HIPAA Compliance Guide
Which form builders are actually HIPAA compliant?
If your practice collects patient health information online, you need a vendor with a signed BAA, encryption, and audit trails. Here is how the most popular platforms compare.
What HIPAA requires
Before a cloud form tool can handle protected health information (PHI), it must meet these requirements.
- Signed BAA: A Business Associate Agreement between your practice and the vendor is legally required before PHI can be processed.
- Encryption: Data must be encrypted in transit (TLS) and at rest (AES-256) to prevent unauthorized access.
- Audit trails: The system must log who accessed, created, or modified PHI, with timestamps and user identification.
- Access controls: Role-based access so that only authorized personnel can view patient data, with automatic session timeouts.
At a glance
| Platform | BAA | Audit trail | Healthcare features | Verdict |
|---|---|---|---|---|
| Google Forms | Yes (Workspace only) | No | No | Conditional |
| Typeform | No | No | No | Not Compliant |
| Tally | No | No | No | Not Compliant |
| Microsoft Forms | Yes (M365 Business/Enterprise) | Partial | No | Conditional |
| JotForm | Yes (HIPAA plan only) | Yes (HIPAA plan) | No | Conditional |
| Formstack | Yes (HIPAA tier) | Yes (HIPAA tier) | No | Conditional |
| Formisoft | Yes (every plan) | Yes (every plan) | Yes | HIPAA Ready |
Platform breakdown
Seven popular form builders reviewed for BAA, encryption, audit trails, and healthcare fit.
Google Forms
Verdict: Conditional. Only with Google Workspace + BAA.
- Free consumer Google Forms: not HIPAA compliant.
- Google Workspace (paid) can be configured for HIPAA. Google will sign a BAA covering Workspace services, including Forms.
- However, you must disable data sharing, manage access controls, and ensure no PHI leaks into connected Sheets or Drive folders shared outside your org.
- No built-in audit trail for form submissions. No encryption at the form level beyond standard Google infrastructure.
BAA: Yes (Workspace only)
Encryption: TLS in transit, Google-managed at rest
Audit trail: No
Healthcare: No

Typeform
Verdict: Not Compliant. No BAA available.
- Typeform does not sign a Business Associate Agreement (BAA), which is a legal requirement under HIPAA before any vendor can handle PHI.
- Without a BAA, using Typeform to collect patient health information violates HIPAA, regardless of what security features the platform offers.
- Typeform's own documentation does not claim HIPAA compliance.
BAA: No
Encryption: TLS in transit, AES-256 at rest
Audit trail: No
Healthcare: No

Tally
Verdict: Not Compliant. No BAA, EU-based data processing.
- Tally does not offer a BAA and is not designed for HIPAA-regulated use cases.
- Tally is based in the EU and processes data under GDPR, but does not provide the US-specific safeguards that HIPAA requires.
- Using Tally to collect patient health information would violate HIPAA.
BAA: No
Encryption: TLS in transit
Audit trail: No
Healthcare: No

Microsoft Forms
Verdict: Conditional. Only with Microsoft 365 + BAA.
- Consumer Microsoft Forms (free) is not HIPAA compliant.
- Microsoft 365 Business and Enterprise plans include a BAA that covers Microsoft Forms, along with other Microsoft 365 services.
- As with Google Workspace, you need to configure DLP policies, disable external sharing, and manage access controls. The tool itself does not enforce healthcare-specific workflows.
- No healthcare-specific form templates, screening tools, or patient intake workflows.
BAA: Yes (M365 Business/Enterprise)
Encryption: TLS in transit, BitLocker at rest
Audit trail: Partial (via M365 compliance center)
Healthcare: No

JotForm
Verdict: Conditional. HIPAA plan available at higher cost.
- JotForm offers a dedicated HIPAA-compliant plan that includes a signed BAA, encrypted form submissions, and HIPAA-compliant storage.
- The HIPAA plan starts at a higher price point than their standard plans. Only forms on the HIPAA plan are compliant, not regular JotForm forms.
- JotForm is a general-purpose form builder. It lacks healthcare-specific features like validated screening tools (PHQ-9, GAD-7), patient record mapping, or appointment scheduling.
BAA: Yes (HIPAA plan only)
Encryption: TLS in transit, AES-256 at rest (HIPAA plan)
Audit trail: Yes (HIPAA plan)
Healthcare: No

