Best HIPAA-Compliant Intake Form Software

A comparison of intake form platforms clinics evaluate for patient forms under a BAA: JotForm HIPAA, Formstack Healthcare, HIPAAtizer, plus why Typeform and Google Forms do not qualify.

Decision summary

Patient intake forms collect PHI at the first interaction, so the form vendor is a business associate from the first submission. The vendor needs a signed BAA, encryption at rest on stored submissions, and ideally a handoff into the EHR so the form platform does not become a second PHI silo. Two mainstream form builders that clinics try to reuse, Typeform and Google Forms, must not be assumed to qualify.

Intake is the first PHI moment, not a minor form

The patient intake form usually collects name, date of birth, insurance information, reason for visit, and often symptoms or clinical history. That is PHI from the first keystroke. A form vendor that creates, receives, maintains, or transmits it on the clinic's behalf is a business associate and needs a signed BAA before the first submission lands. The mainstream form builders popular with marketing teams, covered below, do not qualify on the plans clinics typically reuse.

The three BAA-covered platforms to shortlist

JotForm HIPAA. JotForm’s HIPAA-friendly plans include a BAA and configuration settings that route data only through their HIPAA-qualifying infrastructure. Broad template library. Works for clinics that want flexible forms without a custom build.

Formstack Healthcare. Healthcare-oriented form builder with a BAA on qualifying plans. Stronger workflow and integration features than the consumer end of the market. Used by clinics that want forms plus routing plus approvals under one vendor.

HIPAAtizer. Smaller vendor, purpose-built for HIPAA intake forms. Leans toward independent and small-group practices. BAA is part of the product by default.

The two platforms clinics try to reuse and should not

Typeform. Popular with marketing teams. Typeform's own help center says the consumer product should not be used for PHI, and no BAA is offered on its standard self-serve plans. Unless you hold a signed BAA from Typeform that names the plan you are on, treat it as uncovered and do not use it for patient intake.

Google Forms. Clinics on Google Workspace with a signed BAA often assume every Google product they can open is covered. It is not: the Workspace BAA covers only the services Google names in its HIPAA included functionality list, only on the paid editions that offer it, and only after an admin has accepted it and configured the required controls. Google Forms on a free or consumer Google account has no BAA path at all. Before an intake form goes live, confirm that Forms and the Sheets or Drive destination it writes to appear on Google's current list for your edition, and that response notifications and third-party add-ons do not carry submissions outside covered services. If you cannot confirm all of that, do not use it for PHI.

The comparison that actually matters

Vendor              | BAA                                                                      | Encryption at rest | EHR handoff           | Pricing model
JotForm HIPAA       | Included on HIPAA plans                                                  | Yes                | Via integrations/API  | Per-user or per-form
Formstack Healthcare| Included on qualifying plans                                             | Yes                | Native and API        | Per-user
HIPAAtizer          | Included on paid plans                                                   | Yes                | API                   | Per-form or per-seat
Typeform (consumer) | Not available on standard plans                                          | N/A for PHI        | N/A                   | Do not use for PHI
Google Forms        | None on consumer accounts; Workspace BAA only if Forms is on Google's covered list for your edition | N/A until confirmed | N/A | Do not use for PHI without that confirmation

Specific prices and plan names change; verify with the vendor and get the BAA in writing for the exact plan you are buying before purchase.

What to check before you sign

  • The BAA is on the plan you are buying, not only the enterprise tier, and it names the product you will actually use.
  • Encryption at rest covers stored submissions and uploaded attachments, not only TLS on the transport layer.
  • Form data has a documented retention policy and a deletion path you can trigger and verify.
  • Integration to your EHR or intake system does not route PHI through an uncovered intermediary: a generic automation platform without a BAA, an email notification to a personal inbox, or a spreadsheet export all count.
  • Your marketing site forms (lead magnets, contact forms) live on a separate platform from your patient intake forms, so that PHI and non-PHI flows are never blurred and a marketing tool never quietly receives PHI.

What intake forms do not cover

The form vendor captures data. The rest of the compliance program remains your responsibility: policy library, workforce training, incident log, BAA register, and access reviews. For the operating layer see PHIGuard pricing or the full HIPAA software comparison. For the BAA rules behind all of this, see HIPAA basics. Clinics also shopping for patient messaging should read our best HIPAA-compliant secure messaging roundup.

Intake is the moment where a patient’s trust gets tested. Do not run it through a tool that cannot sign a BAA.

FAQ

Questions clinics ask when narrowing a shortlist

Can we use Google Forms for patient intake?

Not on a consumer Google account, and not automatically on Workspace. A Workspace BAA covers only the services on Google's HIPAA included functionality list for your edition, and only once the admin has accepted it. Confirm that Forms and its response destination are on that list before you route PHI through it; if you cannot confirm it, do not.

Is Typeform HIPAA-compliant?

Typeform does not offer a BAA on its standard plans, and the vendor states directly that the consumer product should not be used for PHI. Unless you hold a signed BAA from Typeform for the specific plan you use, treat it as not covered.

Do we need an EHR integration for intake forms?

Not strictly. But without a handoff, form data lives in the form vendor and must be manually rekeyed into the EHR. That creates a second PHI silo to audit, retain, and eventually delete, and it duplicates work.
