HIPAA-Compliant Forms and Intake Software

Forms and intake tools are high-risk because they intentionally collect sensitive information. Before using any form builder for PHI, verify BAA coverage, storage location, email notifications, file uploads, integrations, access controls, and deletion workflows.

Quick answer

Compare forms, surveys, app builders, and intake tools for PHI collection risk, BAA availability, and safer alternatives.

Last updated: 2026-04-30

How to choose forms and intake tools

Best for

  • Patient intake or request forms where the form product, storage, notifications, and exports are covered by a BAA.
  • Low-PHI contact forms that avoid collecting diagnosis, treatment, insurance, or patient identifier details.
  • Structured intake workflows with clear ownership, retention, deletion, and access-control rules.

BAA requirements

  • Confirm whether forms, file uploads, signatures, payments, email notifications, APIs, and integrations are covered.
  • Verify whether submitted data is stored in a HIPAA-eligible environment and who can access support logs.
  • Review whether third-party add-ons or automation tools break the covered workflow.

PHI risk areas

  • Free-text answers, file uploads, signatures, hidden fields, URL parameters, payment notes, and confirmation emails.
  • Notification emails, webhooks, spreadsheet exports, CRM syncs, analytics scripts, and embedded forms.
  • Admin comments, support tickets, form revision history, and downloaded CSV files.

Recommended review order

Vendor comparison table

Vendor           | HIPAA signal          | BAA signal                     | SOC 2 signal       | Best for
Jotform          | Conditional           | Available with HIPAA features  | Public evidence    | BAA-scoped workflow review
Wix              | Conditional           | Available after PHI protection | Verify with vendor | BAA-scoped workflow review
Airtable         | Conditional           | Enterprise Scale only          | Public evidence    | Vendor-specific workflow review
Google Workspace | Conditional           | Google Workspace BAA           | Public evidence    | BAA-scoped workflow review
Zapier           | Not supported for PHI | Unable to confirm              | Public evidence    | Avoid PHI; compare alternatives

Avoid if

  • The form sends PHI in notification emails or webhooks.
  • File uploads, signatures, or payments are processed by unsupported add-ons.
  • The vendor cannot define which services are covered by a BAA.

Methodology

  • Review collection, storage, notification, export, and integration paths.
  • Treat surveys, waitlists, and contact forms as PHI-capable until proven otherwise.
  • Prefer tools with explicit healthcare workflows and clear BAA scope.

Verification checklist

  • Does the vendor sign a BAA for the exact form, survey, upload, signature, and storage workflow?
  • Can notifications be configured so PHI is not sent through ordinary email or unsupported webhooks?
  • Are access controls, audit logs, deletion, exports, and retention policies enforceable?
  • Are embedded scripts, analytics tools, and connected apps excluded from PHI collection?

FAQ

What is the biggest HIPAA risk with online forms?

The biggest risk is not limited to the form database itself. PHI can leak through notification emails, webhooks, file uploads, hidden fields, analytics scripts, exports, and connected tools that sit outside the BAA scope.

Can a general form builder collect PHI?

A general form builder should collect PHI only if the vendor confirms BAA coverage for the exact form product, storage, upload, notification, export, and integration path used by the organization.

What should buyers verify for forms and intake tools?

Verify BAA availability, covered services, product plan, data flows, admin controls, integrations, support access, retention, audit logs, and whether PHI appears in fields, messages, files, or notifications.

Does SOC 2 prove HIPAA readiness?

No. SOC 2 can provide useful security evidence, but HIPAA-regulated workflows also require BAA scope, PHI handling review, configuration, policies, and qualified legal or compliance guidance.