What You Need to Know About HIPAA Compliant Website Forms

Post Last Updated: April 2026

If you are a credentialed health professional with a website, HIPAA applies to your online forms too. Not just your electronic health record and your billing software, but your website forms.

That is the part a lot of clinicians miss, and honestly, it is not their fault. When you launched your website, nobody handed you a compliance checklist alongside your login credentials. You picked a template, added your services page, dropped in a contact form, and called it done. Which is completely understandable.

But here is what I see regularly as a web designer who builds sites specifically for credentialed health professionals: practitioners who have put real thought into HIPAA compliance in their clinical systems, and then have a standard Google Form or Wix contact form sitting right there on their homepage collecting sensitive patient information. Quietly. With no safeguards in place.

This post is a plain-language walkthrough of what you actually need to know about HIPAA compliant website forms. It is educational information, not legal advice. For guidance specific to your practice, please consult a healthcare attorney or compliance officer. But if you want to understand what you are looking at and what questions to ask, this is a good place to start.

What makes a website form subject to HIPAA in the first place?

A website form becomes subject to HIPAA the moment it collects information that could identify a person and connect them to a health condition, service, or provider relationship. That is the core rule, and it is worth sitting with for a second.

A basic contact form that only asks for a name and an email address generally does not collect protected health information (PHI) on its own. Low risk. But the moment someone types a reason for reaching out, whether that is something like "struggling with anxiety" or "looking for help managing my diabetes", that submission has just become PHI. Same form. Completely different obligation.

The types of forms that almost always create HIPAA obligations on a health professional website include new patient intake forms, symptom or health history questionnaires, appointment request forms that ask about the reason for the visit, and anything that collects insurance information. If your website has any of these, HIPAA almost certainly applies.

The tricky part is that many practitioners do not realize this until a web designer or compliance consultant points it out. I have had clients come to me for a website refresh and discover mid-project that the intake form they have been using for two years was sitting on a platform that had no idea HIPAA existed.

What is a business associate agreement and why does your form builder need one?

A Business Associate Agreement, usually called a BAA, is a legally required contract between you (the covered entity) and any vendor that handles PHI on your behalf. Under HIPAA, if a third-party platform is storing, transmitting, or processing patient information for you, they have to agree in writing to protect that data. That agreement is the BAA.

Here is what this means practically for your website forms. If your form submissions are being stored or routed through a third-party platform, which they almost always are, that platform needs to sign a BAA with you before you use it for anything involving PHI. No BAA, no compliance. It is that direct.

The problem is that many popular website and form tools do not offer BAAs at all. General website builders designed for small businesses, standard form plugins, and free survey tools are usually not built with healthcare in mind. They are not covered entities, they do not have the infrastructure for it, and they are not going to sign a BAA. HIPAA-focused platforms, EHR-adjacent intake tools, and purpose-built healthcare form builders are the ones that typically do.

I have had this conversation with more than a few clients who were using a well-known website builder and were surprised that it did not qualify. The pivot is usually straightforward once we identify it, but catching it before the site launches is a lot easier than retrofitting it afterward.

Which website forms do health professionals need to worry about?

The forms most likely to create HIPAA exposure on a health professional website are new patient intake forms, appointment request forms that ask about reason for visit or insurance, symptom and health history questionnaires, and any form whose submissions route directly to a standard email inbox. If your website has any of these, they warrant a closer look.

There is also a category of forms that live in a gray zone. A newsletter signup form that only collects a name and email address is generally lower risk. A general interest form that says something like "tell me a little about what you are looking for" can slide quickly into higher-risk territory if someone describes a clinical situation in their response. The form itself may look simple, but what people type into it is what matters.

The email routing issue deserves its own mention because it catches a lot of practitioners off guard. Even if your form is built on a compliant platform, if the submission then gets forwarded to a standard Gmail or personal Outlook inbox, the chain breaks. Unencrypted email is not a secure destination for PHI. The entire path from form submission to final storage has to be protected.

One of the clearest examples I have seen of this in practice was a solo practitioner with a beautiful, professional website. Everything looked polished and trustworthy. But her new patient intake form was routing directly to a personal Gmail account. She had no idea. It had been set up that way from day one.

What does a HIPAA compliant website form look like?

A HIPAA compliant website form is one built on or integrated with a platform that signs a BAA, encrypts data in transit and at rest, and routes submissions to a secure, encrypted destination. From the patient’s perspective, it may look identical to any other contact form. The compliance lives in the infrastructure underneath it, not in how the form looks on screen.

Two things are worth clarifying here. First, having an SSL certificate and running your site on HTTPS is a baseline requirement, but it does not make your form HIPAA compliant on its own. HTTPS protects data while it travels from the visitor’s browser to the server. What happens after that (how the data is stored, who can access it, and where it goes) is a separate question entirely.

Second, a platform marketing itself as HIPAA-friendly is not the same as a platform that will actually sign a BAA. When I am evaluating a form solution for a health professional client, I am looking for a few specific things: whether a BAA is available and straightforward to obtain, how data is encrypted at rest, whether there are audit logs showing who accessed what and when, and what the platform’s data retention and deletion policies look like.

Those details are not always easy to find on a platform’s marketing page. They are usually buried in the documentation or require a direct conversation with the vendor. That is a normal part of the due diligence process.

A Quick Look at Four HIPAA Compliant Form Options

| | JotForm | Hushmail | Spruce | Practice Better |
| --- | --- | --- | --- | --- |
| Primary Use | Standalone form builder | Encrypted email + forms | Communication platform (phone, text, fax, video, forms) | Practice management EHR with built-in client forms |
| HIPAA Compliance | Yes | Yes | Yes | Yes |
| BAA Included | Yes, on qualifying plans | Yes, all Healthcare plans | Yes, all plans | Yes |
| Starting Price (HIPAA) | $99/month (Gold, annual) | $11.99/month solo | $24/user/month | $69/month |
| Free Trial | No | 14 days | Yes | Yes |
| Forms Embeddable on Your Website | Yes | Yes | No | Yes (forms can be embedded via HTML widget or shared as a public link) |
| E-Signatures | Yes | Yes | No | Yes |
| Best For | Practices needing fully customizable standalone forms on any website | Solo practitioners wanting low-cost HIPAA email and forms bundled | Practices overhauling their full communication system | Dietitians and wellness practitioners already using Practice Better as their EHR |
| Heads Up | HIPAA only at Gold tier; lower plans are not compliant | Starter plan does not include forms | Patients must create an account for messaging to be HIPAA compliant | The embedded form pulls data into your Practice Better account, so it works best if you’re already on the platform |

How should a health professional set up their website forms to stay compliant?

Getting your website forms into compliance involves three layers: choosing a HIPAA-eligible form tool that will sign a BAA with you, configuring your submission routing so that PHI lands in a secure and encrypted destination, and making sure your website’s privacy documentation reflects how you actually handle patient data.

The first layer is the foundation. Before anything else, you need a form platform that offers a BAA and has the technical infrastructure to back it up. Once that is in place, you need to look at where your form submissions go. A compliant intake form that emails results to an unencrypted inbox is not a compliant system. The destination matters as much as the form itself.
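To make the routing point concrete (both here and in the earlier paragraph about submissions forwarded to a Gmail inbox), here is an added example in Python. It is my illustration, not code from the post or from any of the platforms named above. The submission stays in a store that stands in for the BAA-covered platform, every read is recorded in an audit log, and the practitioner's ordinary inbox receives only a reference id and a sign-in link. The store, the field names, the portal URL and the sample submission are all assumptions I constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import secrets

# Fields whose values may identify a person or describe their health.
# Values in these fields must never travel to an ordinary, unencrypted inbox.
PHI_FIELDS = {"name", "email", "phone", "date_of_birth", "reason_for_visit",
              "insurance_member_id", "health_history"}

SAMPLE_SUBMISSION = {  # constructed sample, not real patient data
    "name": "Pat Example",
    "email": "pat@example.com",
    "reason_for_visit": "looking for help managing my diabetes",
    "insurance_member_id": "MBR-000000",
}

@dataclass
class SecureStore:
    """Stand-in (assumption) for the BAA-covered platform's encrypted storage."""
    submissions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (when, who, action, ref)

    def save(self, form_data: dict) -> str:
        ref = secrets.token_hex(8)  # opaque id; says nothing about the patient
        self.submissions[ref] = dict(form_data)
        self.audit_log.append((datetime.now(timezone.utc), "form", "create", ref))
        return ref

    def read(self, ref: str, user: str) -> dict:
        # Every access is logged: the "who accessed what and when" the post asks for.
        self.audit_log.append((datetime.now(timezone.utc), user, "read", ref))
        return dict(self.submissions[ref])

def forward_raw_submission(form_data: dict) -> str:
    """The broken pattern: the whole submission forwarded to a personal inbox."""
    return "\n".join(f"{k}: {v}" for k, v in form_data.items())

def build_notification(ref: str, form_name: str, portal_url: str) -> str:
    """The compliant pattern: a pointer to the record, no patient data in the mail."""
    return (f"A new {form_name} submission ({ref}) is waiting.\n"
            f"Sign in to review it: {portal_url}/submissions/{ref}\n")

def contains_phi(text: str, form_data: dict) -> bool:
    """Guard before anything leaves for an unencrypted destination.
    A plain substring check: conservative, not a classifier."""
    return any(str(v) and str(v) in text
               for k, v in form_data.items() if k in PHI_FIELDS)

def route_submission(store: SecureStore, form_data: dict,
                     form_name: str = "new patient intake",
                     portal_url: str = "https://forms.example") -> tuple:
    """Store the submission securely and return (ref, PHI-free email body)."""
    ref = store.save(form_data)
    body = build_notification(ref, form_name, portal_url)
    if contains_phi(body, form_data):  # refuse rather than leak
        raise RuntimeError("notification would carry PHI; not sending")
    return ref, body
```

Run `route_submission(SecureStore(), SAMPLE_SUBMISSION)` to see the notice the inbox would get, and compare it with `forward_raw_submission(SAMPLE_SUBMISSION)`, which is the email the post warns about.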

The privacy documentation piece trips up a lot of practitioners because there are actually two separate documents at play here. Your website privacy policy explains how you handle visitor data in general, things like cookies, analytics, and contact information. Your HIPAA Notice of Privacy Practices explains how you handle protected health information as a covered entity. They serve different purposes and most health professional websites need both. They are not interchangeable.

One pattern I see regularly during website audits is practitioners who handled compliance thoroughly inside their EHR, got their BAA signed with their telehealth platform, and then never thought to apply the same lens to their website. The website feels different because it is public-facing and not clinical. But if patients are submitting health information through it, the obligation is the same.

Are there affordable HIPAA compliant form options?

Yes, there are accessible and affordable options designed with small and solo practices in mind, and cost is not a reason to stay out of compliance. The landscape of HIPAA-focused tools has grown meaningfully over the past few years as more clinicians have moved into private practice.

The general categories of solutions available to solo practitioners include HIPAA-focused patient intake platforms that function as standalone intake tools, EHR systems that include built-in intake and scheduling forms as part of their subscription, and standalone HIPAA-compliant form builders that integrate with your existing website. The right fit depends on your workflow, your existing tech stack, and how much customization you need.

The investment is real, especially for someone who is used to free tools. But the one-time effort of setting this up correctly is almost always less stressful and less expensive than the alternative. HIPAA violations carry civil penalties that start at $100 per violation and can escalate significantly depending on the circumstances. The Office for Civil Rights has issued fines to solo practitioners, not just large health systems.

I have worked with solo dietitians and therapists who were worried this was going to require a major overhaul. In most cases, it did not. It usually meant switching to a purpose-built intake tool or adding a compliant form layer to an existing setup, with a BAA in hand and submissions routing to a secure destination. Manageable, once you know what you are looking for.

Frequently Asked Questions About HIPAA Compliant Website Forms

Q: I am a dietitian. Do I actually have to follow HIPAA, or is that just for doctors?

A: Registered dietitians who operate as covered entities or work within covered entity settings are subject to HIPAA. A covered entity under HIPAA is a healthcare provider that transmits any health information electronically in connection with certain standard transactions, which includes billing insurance. If you are a registered dietitian in private practice who bills insurance, coordinates care with other providers, or works within a healthcare organization, HIPAA almost certainly applies to you. If you are unsure whether your specific practice qualifies, a healthcare attorney can help you make that determination.

Q: My website has been live for two years with a regular contact form. Am I already in violation?

A: That depends on what information was collected through the form and how it was stored. If the form only captured names and emails and no one submitted clinical details through it, the exposure may be minimal. If patients submitted health information and it was processed through a non-compliant platform with no BAA in place, there may be a gap worth addressing. The important thing to know is that taking corrective action now (auditing what you have, switching to compliant tools, and documenting the change) is far better than waiting. Consult a healthcare compliance professional if you are concerned about past exposure.

Q: Can I just add a disclaimer to my contact form saying not to send health information?

A: A disclaimer does not create compliance. If a patient submits protected health information through your form, your HIPAA obligation exists regardless of whether you asked them not to. The language on the form does not change how the data is handled on the backend. The solution is infrastructure: a compliant platform with a signed BAA and secure submission routing. A disclaimer can be a helpful addition, but it is not a substitute for the technical and legal safeguards that compliance actually requires.

Q: Does my telehealth scheduling link count as a website form?

A: Embedded scheduling and telehealth tools have their own compliance considerations. The key questions are whether the scheduling platform itself has signed a BAA with you and whether the data collected during scheduling flows securely between the platform and your clinical systems. Many telehealth platforms are built with HIPAA compliance in mind and will offer a BAA as part of their standard setup. But embedding a link or widget on your website does not automatically mean it is compliant. You need to verify the BAA status of the scheduling tool itself, separate from your website’s form setup.

Q: What if I use a form just for people to ask general questions, nothing clinical?

A: General inquiry forms carry lower risk than intake or symptom forms, but they are not automatically exempt. The risk level depends on what people actually submit through them. Even a form designed for general questions can receive PHI if a prospective patient describes their health situation while reaching out. What I typically recommend for clients in this situation is to keep the general inquiry form as simple as possible, use language that discourages clinical detail, and route submissions to a platform that meets a reasonable standard of security even if a full BAA is not in place. If your inquiry form starts to function more like an intake form in practice, it is worth treating it that way from a compliance standpoint.

Your website is part of your practice. Protect it accordingly.

Getting your website forms into compliance is not about being perfect. It is about being intentional with the information people trust you with before they ever walk through your door. That trust starts online now, and the systems behind your website are part of how you honor it.

The good news is that this is a solvable problem. It is not an ongoing compliance burden the way some things in healthcare feel. It is a one-time infrastructure decision: choose the right tools, get the BAA signed, confirm your submission routing is secure, and update your privacy documentation. Then it is done, and you can stop quietly wondering about it.

If you have been putting this off because it felt too technical or too expensive or just too much to figure out on top of everything else you manage, I get it. Auditing your own systems takes a certain kind of courage. You have to be willing to find something that needs fixing. But finding it and addressing it is exactly what a serious, credentialed professional does.

If you work with a web designer who specializes in health professional websites, this is a great conversation to have at your next check-in. And if this post was helpful, feel free to pass it along to a colleague who might be wondering about the same things.

Note: This post is for educational purposes only and does not constitute legal or compliance advice. Please consult a qualified healthcare attorney or HIPAA compliance officer for guidance specific to your practice.

Jessica Freeman is a Web Designer and SEO Strategist exclusively for private practice owners. With a background and degree in design, she helps therapists, dietitians, and practitioners stop chasing clients and start attracting them. Jess doesn’t just build “pretty” websites; her websites are designed to rank on Google and fill your client roster. When not auditing websites or geeking out over conversion rates, you can find her drinking Diet Dr Pepper and reading the latest thriller novel on the couch.
