Compliance guide
# HIPAA-compliant form builder software
Collecting protected health information (PHI) through online forms requires more than an encrypted (TLS) connection. Healthcare organizations also need Business Associate Agreements, access controls, audit logging, and data handling policies that satisfy the HIPAA Security and Privacy Rules.
## Compliance summary
Formstack is the most established HIPAA form builder with native BAA and SOC 2. Jotform offers HIPAA on Gold tier and above. Cognito Forms provides HIPAA on Enterprise. Always execute a BAA before collecting PHI — "encrypted" alone is not HIPAA compliance.
| Platform | BAA available | Required tier | Encryption | Audit logs | Access controls |
|---|---|---|---|---|---|
| Formstack | ✓ | All paid plans | AES-256 at rest, TLS in transit | ✓ | Role-based |
| Jotform | ✓ | Gold ($129/mo) or Enterprise | Encrypted storage | ✓ | Role-based |
| Cognito Forms | ✓ | Enterprise (~$129/mo) | Encrypted | ✓ | Role-based |
| forms.app | Contact sales | Premium+ | TLS, GDPR controls | ✓ | Team roles |
| Typeform | ✗ | — | TLS | Limited | Basic |
| Google Forms | ✗ | — | Google Workspace | Limited | Basic |
## HIPAA requirements for online forms
Before selecting HIPAA form builder software, your compliance team should verify these requirements — not all "secure" form platforms qualify:
- Business Associate Agreement (BAA). A signed BAA between your organization and the form vendor is mandatory before any PHI is collected or stored.
- Encryption. Data must be encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Access controls. Role-based permissions limiting who can view, edit, and export PHI-containing submissions.
- Audit logging. Immutable logs of who accessed form data and when — required for breach investigation.
- Data retention policies. Configurable retention and automatic deletion of PHI after defined periods.
- Breach notification. Vendor must notify your organization within required timeframes if a data breach occurs.
## Platform recommendations by use case
### Patient intake and registration
Formstack is the default choice for healthcare patient intake forms: it offers a native HIPAA BAA, PDF generation for medical records, e-signatures for consent forms, and approval routing for multi-department workflows. Jotform Gold is a viable alternative with a larger template library for common healthcare forms.
### Employee health screening
For internal HR health questionnaires and wellness surveys, Cognito Forms Enterprise or Jotform Gold both support HIPAA with conditional logic for follow-up questions based on responses. forms.app offers strong conditional logic and team collaboration for organizations that can establish appropriate data handling agreements.
### Telehealth pre-visit forms
Telehealth providers need forms that integrate with scheduling systems and CRM. Formstack's Salesforce integration makes it the strongest choice when patient data must sync to a CRM. See our Salesforce integration guide.
## What is NOT HIPAA compliant
These popular form tools do not offer HIPAA BAAs and should not be used for PHI collection:
- Google Forms — no BAA available, even on Google Workspace
- Typeform — no HIPAA compliance program
- Tally — no BAA or HIPAA controls
- Microsoft Forms — HIPAA only through Microsoft 365 compliance add-ons with specific configuration, not suitable for direct PHI collection via public forms
## Compliance checklist before go-live
- Execute BAA with form software vendor
- Enable HIPAA mode / compliance settings in platform admin
- Configure role-based access for form administrators
- Set data retention and auto-deletion policies
- Disable third-party integrations that are not BAA-covered
- Train staff on PHI handling procedures
- Document your risk assessment per HIPAA Security Rule