HIPAA-Compliant Forms and Intake Software
Forms and intake tools are high-risk because they intentionally collect sensitive information. Before using any form builder for PHI, verify BAA coverage, storage location, email notifications, file uploads, integrations, access controls, and deletion workflows.
Quick answer
Compare forms, surveys, app builders, and intake tools for PHI collection risk, BAA availability, and safer alternatives.
Last updated: 2026-04-30
How to choose forms and intake tools
Best for
- Patient intake or request forms where the form product, storage, notifications, and exports are covered by a BAA.
- Low-PHI contact forms that avoid collecting diagnosis, treatment, insurance, or patient identifier details.
- Structured intake workflows with clear ownership, retention, deletion, and access-control rules.
BAA requirements
- Confirm whether forms, file uploads, signatures, payments, email notifications, APIs, and integrations are covered.
- Verify whether submitted data is stored in a HIPAA-eligible environment and who can access support logs.
- Review whether third-party add-ons or automation tools break the covered workflow.
PHI risk areas
- Free-text answers, file uploads, signatures, hidden fields, URL parameters, payment notes, and confirmation emails.
- Notification emails, webhooks, spreadsheet exports, CRM syncs, analytics scripts, and embedded forms.
- Admin comments, support tickets, form revision history, and downloaded CSV files.
Recommended review order
- Start with vendors that show clearer BAA signals.
- Treat vendors without clear BAA signals as higher-risk until verified.
Vendor comparison table
| Vendor | HIPAA signal | BAA signal | SOC 2 signal | Best for |
|---|---|---|---|---|
| Jotform | Conditional | Available with HIPAA features | Public evidence | BAA-scoped workflow review |
| Wix | Conditional | Available after PHI protection | Verify with vendor | BAA-scoped workflow review |
| Airtable | Conditional | Enterprise Scale only | Public evidence | Vendor-specific workflow review |
| Google Workspace | Conditional | Google Workspace BAA | Public evidence | BAA-scoped workflow review |
| Zapier | Not supported for PHI | Unable to confirm | Public evidence | Avoid PHI; compare alternatives |
Avoid if
- The form sends PHI in notification emails or webhooks.
- File uploads, signatures, or payments are processed by unsupported add-ons.
- The vendor cannot define which services are covered by a BAA.
Methodology
- Review collection, storage, notification, export, and integration paths.
- Treat surveys, waitlists, and contact forms as PHI-capable until proven otherwise.
- Prefer tools with explicit healthcare workflows and clear BAA scope.
Verification checklist
- Does the vendor sign a BAA for the exact form, survey, upload, signature, and storage workflow?
- Can notifications be configured so PHI is not sent through ordinary email or unsupported webhooks?
- Are access controls, audit logs, deletion, exports, and retention policies enforceable?
- Are embedded scripts, analytics tools, and connected apps excluded from PHI collection?
Related guides
What Is a Business Associate Agreement (BAA)?
A Business Associate Agreement is a HIPAA contract between a covered entity and a vendor that may create, receive, maintain, or transmit PHI. A BAA do...
Can You Store PHI in SaaS Tools?
You should only store PHI in a SaaS tool after verifying that the vendor, product, plan, agreement, configuration, and connected systems support that ...
How to Evaluate a HIPAA-Compliant App Builder
A no-code app builder may support HIPAA-regulated workflows only if the vendor covers the exact product, database, file storage, automations, integrat...
SOC 2 vs HIPAA for SaaS Vendor Review
SOC 2 and HIPAA answer different questions. SOC 2 is independent security-control evidence for a service organization, while HIPAA governs protected h...
FAQ
What is the biggest HIPAA risk with online forms?
The biggest risk is not only the form database. PHI can leak through notification emails, webhooks, file uploads, hidden fields, analytics scripts, exports, and connected tools that are outside the BAA scope.
What should HIPAA-compliant survey tools support?
Survey tools used with PHI should support a BAA, covered storage, controlled notifications, access controls, audit logging, export governance, deletion workflows, and clear limits on third-party integrations or analytics scripts.
How should buyers compare HIPAA-compliant telehealth platforms?
Start with BAA scope, video and messaging coverage, intake forms, file uploads, scheduling, payments, consent capture, notifications, audit logs, retention, and integrations. Do not choose a telehealth platform from a feature list alone; map where PHI enters and leaves the workflow.
Are HIPAA-compliant survey tools enough for patient intake?
Not by themselves. A survey tool may cover form submission storage, but patient intake also involves identity, consent, file uploads, routing, notifications, exports, EHR or CRM syncs, retention, deletion, and staff access.
Can patient intake forms send email notifications?
Only if the notification workflow is covered and configured so PHI is not exposed through ordinary email, previews, attachments, autoresponders, or downstream systems outside the BAA scope.
Can a general form builder collect PHI?
A general form builder should collect PHI only if the vendor confirms BAA coverage for the exact form product, storage, upload, notification, export, and integration path used by the organization.
What should buyers verify for forms and intake tools?
Verify BAA availability, covered services, product plan, data flows, admin controls, integrations, support access, retention, audit logs, and whether PHI appears in fields, messages, files, or notifications.
Does SOC 2 prove HIPAA readiness?
No. SOC 2 can provide useful security evidence, but HIPAA-regulated workflows also require BAA scope, PHI handling review, configuration, policies, and qualified legal or compliance guidance.