebec — Law 25 (the strictest Canadian regime — explicit consent, data residency in Canada, mandatory breach notification, right to erasure)
  • New Brunswick — PHIPAA
  • Nova Scotia, Newfoundland & Labrador, PEI — PHIA / HIA
  • Yukon & Northwest Territories — HIPMA / HIA

The technical controls in every package — TLS in transit, encryption at rest, role-based access, audit logs, signed BAA / DPA, breach-notification readiness, vendor offboarding — clear all of these. We pick a hosting region that matches your provincial requirements (Quebec data stays in QC / Canada, Atlantic and BC data stays in Canada, etc.) and the paperwork is named to the right statute.

Which package should a clinic actually pick?

If your site is purely a marketing page (hours, location, services) and does not collect any patient info at all, the Display-only package is fine. The moment you have a booking form, intake form, or contact form asking about symptoms, you need the Clinic CMS package — which is what most clinics end up on. If you also need a patient portal with sign-in and messaging, you're looking at the Patient Portal app.

What's included in the clinic website package?

Design, hand-coded build (fast and accessible), PHIPA-safe booking and intake forms, secure contact flow, PHIPA / HIPAA-compliant hosting, BAA / DPA paperwork, encryption in transit and at rest, role-based access, audit log, and handover of everything (your GitHub, your DNS, your domain). No per-seat tax on your team. From $1,998+.

What about a patient portal or custom app?

We build them as full applications — secure sign-in, document upload, messaging, booking, EMR integration (Jane, OSCAR, Accuro, athenahealth, Epic via FHIR where supported), reminders. Scoped per project, priced from $4,998+. Most qualify for SR&ED (up to 35% back) and IRAP (up to 80% of labour).

How long does it take?

Clinic marketing site: 2–6 weeks. Patient portal / custom app: 6–12 weeks. Migration from a non-compliant Wix / Squarespace / shared WordPress site: typically 3–4 weeks. Weekly demos, Friday deploys, no month-long silences.

Do we own everything afterward?

Yes. Your GitHub, your database, your BAA, your domain. If you ever stop working with us, the next compliance-aware dev team picks it up the same afternoon. No lock-in.

What about grants?

Most clinic builds qualify for DMAP (up to $15K for digital adoption), SR&ED (refundable tax credit on technical R&D), and IRAP (covers up to 80% of labour for innovative work). We document the project so your accountant can claim every dollar available.

— Next step

Build on a compliant foundation — from week one.

Free compliance audit of your current site, or a written quote on a new build. Plain-English summary of your PHIPA / HIPAA exposure, a recommended hosting region, and a fixed-scope timeline inside 24 hours.