Formstack
Verdict: Conditional. HIPAA plan available at premium pricing.
- Formstack offers HIPAA-compliant plans with a signed BAA, encrypted submissions, and access controls.
- HIPAA compliance requires their higher-tier plans, which are significantly more expensive than their standard offerings.
- Formstack is a general-purpose form and document automation platform. Healthcare-specific features like screening tools and patient intake workflows are not included.
BAA: Yes (HIPAA tier)
Encryption: TLS in transit, AES-256 at rest
Audit trail: Yes (HIPAA tier)
Healthcare: No

Formisoft
Verdict: HIPAA Ready. Built for healthcare, HIPAA-ready on every plan.
- Formisoft is purpose-built for healthcare practices. Every plan includes a signed BAA, AES-256 encryption, complete audit trails, and role-based access control.
- No separate HIPAA tier or add-on. Every account is HIPAA-ready from day one.
- Includes healthcare-specific features: validated screening tools (PHQ-9, GAD-7, PCL-5), patient record mapping, appointment scheduling, insurance verification, automated reminders, and 200+ medical form templates.
- All data hosted and processed exclusively in the United States.
BAA: Yes (every plan)
Encryption: TLS 1.3 in transit, AES-256 at rest
Audit trail: Yes (every plan)
Healthcare: Yes

Why practices choose Formisoft
Healthcare-first intake, not a consumer form tool with a HIPAA upsell.
- Signed BAA included on every plan
- 200+ medical form templates
- Validated screening tools (PHQ-9, GAD-7, PCL-5)
- Patient record mapping and auto-population
- Appointment scheduling and reminders
- Insurance verification forms
- AES-256 encryption and complete audit trails
- All data hosted in the United States
Frequently asked questions
Q: Is Google Forms HIPAA compliant?
A: Only if you have a paid Google Workspace account with a signed BAA. Free Google Forms accounts cannot be used to collect PHI. Even with Workspace, Google Forms lacks healthcare-specific features like screening tools, patient record mapping, and appointment scheduling.

Q: Is Typeform HIPAA compliant?
A: No. Typeform does not offer a Business Associate Agreement (BAA), which is a legal requirement for any vendor handling protected health information under HIPAA. Using Typeform to collect patient data would be a HIPAA violation.

Q: What makes a form builder HIPAA compliant?
A: HIPAA compliance for form builders requires: a signed Business Associate Agreement (BAA) with the vendor, encryption of data in transit and at rest, access controls and authentication, audit trails logging who accessed what data and when, and a breach notification process. The vendor must also store data in compliant infrastructure and follow HIPAA's administrative, physical, and technical safeguard requirements.

Q: Can I use a free form builder to collect PHI?
A: Generally, no. Free tiers of popular form builders (Google Forms, Microsoft Forms, Tally, Typeform) do not include the BAA, encryption, and audit trail features required for HIPAA compliance. Some platforms offer HIPAA compliance as a paid add-on or premium tier.

Q: Does Formisoft include a BAA?
A: Yes. Every Formisoft plan includes a signed Business Associate Agreement at no extra cost. There is no separate HIPAA tier or add-on. All accounts are HIPAA-ready from day one with encryption, audit trails, role-based access, and US-only data residency.

Q: Are JotForm and Formstack HIPAA compliant?
A: Both JotForm and Formstack offer HIPAA-compliant tiers, but only on their premium plans. You must be on the specific HIPAA plan to get a signed BAA and compliant storage. Their standard plans are not HIPAA compliant. Additionally, neither platform is purpose-built for healthcare, so you will not get features like validated clinical screening tools or patient record mapping.
Ready for a HIPAA-compliant form builder?
Start your trial today. BAA included on every plan. No separate HIPAA tier.