Vendor compliance profile
Is Jotform HIPAA compliant?
Jotform may support HIPAA-regulated forms only when HIPAA features are enabled, the account is on an eligible plan, and a Business Associate Agreement is in place. Review every form, notification, payment, signature, file upload, and integration before collecting PHI.
- HIPAA status signal: Conditional
- BAA public signal: Available with HIPAA features
- SOC 2 evidence signal: Public evidence
PHI warning: Intake questions, file uploads, e-signatures, appointment fields, payment descriptions, email notifications, and integrations can all collect or transmit PHI.
HIPAA, BAA, and SOC 2 summary
| Item | Details |
|---|---|
| HIPAA | Jotform publishes HIPAA-focused form materials and states that covered entity customers who enable HIPAA compliance features can receive a signed BAA. This does not make every Jotform form, plan, add-on, or integration suitable for PHI. |
| BAA | Jotform states that a BAA is available for covered entity customers that have enabled HIPAA compliance features. Verify the exact plan, account settings, and covered workflows before collecting PHI. |
| SOC 2 | Jotform's security materials reference SOC 2 compliance. Enterprise buyers should request the current SOC 2 report and confirm product scope. |
| Category | HIPAA-Compliant Forms and Intake Software |
What it may be used for
- General business workflows that do not include PHI.
- Healthcare-adjacent operations after BAA scope and configuration have been verified.
- Vendor risk review, procurement research, and compliance planning.
What not to use it for
- Collecting PHI through a standard form before HIPAA features and BAA coverage are confirmed.
- Sending PHI in notification emails, autoresponders, webhooks, PDFs, or third-party integrations without covered-service review.
- Assuming payment, calendar, storage, or signature integrations inherit Jotform's HIPAA controls.
What to verify with the vendor
- Whether the vendor will sign a BAA for your exact product, plan, and use case.
- Which services, add-ons, regions, and support channels are covered by the agreement.
- Whether your intended workflow stores, transmits, or processes PHI.
- Which admin, access control, retention, audit log, and encryption settings must be enabled.
FAQ
Is Jotform HIPAA compliant?
Jotform may support HIPAA-regulated forms only when HIPAA features are enabled, the account is on an eligible plan, and a Business Associate Agreement is in place. Review every form, notification, payment, signature, file upload, and integration before collecting PHI.
Will Jotform sign a BAA?
Jotform states that a BAA is available for covered entity customers that have enabled HIPAA compliance features. Verify the exact plan, account settings, and covered workflows before collecting PHI.
Can Jotform be used with PHI?
Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.
Last checked and source notes
- Last checked: 2026-04-30
- Confidence: High
- Dataset rows: 267 vendors
- ComplySaaS public vendor dataset entry.
- Vendor trust center, legal terms, BAA documentation, and covered services should be re-checked before use.
- Jotform HIPAA forms
- Jotform security