Best HIPAA Compliant Form Builders for Medical Practices (2026)
TLDR
The best HIPAA compliant form builder depends on your use case: Jotform Health for feature-rich patient intake forms at $39/month; FormAssembly for enterprise healthcare data collection; Google Forms only via Google Workspace with a signed BAA and with all tracking disabled. Standard free form tools (Typeform free, SurveyMonkey free, WuFoo) are not HIPAA compliant and should not be used for any forms that collect health information.
Jotform Health
Healthcare-specific form builder with HIPAA compliance, e-signatures, and patient intake templates. Dedicated HIPAA tier separate from standard Jotform.
PROS & CONS
Pros
- HIPAA compliant tier with BAA
- Healthcare-specific form templates
- E-signature support
- Integrates with healthcare platforms
Cons
- HIPAA tier ($39/month) is separate from standard Jotform plans — you cannot simply use a standard Jotform account
- Per-form-submission fees on higher-volume plans
- No task management features
Pricing: $39/month for HIPAA-compliant tier (100 forms, 1,000 submissions/month)
Verdict: Best for practices that need feature-rich patient intake forms with healthcare-specific templates and e-signature capability.
FormAssembly
Enterprise-grade data collection platform with HIPAA compliance for healthcare organizations.
PROS & CONS
Pros
- HIPAA compliant with BAA
- Salesforce Health Cloud integration
- Advanced workflow automation
- Strong data governance
Cons
- Enterprise pricing ($300+/month) — significantly over-built for small practices
- Learning curve for non-technical users
- No task management
Pricing: $300+/month (enterprise plans)
Verdict: Best for health systems and large organizations that need enterprise data governance. Not cost-effective for small practices.
Google Forms (via Google Workspace)
Google Forms can be HIPAA compliant when accessed through a Google Workspace account with a signed BAA — but requires careful configuration.
PROS & CONS
Pros
- Included in Google Workspace ($6-18/user/month)
- Familiar interface
- BAA available through Workspace
Cons
- Default Google Forms on free accounts is NOT HIPAA compliant
- Must have Workspace BAA signed before using for PHI
- Google Analytics and ad tracking must be disabled on the page
- No healthcare-specific form templates
- Responses stored in Google Sheets — must ensure Sheets access is restricted
Pricing: Included in Google Workspace ($6-18/user/month)
Verdict: Acceptable for practices already on Google Workspace with a signed BAA and careful configuration. Not recommended for practices without existing Workspace infrastructure.
Typeform
Popular consumer form tool. Offers a HIPAA-compliant option only on Enterprise plans.
PROS & CONS
Pros
- Polished form UX
- Strong conditional logic
- Wide integration options
Cons
- HIPAA compliance only on Enterprise (custom pricing, typically $2,000+/year)
- Free and Business plans are not HIPAA compliant and cannot be used for PHI
- No healthcare-specific templates on lower tiers
Pricing: Enterprise only for HIPAA (custom pricing)
Verdict: Not practical for small practices — HIPAA compliance requires custom enterprise pricing.
PHIGuard
PHIGuard is not a standalone form builder, but includes HIPAA-compliant internal intake forms for task creation and patient coordination workflows — covering the administrative layer that form builders don't address.
PROS & CONS
Pros
- HIPAA compliant at every tier
- BAA included at $20/month
- Task management integrated with intake workflows
- No per-submission fees
Cons
- Not a patient-facing form builder — for internal staff intake and task coordination only
- Doesn't replace a patient-facing intake form tool like Jotform Health
Pricing: $20-$99/month flat
Verdict: For internal administrative workflows and task intake — not external patient-facing forms. Pair with Jotform Health or Google Workspace Forms for patient-facing collection.
How we evaluated these tools
We assessed each tool on three questions that matter for small practices: Does the vendor offer a signed BAA? What does a practice actually pay for the HIPAA-compliant tier (not the base plan)? And what are the practical limitations that don’t appear in the feature comparison grid?
Most form builder pricing pages bury the HIPAA tier behind a “contact sales” button or list it as an Enterprise feature without publishing a price. We’ve included the real numbers where we could find them.
We are building PHIGuard, so we have an obvious stake in this comparison. PHIGuard covers internal administrative workflows, not patient-facing forms — different use case. We’ve tried to be direct about where our product fits and where it doesn’t.
What makes a form builder HIPAA compliant
Three requirements apply to any form tool used to collect patient health information.
The vendor must provide a signed Business Associate Agreement. This is a contract that makes the vendor legally accountable for protecting PHI under HIPAA. Without a BAA, using the tool for patient forms is a violation regardless of the vendor’s security practices or certifications. “They have SOC 2” is not a substitute for a BAA.
The form submission must travel encrypted in transit (TLS) and be stored encrypted at rest. Most modern SaaS tools meet this for standard data. HIPAA-specific tiers typically add additional controls around data isolation, access logging, and storage location.
PHI must not be transmitted to unauthorized third parties. This means no standard analytics tracking scripts on the form page. If a Google Analytics tag fires when a patient submits their intake form, that is a HIPAA violation regardless of whether the form service itself is compliant.
The Google Forms nuance
Google Forms is the most misunderstood option in this category. Practice managers often use it because it’s free and already in their Google Workspace account. Whether it’s compliant depends entirely on what that account is.
A Google Workspace Business account with a signed BAA from Google can use Google Forms for PHI. Google’s BAA covers Forms, Sheets, Drive, and other Workspace products when accessed through a Workspace account. The BAA is available and Google will sign it.
Standard Google Forms on a free personal account does not have a BAA and is not HIPAA compliant.
The configuration requirements matter too. Responses from a Workspace form go to a Google Sheet. That Sheet must be shared only with authorized staff members. No “anyone with the link can view” settings. If your practice’s Google Workspace account has Google Ads or Google Analytics connected, those tags must be disabled on any page hosting the form, or they will capture PHI on submission and transmit it without a BAA.
For practices already on Google Workspace with staff who manage these settings carefully, it works. For practices that just want a form tool that’s compliant out of the box without ongoing configuration management, Jotform Health at $39/month is more reliable.
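As an added example (not code from any vendor named on this page), the following Python script audits a form page's HTML for the two problems described above: third-party analytics or ad tags that would receive PHI when the patient submits, and a form action that does not post over TLS. The tracker host list, the inline markers and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts treated as analytics/ad tags (assumed list; extend it for your own stack).
TRACKER_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "connect.facebook.net"}
# Inline JavaScript markers that indicate a hand-bootstrapped analytics tag.
INLINE_MARKERS = ("gtag(", "dataLayer", "fbq(")
# Constructed sample page: an intake form with a GA tag and a plain-http action.
SAMPLE_PAGE = ('<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>'
               '<script>window.dataLayer = []; function gtag(){dataLayer.push(arguments);}</script>'
               '<form action="http://forms.example.test/intake" method="post"><input name="dob"></form>')

class FormPageAuditor(HTMLParser):
    """Records tracker script hosts, inline tag calls and non-TLS form actions."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            host = urlparse(a.get("src") or "").hostname or ""
            if host in TRACKER_HOSTS:
                self.findings.append(f"tracking script loaded from {host}")
        elif tag == "form":
            action = a.get("action") or ""
            scheme = urlparse(action).scheme
            # Relative actions inherit the page scheme, so only absolute URLs are checked.
            if scheme and scheme != "https":
                self.findings.append(f"form posts without TLS: {action}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here; flag the first analytics marker found in each one.
        if self._in_script:
            for marker in INLINE_MARKERS:
                if marker in data:
                    self.findings.append(f"inline tag call: {marker}")
                    break

def audit_form_page(html):
    """Return the list of findings; an empty list means nothing was detected."""
    auditor = FormPageAuditor()
    auditor.feed(html)
    return auditor.findings
```

Run it against the HTML the browser actually renders (for example a saved copy after page load), because a tag manager injected by a CMS plugin at runtime will not appear in the static template. A clean result from this check does not cover tags loaded by the form vendor's embed itself, which has to be confirmed with the vendor's BAA documentation.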
What to watch for in patient intake tools
Jotform Health is the most purpose-built option at a small-practice price point. The HIPAA tier is separate from standard Jotform — you cannot use a standard Jotform account for PHI. When you sign up for the Healthcare plan at $39/month, Jotform executes a BAA and your forms route to HIPAA-compliant storage.
The submission volume limits matter at scale. The base Healthcare plan allows 1,000 submissions per month. High-volume practices with many new patient intakes monthly should confirm whether their volume fits the plan before committing.
FormAssembly is a different category. It’s enterprise software for healthcare data collection workflows, with Salesforce Health Cloud integration and granular data governance. For a 5-person practice, the $300+/month price is difficult to justify against Jotform Health at $39/month with comparable BAA coverage for standard intake forms.
Forms that are not HIPAA compliant
Free Typeform, SurveyMonkey free, WuFoo, standard Jotform (non-healthcare tier), and Microsoft Forms on standard Microsoft 365 plans do not offer BAAs. These tools are not usable for any form that collects patient names combined with health information, regardless of configuration.
Typeform’s HIPAA option exists only at Enterprise tier, which typically runs $2,000+/year. For a small practice, this makes no economic sense.
Contact forms built with generic WordPress plugins (Contact Form 7, WPForms free tier, Gravity Forms without additional configuration) route submissions to email inboxes by default. Even if the email system has a BAA, the form submission is often stored in the WordPress database, which must also be secured and covered by the BAA chain. WordPress-based practices should audit their full submission path before assuming an email BAA covers the whole flow.
The internal workflow layer
Patient-facing form compliance is only part of the picture. Once a patient submits an intake form, your staff processes that information: assigning follow-up tasks, coordinating between front desk and clinical staff, documenting contact attempts, and managing referrals.
Most practices handle this in whatever tools are at hand — Slack messages with the patient’s name and appointment type, Asana tasks with reason-for-visit in the description, sticky notes and shared spreadsheets. None of these are HIPAA compliant without BAAs, and most standard-tier versions of these tools don’t offer them.
PHIGuard covers this internal administrative layer. It’s not a replacement for Jotform Health or Google Workspace Forms for collecting patient information externally. It handles what happens after that submission lands: the staff coordination workflows, task assignments, and follow-up tracking that involve PHI but live in tools that most practices never audit for compliance.
At $20/month flat for up to 10 staff, it’s built for the small clinic that needs compliant internal task management without enterprise pricing. The two tools — Jotform Health for external collection, PHIGuard for internal coordination — cover both layers of the workflow.
| Tool | HIPAA Tier | Price | BAA | Best For |
|---|---|---|---|---|
| Jotform Health | Dedicated HIPAA tier | $39/mo | Yes | Patient intake forms |
| FormAssembly | All plans (enterprise) | $300+/mo | Yes | Enterprise data collection |
| Google Forms / Workspace | Workspace only | $6-18/user/mo | Yes (Workspace) | Practices with Workspace |
| Typeform | Enterprise only | Custom | Enterprise only | Large organizations |
| Free form tools | None | Free | No | Non-PHI use only |
Q&A
What HIPAA compliant form builder is best for small practices?
Jotform Health at $39/month is the most cost-effective option for practices that need patient-facing intake forms with healthcare-specific templates. Google Workspace Forms works for practices already paying for Workspace — the BAA is included with the Workspace agreement. Standard form tools (free Typeform, WuFoo, SurveyMonkey) are not HIPAA compliant at any price and cannot be made compliant without the vendor providing a BAA, which these tools do not offer on standard plans.
What happens if I use a non-HIPAA form builder for patient intake?
Using a form builder without a signed BAA to collect PHI is a HIPAA violation. If the submission platform stores or processes patient data without HIPAA protections, that data lacks the required safeguards and may constitute a reportable breach. OCR enforcement actions have included fines for covered entities using non-compliant third-party tools to collect patient information.