HIPAA Compliance Guide

Are Google Forms, Typeform, or JotForm HIPAA Compliant?

If your practice collects patient health information through online forms, you need a HIPAA-compliant form builder. Here is how the most popular platforms compare.

What Does HIPAA Require From a Form Builder?

Before a cloud-based form tool can handle protected health information (PHI), it must meet these requirements:

Signed BAA

A Business Associate Agreement between your practice and the vendor is legally required (45 CFR 164.502(e) and 164.504(e)) before the vendor may create, receive, maintain, or transmit PHI on your behalf. No security feature substitutes for it.

Encryption

Data must be encrypted in transit (TLS) and at rest (AES-256 is the usual choice) so that an intercepted connection or a copied disk does not expose PHI. Under the Security Rule encryption is an "addressable" specification rather than a strictly mandatory one, but a vendor that skips it must document an equivalent safeguard, so in practice treat it as required.

Audit Trails

The system must log who accessed, created, or modified PHI, with timestamps and user identification.

Access Controls

Role-based access so that only authorized personnel can view patient data, a unique login for every user (no shared accounts), and automatic logoff after a period of inactivity.
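What the Audit Trails and Access Controls requirements look like in code, as an added example (illustrative only, not any vendor's implementation): a small record store that enforces a role policy, logs every access attempt including the denied ones with who/what/when, and chains the log entries with SHA-256 so that editing an entry after the fact is detectable. The role names, users, and patient record are constructed for the demonstration.

```python
"""Role-based access to patient records with a tamper-evident audit trail.

Added example for the Audit Trails and Access Controls requirements above,
not any vendor's implementation. Roles, users and records are constructed.
"""
import hashlib
import json
import time

# Assumed role policy: which actions each role may perform on a record.
ROLE_PERMISSIONS = {
    "clinician": {"create", "read", "update"},
    "front_desk": {"create", "read_demographics"},
    "billing": {"read_demographics"},
}
GENESIS = "0" * 64  # "previous hash" of the first log entry


class AccessDenied(PermissionError):
    pass


def _digest(entry):
    # Hash everything except the entry's own hash, canonically encoded.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log in which each entry commits to its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, user, action, record_id, outcome):
        entry = {
            "ts": time.time(),      # when
            "user": user,           # who
            "action": action,       # did what
            "record": record_id,    # to which record
            "outcome": outcome,     # allowed / denied
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """-1 if the chain is intact, else the index of the first entry whose
        content or link to its predecessor has been altered."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


class PatientRecords:
    """PHI store that enforces the role policy and audits every attempt."""

    def __init__(self, audit, roles):
        self.audit, self.roles, self.records = audit, dict(roles), {}

    def _authorize(self, user, action, record_id):
        allowed = action in ROLE_PERMISSIONS.get(self.roles.get(user), set())
        # Denied attempts are logged too; they are what an investigation needs.
        self.audit.append(user, action, record_id, "allowed" if allowed else "denied")
        if not allowed:
            raise AccessDenied(f"{user} may not {action} {record_id}")

    def create(self, user, record_id, data):
        self._authorize(user, "create", record_id)
        self.records[record_id] = dict(data)

    def read(self, user, record_id):
        self._authorize(user, "read", record_id)
        return dict(self.records[record_id])

    def read_demographics(self, user, record_id):
        # Minimum necessary: non-clinical roles never receive clinical fields.
        self._authorize(user, "read_demographics", record_id)
        return {k: v for k, v in self.records[record_id].items() if k in ("name", "dob")}


def demo():
    """Constructed scenario; returns the audit log and what each call returned."""
    log = AuditLog()
    store = PatientRecords(log, {"dr.lee": "clinician", "billing.ann": "billing"})
    store.create("dr.lee", "pt-0001", {"name": "A. Patient", "dob": "1980-01-01", "phq9": 14})
    outcomes = {"clinician_read": store.read("dr.lee", "pt-0001"),
                "billing_demographics": store.read_demographics("billing.ann", "pt-0001")}
    try:
        store.read("billing.ann", "pt-0001")
        outcomes["billing_full_read"] = "allowed"
    except AccessDenied:
        outcomes["billing_full_read"] = "denied"
    return log, outcomes


if __name__ == "__main__":
    log, outcomes = demo()
    print(outcomes)
    print("chain intact:", log.verify() == -1)
    log.entries[1]["user"] = "mallory"  # simulate after-the-fact editing of the log
    print("first bad entry:", log.verify())
```

Two things the example makes concrete that the requirement text does not: the denied attempt by the billing user is still a log entry (a vendor that only logs successful reads cannot answer "who tried to see this chart"), and the hash chain means a log entry cannot be quietly rewritten without either its own hash or the next entry's `prev` link failing verification. In production the chain head would additionally be anchored somewhere the application cannot write, such as a WORM bucket or a signed periodic checkpoint.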

Platform-by-Platform Comparison

We reviewed seven popular form builders for HIPAA compliance. Here is what we found.

Google Forms

Conditional

Only with Google Workspace + BAA

  • Free consumer Google Forms: not HIPAA compliant.
  • Google Workspace (paid) can be configured for HIPAA. Google will sign a BAA covering Workspace services, including Forms.
  • However, you must still restrict sharing in the Admin console, manage access controls, and make sure no PHI lands in connected Sheets or Drive folders shared outside your org.
  • No built-in audit trail for form submissions, and no encryption at the form level beyond what Google's infrastructure applies to everything.

BAA: Yes (Workspace only)
Encryption: TLS in transit, Google-managed at rest
Audit Trail: No
Built for Healthcare: No
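The Google Forms notes above say you must make sure no PHI leaks into connected Sheets or Drive folders shared outside your org. One way to check that, as an added example (not code from this page or from Google): take the permission list that the Drive API v3 `permissions.list` call returns for a response sheet and flag every grant that reaches outside an assumed organization domain. The domain `clinic.example` and the three sample permission lists are constructed for the demonstration; in practice you would fetch the real lists for each form file, its response sheet, and the folder they sit in, since folder sharing propagates downward.

```python
"""Flag Google Drive sharing that would expose form responses outside the org.

Added example, not code from the page or from Google. Input records follow
the shape of the Drive API v3 `permissions` resource: `type` is user, group,
domain or anyone; `role` is owner/writer/commenter/reader; users and groups
carry `emailAddress`, domains carry `domain`. The organisation domain and the
sample permission lists are constructed for the demonstration.
"""
from dataclasses import dataclass

ORG_DOMAIN = "clinic.example"  # assumed organisation domain


@dataclass(frozen=True)
class Finding:
    file_name: str
    severity: str   # "critical": readable outside the org; "warning": review
    reason: str


def _email_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def audit_permissions(file_name, permissions, org_domain=ORG_DOMAIN):
    """Return findings for one file's permission list (empty list = clean)."""
    findings = []
    for perm in permissions:
        ptype, role = perm.get("type"), perm.get("role", "reader")
        if ptype == "anyone":
            # Link sharing. With allowFileDiscovery the sheet is also searchable.
            how = "discoverable" if perm.get("allowFileDiscovery") else "anyone with the link"
            findings.append(Finding(file_name, "critical", f"public ({how}), role={role}"))
        elif ptype == "domain":
            domain = perm.get("domain", "").lower()
            if domain != org_domain:
                findings.append(Finding(file_name, "critical",
                                        f"shared with external domain {domain}, role={role}"))
            else:
                # Inside the BAA boundary, but every employee can read PHI:
                # a minimum-necessary problem worth reviewing.
                findings.append(Finding(file_name, "warning",
                                        f"shared with everyone in {domain}, role={role}"))
        elif ptype in ("user", "group"):
            address = perm.get("emailAddress", "")
            if _email_domain(address) != org_domain:
                findings.append(Finding(file_name, "critical",
                                        f"shared with external {ptype} {address}, role={role}"))
        else:
            findings.append(Finding(file_name, "warning", f"unrecognised permission type {ptype!r}"))
    return findings


def audit_files(files, org_domain=ORG_DOMAIN):
    """Map file name -> findings for a dict of name -> permission list."""
    return {name: audit_permissions(name, perms, org_domain) for name, perms in files.items()}


# Constructed sample: what permissions.list might return for three response sheets.
SAMPLE_FILES = {
    "Patient Intake (Responses)": [
        {"type": "user", "emailAddress": "frontdesk@clinic.example", "role": "owner"},
        {"type": "user", "emailAddress": "dr.lee@clinic.example", "role": "writer"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ],
    "PHQ-9 Screening (Responses)": [
        {"type": "user", "emailAddress": "intake@clinic.example", "role": "owner"},
        {"type": "user", "emailAddress": "consultant@gmail.com", "role": "reader"},
        {"type": "domain", "domain": "clinic.example", "role": "reader"},
    ],
    "Billing Contact Form (Responses)": [
        {"type": "user", "emailAddress": "billing@clinic.example", "role": "owner"},
        {"type": "group", "emailAddress": "billing-team@clinic.example", "role": "writer"},
    ],
}

if __name__ == "__main__":
    for name, findings in audit_files(SAMPLE_FILES).items():
        print(name, "-> clean" if not findings else "")
        for finding in findings:
            print(f"  [{finding.severity}] {finding.reason}")
```

The "anyone with the link" case is the one that catches practices out most often: a response sheet shared that way never appears in anyone's inbox, so nobody notices, yet the link is all an attacker needs. The same check, with a different permission model, is what "disable external sharing" means for Microsoft 365.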

Typeform

Not Compliant

No BAA available

  • Typeform does not sign a Business Associate Agreement (BAA), which is a legal requirement under HIPAA before any vendor can handle PHI.
  • Without a BAA, using Typeform to collect patient health information violates HIPAA, regardless of what security features the platform offers.
  • Typeform's own documentation does not claim HIPAA compliance.

BAA: No
Encryption: TLS in transit, AES-256 at rest
Audit Trail: No
Built for Healthcare: No

Tally

Not Compliant

No BAA, EU-based data processing

  • Tally does not offer a BAA and is not designed for HIPAA-regulated use cases.
  • Tally is based in the EU and processes data under GDPR, but does not provide the US-specific safeguards that HIPAA requires.
  • Using Tally to collect patient health information would violate HIPAA.

BAA: No
Encryption: TLS in transit
Audit Trail: No
Built for Healthcare: No

Microsoft Forms

Conditional

Only with Microsoft 365 + BAA

  • Consumer Microsoft Forms (free) is not HIPAA compliant.
  • Microsoft 365 Business and Enterprise plans include a BAA that covers Microsoft Forms, along with other Microsoft 365 services.
  • As with Google, you need to configure data loss prevention (DLP) policies, disable external sharing, and manage access controls yourself. The tool itself does not enforce healthcare-specific workflows.
  • No healthcare-specific form templates, screening tools, or patient intake workflows.

BAA: Yes (M365 Business/Enterprise)
Encryption: TLS in transit, BitLocker at rest
Audit Trail: Partial (via M365 compliance center)
Built for Healthcare: No

JotForm

Conditional

HIPAA plan available at higher cost

  • JotForm offers a dedicated HIPAA-compliant plan that includes a signed BAA, encrypted form submissions, and HIPAA-compliant storage.
  • The HIPAA plan starts at a higher price point than their standard plans. Only forms on the HIPAA plan are compliant, not regular JotForm forms.
  • JotForm is a general-purpose form builder. It lacks healthcare-specific features like validated screening tools (PHQ-9, GAD-7), patient record mapping, or appointment scheduling.

BAA: Yes (HIPAA plan only)
Encryption: TLS in transit, AES-256 at rest (HIPAA plan)
Audit Trail: Yes (HIPAA plan)
Built for Healthcare: No

Formstack

Conditional

HIPAA plan available at premium pricing

  • Formstack offers HIPAA-compliant plans with a signed BAA, encrypted submissions, and access controls.
  • HIPAA compliance requires their higher-tier plans, which are significantly more expensive than their standard offerings.
  • Formstack is a general-purpose form and document automation platform. Healthcare-specific features like screening tools and patient intake workflows are not included.

BAA: Yes (HIPAA tier)
Encryption: TLS in transit, AES-256 at rest
Audit Trail: Yes (HIPAA tier)
Built for Healthcare: No

Formisoft

HIPAA Ready

Built for healthcare, HIPAA-ready on every plan

  • Formisoft is purpose-built for healthcare practices. Every plan includes a signed BAA, AES-256 encryption, complete audit trails, and role-based access control.
  • No separate HIPAA tier or add-on. Every account is HIPAA-ready from day one.
  • Includes healthcare-specific features: validated screening tools (PHQ-9, GAD-7, PCL-5), patient record mapping, appointment scheduling, insurance verification, automated reminders, and 200+ medical form templates.
  • All data hosted and processed exclusively in the United States.

BAA: Yes (every plan)
Encryption: TLS 1.3 in transit, AES-256 at rest
Audit Trail: Yes (every plan)
Built for Healthcare: Yes

Quick Comparison

Platform        | BAA                            | Audit Trail       | Healthcare Features | HIPAA Ready
Google Forms    | Yes (Workspace only)           | No                | No                  | Conditional
Typeform        | No                             | No                | No                  | Not Compliant
Tally           | No                             | No                | No                  | Not Compliant
Microsoft Forms | Yes (M365 Business/Enterprise) | Partial           | No                  | Conditional
JotForm         | Yes (HIPAA plan only)          | Yes (HIPAA plan)  | No                  | Conditional
Formstack       | Yes (HIPAA tier only)          | Yes (HIPAA tier)  | No                  | Conditional
Formisoft       | Yes (every plan)               | Yes (every plan)  | Yes                 | HIPAA Ready

Why Healthcare Practices Choose Formisoft

Unlike general-purpose form builders that bolt on HIPAA compliance as a premium add-on, Formisoft is built for healthcare from the ground up.

Signed BAA included on every plan

200+ medical form templates

Validated screening tools (PHQ-9, GAD-7, PCL-5)

Patient record mapping and auto-population

Appointment scheduling and reminders

Insurance verification forms

AES-256 encryption and complete audit trails

All data hosted in the United States

Frequently Asked Questions

Can I use Google Forms for patient intake?
Only if you have a paid Google Workspace account with a signed BAA. Free Google Forms accounts cannot be used to collect PHI. Even with Workspace, Google Forms lacks healthcare-specific features like screening tools, patient record mapping, and appointment scheduling.
Is Typeform HIPAA compliant?
No. Typeform does not offer a Business Associate Agreement (BAA), which is a legal requirement for any vendor handling protected health information under HIPAA. Using Typeform to collect patient data would be a HIPAA violation.
What makes a form builder HIPAA compliant?
HIPAA compliance for form builders requires: a signed Business Associate Agreement (BAA) with the vendor, encryption of data in transit and at rest, access controls and authentication, audit trails logging who accessed what data and when, and a breach notification process. The vendor must also store data in compliant infrastructure and follow HIPAA's administrative, physical, and technical safeguard requirements.
Are free form builders ever HIPAA compliant?
Generally, no. The free tiers of popular form builders (Google Forms, Microsoft Forms, Tally, Typeform) do not come with a BAA, and most lack audit trails; transport encryption alone, which nearly every tool has, does not make it compliant. Some platforms offer HIPAA compliance as a paid add-on or premium tier.
Does Formisoft sign a BAA?
Yes. Every Formisoft plan includes a signed Business Associate Agreement at no extra cost. There is no separate HIPAA tier or add-on. All accounts are HIPAA-ready from day one with encryption, audit trails, role-based access, and US-only data residency.
Can I use JotForm or Formstack for healthcare forms?
Both JotForm and Formstack offer HIPAA-compliant tiers, but only on their premium plans. You must be on the specific HIPAA plan to get a signed BAA and compliant storage. Their standard plans are not HIPAA compliant. Additionally, neither platform is purpose-built for healthcare, so you will not get features like validated clinical screening tools or patient record mapping.

Ready for a HIPAA-compliant form builder?

Start your free trial today. No credit card required. BAA included on every plan.