Vendor compliance profile

Is Jotform HIPAA compliant?

Jotform may support HIPAA-regulated forms only when HIPAA features are enabled, the account is on an eligible plan, and a Business Associate Agreement is in place. Review every form, notification, payment, signature, file upload, and integration before collecting PHI.


HIPAA status signal

Conditional

BAA public signal

Available with HIPAA features

SOC 2 evidence signal

Public evidence

PHI warning: Intake questions, file uploads, e-signatures, appointment fields, payment descriptions, email notifications, and integrations can all collect or transmit PHI.

Search query answers

Is Jotform HIPAA compliant?

Jotform may support HIPAA-regulated forms only when HIPAA features are enabled, an eligible account is used, a BAA is in place, and every notification, upload, payment, signature, and integration path is reviewed for PHI.

Does Jotform offer a BAA?

Jotform's public HIPAA materials state that covered entity customers who enable HIPAA compliance features can receive a signed BAA. Buyers should verify the current plan, account settings, form features, and integrations before collecting PHI.

Can Jotform forms collect PHI?

Potentially, but only inside a verified HIPAA-enabled setup with BAA coverage and careful configuration. Form questions, file uploads, notifications, PDFs, payment fields, e-signatures, and integrations can expose PHI if they are outside covered scope.

HIPAA, BAA, and SOC 2 summary

HIPAA: Jotform publishes HIPAA-focused form materials and states that covered entity customers who enable HIPAA compliance features can receive a signed BAA. This does not make every Jotform form, plan, add-on, or integration suitable for PHI.
BAA: Jotform states that a BAA is available for covered entity customers that have enabled HIPAA compliance features. Verify the exact plan, account settings, and covered workflows before collecting PHI.
SOC 2: Jotform's security materials reference SOC 2 compliance. Enterprise buyers should request the current SOC 2 report and confirm product scope.
PHI risk: Intake questions, file uploads, e-signatures, appointment fields, payment descriptions, email notifications, and integrations can all collect or transmit PHI.
Category: HIPAA-Compliant Forms and Intake Software
Last checked: 2026-06-15
Confidence: High

Public evidence and open questions

What public sources say

  • Jotform publishes HIPAA-enabled form materials for covered entity customers.
  • Jotform states that HIPAA compliance features and a signed BAA are part of its HIPAA workflow.
  • Jotform security materials reference SOC 2 compliance; buyers should confirm that the report's scope covers the exact service they intend to use.

What remains unconfirmed

  • Whether the buyer's exact plan, form features, upload storage, e-signature, payments, notifications, and integrations are covered.
  • Whether PHI appears in email notifications, PDFs, webhooks, third-party storage, payment descriptions, or support records.

What it may be used for

  • HIPAA-enabled intake forms after BAA coverage, account settings, notifications, storage, and integrations are verified.
  • PHI-minimized screening forms that avoid unnecessary clinical detail and route data only to covered systems.
  • Vendor comparison for healthcare forms, intake, consent, upload, and signature workflows.

What not to use it for

  • Collecting PHI through a standard form before HIPAA features and BAA coverage are confirmed.
  • Sending PHI in notification emails, autoresponders, webhooks, PDFs, or third-party integrations without covered-service review.
  • Assuming payment, calendar, storage, or signature integrations inherit Jotform's HIPAA controls.

What to verify with the vendor

  • Whether HIPAA compliance features are enabled and a current BAA is signed for the exact Jotform account.
  • Whether form fields, uploads, signatures, payments, emails, autoresponders, PDFs, webhooks, and storage destinations are covered.
  • Whether third-party integrations, calendar sync, CRM sync, payment processors, and cloud storage have separate BAA coverage where needed.
  • Whether access controls, retention, deletion, audit trails, exports, and support access match the intended PHI workflow.

Safer alternatives and related profiles

Safer alternatives to consider

  • A healthcare-specific intake platform when PHI-heavy forms, consent, file uploads, and patient communication must be covered end to end.
  • Google Forms only if used inside eligible Google Workspace BAA scope and configured appropriately.
  • A covered EHR, patient portal, or practice-management intake workflow for clinical data collection.

FAQ

Will Jotform sign a BAA?

Jotform states that a BAA is available for covered entity customers that have enabled HIPAA compliance features. Verify the exact plan, account settings, and covered workflows before collecting PHI.

Can Jotform be used with PHI?

Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.

Does SOC 2 mean Jotform is HIPAA compliant?

No. SOC 2 evidence can support security diligence, but it does not prove HIPAA compliance, confirm BAA coverage, or approve PHI use. Review HIPAA terms, BAA scope, covered services, configuration, and intended workflow separately.

What should buyers verify before using Jotform with PHI?

Whether HIPAA compliance features are enabled and a current BAA is signed for the exact Jotform account. Whether form fields, uploads, signatures, payments, emails, autoresponders, PDFs, webhooks, and storage destinations are covered. Whether third-party integrations, calendar sync, CRM sync, payment processors, and cloud storage have separate BAA coverage where needed. Whether access controls, retention, deletion, audit trails, exports, and support access match the intended PHI workflow.

Last checked and source notes

Last checked: 2026-06-15
Confidence: High
Dataset rows: 268 vendors
  • Reviewed Jotform HIPAA and security materials for BAA, HIPAA-enabled form, and SOC evidence signals on 2026-06-15.
  • Jotform suitability depends on plan, HIPAA feature activation, BAA scope, form configuration, notifications, storage, payments, signatures, and integrations.
  • ComplySaaS did not verify a private Jotform contract or account-specific BAA scope.
  • Jotform HIPAA forms
  • Jotform security