If you are a credentialed health professional with a website, HIPAA applies to your online forms too. Not just your electronic health record and your billing software — your website forms.
That is the part a lot of clinicians miss, and honestly, it is not their fault. When you launched your website, nobody handed you a compliance checklist alongside your login credentials. But here is what I see as a web designer who builds sites specifically for credentialed health professionals: 30 of the last health-professional sites I’ve audited had a standard Google Form or Wix contact form sitting right there on the homepage collecting sensitive patient information. Quietly. With no safeguards in place.
This post is a walkthrough of what you actually need to know about HIPAA compliant website forms. It is educational information, not legal advice — for guidance specific to your practice, please consult a healthcare attorney or compliance officer. But if you want to understand what you are looking at and what questions to ask, this is a good place to start.
What makes a website form subject to HIPAA in the first place?
A website form becomes subject to HIPAA the moment it collects information that could identify a person and connect them to a health condition, service, or provider relationship. That is the core rule, and it is worth sitting with for a second.
A basic contact form that only asks for a name and an email address is generally not considered protected health information (PHI) on its own. Low risk. But the moment someone types a reason for reaching out, whether that is something like struggling with anxiety or looking for help managing my diabetes, that submission has just become PHI. Same form. Completely different obligation.
The types of forms that almost always create HIPAA obligations on a health professional website include new patient intake forms, symptom or health history questionnaires, appointment request forms that ask about the reason for the visit, and anything that collects insurance information. If your website has any of these, HIPAA almost certainly applies.
The tricky part is that many practitioners do not realize this until a web designer or compliance consultant points it out. I have had clients come to me for a website refresh and discover mid-project that the intake form they have been using for two years was sitting on a platform that had no idea HIPAA existed.
What is a business associate agreement and why does your form builder need one?
A Business Associate Agreement, usually called a BAA, is a legally required contract between you (the covered entity) and any vendor that handles PHI on your behalf. Under HIPAA, if a third-party platform is storing, transmitting, or processing patient information for you, they have to agree in writing to protect that data. That agreement is the BAA. (HHS publishes its own plain-language guidance on business associates here: HHS Business Associates Guidance.)
Here is what this means practically for your website forms. If your form submissions are being stored or routed through a third-party platform, which they almost always are, that platform needs to sign a BAA with you before you use it for anything involving PHI. No BAA, no compliance. It is that direct.
The problem is that many popular website and form tools do not offer BAAs at all. General website builders designed for small businesses, standard form plugins, and free survey tools are usually not built with healthcare in mind. HIPAA-focused platforms, EHR-adjacent intake tools, and purpose-built healthcare form builders are the ones that typically do.
I have had this conversation with [X clients in the past X months] who were using a well-known website builder and were surprised that it did not qualify. The pivot is usually a [X–X hour] migration once we identify it, but catching it before the site launches is a lot easier than retrofitting it afterward.
Which website forms do health professionals need to worry about?
The forms most likely to create HIPAA exposure on a health professional website are new patient intake forms, appointment request forms that ask about reason for visit or insurance, symptom and health history questionnaires, and any form whose submissions route directly to a standard email inbox. If your website has any of these, they warrant a closer look.
There is also a category of forms that live in a gray zone — I call it the open-text trap. A newsletter signup form that only collects a name and email address is generally lower risk. But a general interest form that says something like “tell me a little about what you are looking for” can slide quickly into higher-risk territory the moment someone describes a clinical situation in their response. The decision rule is simple: if a form includes any open text field, assume PHI will eventually land in it, and treat the form accordingly. The form itself may look simple, but what people type into it is what matters.
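The following Python script is an added example, not code from the original post and not any vendor's tooling. It applies the decision rule above, together with the routing point from the previous section, to a page's HTML: it inventories every form, treats any textarea or free-text input as a place where PHI will eventually land, and flags forms that post to an email address, post over plain HTTP, or post to a destination that is not on your list of vendors with a signed BAA. The sample HTML, the hostnames, the BAA list and the set of field names treated as plain identifiers are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic (an assumption of this example, not a rule stated in the post):
# single-line text inputs with these names collect identifiers, not a
# description of a health situation, so a form made only of them is low risk.
IDENTIFIER_FIELDS = {"name", "first_name", "last_name", "phone", "zip"}


class FormInventory(HTMLParser):
    """Collect every <form> on a page: its action URL, its fields, and which
    of those fields accept open text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "fields": [], "open_text": []}
            self.forms.append(self._form)
            return
        if self._form is None:
            return
        name = a.get("name") or "(unnamed)"
        if tag == "textarea":
            # A textarea is always open text: per the post, assume PHI.
            self._form["fields"].append(name)
            self._form["open_text"].append(name)
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            self._form["fields"].append(name)
            if kind in ("text", "search") and name.lower() not in IDENTIFIER_FIELDS:
                self._form["open_text"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_forms(html, baa_hosts=frozenset(), page_scheme="https", page_host=""):
    """Return one record per form: whether to assume PHI, and any problems
    with where the submission goes. baa_hosts lists the destinations whose
    operators have signed a BAA with the practice."""
    parser = FormInventory()
    parser.feed(html)
    results = []
    for form in parser.forms:
        action = urlparse(form["action"])
        scheme = (action.scheme or page_scheme).lower()   # relative action inherits the page
        host = action.netloc or page_host or "(same origin)"
        assume_phi = bool(form["open_text"])
        problems = []
        if scheme == "mailto":
            # Any form that lands in an inbox is on the post's watch list.
            problems.append("submissions route straight to an email inbox")
        else:
            if scheme != "https":
                problems.append("action URL is not HTTPS; data is unprotected in transit")
            if assume_phi and host not in baa_hosts:
                problems.append("destination %s has no BAA on file" % host)
        results.append({
            "action": form["action"],
            "fields": form["fields"],
            "open_text": form["open_text"],
            "assume_phi": assume_phi,
            "problems": problems,
        })
    return results


# Constructed sample page with the four kinds of form the post describes.
SAMPLE_PAGE = """
<form action="https://newsletter.example.com/subscribe" method="post">
  <input type="text" name="name"><input type="email" name="email">
</form>
<form action="mailto:intake@example.com" method="post">
  <input type="text" name="name"><input type="email" name="email">
  <textarea name="reason_for_visit"></textarea>
</form>
<form action="http://forms.example.com/contact" method="post">
  <input type="text" name="name"><input type="text" name="message">
</form>
<form action="https://intake.example.com/new-patient" method="post">
  <input type="text" name="name"><input type="email" name="email">
  <textarea name="health_history"></textarea>
</form>
"""
# Constructed: the one destination whose operator has signed a BAA.
BAA_HOSTS = frozenset({"intake.example.com"})

if __name__ == "__main__":
    for r in audit_forms(SAMPLE_PAGE, baa_hosts=BAA_HOSTS):
        status = "ASSUME PHI" if r["assume_phi"] else "low risk"
        print("%-45s %s" % (r["action"] or "(same page)", status))
        for p in r["problems"]:
            print("   -", p)
```

Run it against a saved copy of each page on your site and compare the destination hosts it prints with the list of vendors you actually hold a BAA from; the newsletter form passes because it collects only identifiers, while the two forms with a free-text field are only clear when their destination is both HTTPS and on that list.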
Why does sending form submissions to Gmail break HIPAA compliance?
Because unencrypted email is not a secure destination for PHI. Even if your form is built on a fully compliant platform, routing submissions to a standard Gmail or personal Outlook inbox breaks the chain. The entire path from form submission to final storage has to be protected — the destination matters as much as the form itself.
This catches a lot of practitioners off guard because it feels like a technicality. The form was the hard part, right? But compliance follows the data, not the form. If a compliant intake tool collects a patient’s health history and then emails the whole thing to an inbox with no encryption and no BAA, the secure platform upstream does not fix the insecure inbox downstream.
One of the clearest examples I have seen of this in practice was a solo practitioner with a beautiful, professional website. Everything looked polished and trustworthy. But her new patient intake form was routing directly to a personal Gmail account — and had been for [X months], since the day the site launched. She had no idea. The fix took [X hours and cost under $X]: we [brief description of remediation steps]. That is the typical shape of these projects — uncomfortable to discover, fast to fix.
What does a HIPAA compliant website form look like?
A HIPAA compliant website form is one built on or integrated with a platform that signs a BAA, encrypts data in transit and at rest, and routes submissions to a secure, encrypted destination. From the patient’s perspective, it may look identical to any other contact form. The compliance lives in the infrastructure underneath it, not in how the form looks on screen.
A platform marketing itself as “HIPAA-friendly” is not the same as a platform that will actually sign a BAA. When I am evaluating a form solution for a health professional client, I am looking for a few specific things: whether a BAA is available and straightforward to obtain, how data is encrypted at rest, whether there are audit logs showing who accessed what and when, and what the platform’s data retention and deletion policies look like.
Those details are not always easy to find on a platform’s marketing page. They are usually buried in the documentation or require a direct conversation with the vendor. That is a normal part of the due diligence process.
Does HTTPS make my form HIPAA compliant?
No. Having an SSL certificate and running your site on HTTPS is a baseline requirement, but it does not make your form HIPAA compliant on its own. HTTPS protects data while it travels from the visitor’s browser to the server. What happens after that — how the data is stored, who can access it, and where it goes — is a separate question entirely.
Think of HTTPS as locking the delivery truck. It says nothing about whether the warehouse the truck delivers to is secure, who has keys to it, or whether the warehouse owner has agreed in writing to protect what is inside. A padlock icon in the browser bar is the floor, not the finish line.
A Quick Look at Four HIPAA Compliant Form Options
| | JotForm | Hushmail | Spruce | Practice Better |
|---|---|---|---|---|
| Primary Use | Standalone form builder | Encrypted email + forms | Communication platform (phone, text, fax, video, forms) | Practice management EHR with built-in client forms |
| HIPAA Compliance | Yes | Yes | Yes | Yes |
| BAA Included | Yes, on qualifying plans | Yes, all Healthcare plans | Yes, all plans | Yes |
| Starting Price (HIPAA) | $99/month (Gold, annual) | $11.99/month solo | $24/user/month | $69/month |
| Free Trial | No | 14 days | Yes | Yes |
| Forms Embeddable on Your Website | Yes | Yes | No | Yes — forms can be embedded via HTML widget or shared as a public link |
| E-Signatures | Yes | Yes | No | Yes |
| Best For | Practices needing fully customizable standalone forms on any website | Solo practitioners wanting low-cost HIPAA email and forms bundled | Practices overhauling their full communication system | Dietitians and wellness practitioners already using Practice Better as their EHR |
| Heads Up | HIPAA only at Gold tier; lower plans are not compliant | Starter plan does not include forms | Patients must create an account for messaging to be HIPAA compliant | The embedded form pulls data into your Practice Better account, so it works best if you’re already on the platform |
The bottom line: for solo practitioners, Hushmail is the lowest-cost compliant option at $11.99/month; for fully customizable standalone forms, JotForm’s Gold plan at $99/month is the most flexible; and if you are already on Practice Better, its built-in forms at $69/month mean you may not need a separate tool at all.
How much does a HIPAA compliant form cost?
HIPAA compliant form tools for solo and small practices start at $11.99/month (Hushmail) and run up to $99/month (JotForm Gold) — see the comparison table above for the full breakdown. The right fit depends on your workflow, your existing tech stack, and how much customization you need, but cost is not a reason to stay out of compliance.
The general categories of solutions available include HIPAA-focused patient intake platforms that function as standalone intake tools, EHR systems that include built-in intake and scheduling forms as part of their subscription, and standalone HIPAA-compliant form builders that integrate with your existing website.
The investment is real, especially for someone who is used to free tools. But the one-time effort of setting this up correctly is almost always less expensive than the alternative. Under the penalty schedule updated by HHS in January 2026, HIPAA civil penalties now start at $145 per violation even in the lowest tier (where the provider did not know and could not reasonably have known about the violation), can reach $73,011 per violation, and carry an annual cap of $2,190,294 for repeated violations of the same provision.
And the Office for Civil Rights does enforce against small practices, not just hospital systems. In 2023, OCR reached a $15,000 settlement with a solo psychotherapist over a records-access complaint. In 2024, a solo dental practitioner was hit with a $70,000 civil monetary penalty — and that figure was already reduced from a much larger calculated amount because OCR considered the size of the practice. You can browse OCR’s full list of resolution agreements on the HHS enforcement page.
I have worked with solo dietitians and therapists who were worried this was going to require a major overhaul. In most cases, it did not. It usually meant switching to a purpose-built intake tool or adding a compliant form layer to an existing setup, with a BAA in hand and submissions routing to a secure destination. Manageable, once you know what you are looking for.
How should a health professional set up their website forms to stay compliant?
Getting your website forms into compliance involves three steps:
Step 1: Choose a HIPAA-eligible form tool that will sign a BAA with you. This is the foundation. Before anything else, you need a form platform that offers a BAA and has the technical infrastructure to back it up — encryption at rest, access controls, and audit logs. The four platforms in the comparison table above are a good starting point.
Step 2: Configure your submission routing so PHI lands in a secure, encrypted destination. A compliant intake form that emails results to an unencrypted inbox is not a compliant system. Map the full path your form data travels — from the visitor’s browser to wherever it is finally stored — and confirm every stop along the way is covered.
Step 3: Update your website’s privacy documentation to reflect how you actually handle patient data. There are two separate documents at play here, and they are not interchangeable. Your website privacy policy explains how you handle visitor data in general — cookies, analytics, contact information. Your HIPAA Notice of Privacy Practices explains how you handle protected health information as a covered entity. Most health professional websites need both.
One pattern I see regularly during website audits is practitioners who handled compliance thoroughly inside their EHR, got their BAA signed with their telehealth platform, and then never thought to apply the same lens to their website. The website feels different because it is public-facing and not clinical. But if patients are submitting health information through it, the obligation is the same.
FAQ About HIPAA Compliant Website Forms
I am a dietitian. Do I actually have to follow HIPAA, or is that just for doctors?
Registered dietitians who operate as covered entities or work within covered entity settings are subject to HIPAA. A covered entity under HIPAA is a healthcare provider that transmits any health information electronically in connection with certain standard transactions, which includes billing insurance. If you are a registered dietitian in private practice who bills insurance, coordinates care with other providers, or works within a healthcare organization, HIPAA almost certainly applies to you. If you are unsure whether your specific practice qualifies, a healthcare attorney can help you make that determination.
My website has been live for two years with a regular contact form. Am I already in violation?
That depends on what information was collected through the form and how it was stored. If the form only captured names and emails and no one submitted clinical details through it, the exposure may be minimal. If patients submitted health information and it was processed through a non-compliant platform with no BAA in place, there may be a gap worth addressing. The important thing to know is that taking corrective action now — auditing what you have, switching to compliant tools, and documenting the change — is far better than waiting. Consult a healthcare compliance professional if you are concerned about past exposure.
Can I just add a disclaimer to my contact form saying not to send health information?
A disclaimer does not create compliance. If a patient submits protected health information through your form, your HIPAA obligation exists regardless of whether you asked them not to. The language on the form does not change how the data is handled on the backend. The solution is infrastructure: a compliant platform with a signed BAA and secure submission routing. A disclaimer can be a helpful addition, but it is not a substitute for the technical and legal safeguards that compliance actually requires.
Does my telehealth scheduling link count as a website form?
Embedded scheduling and telehealth tools have their own compliance considerations. The key questions are whether the scheduling platform itself has signed a BAA with you and whether the data collected during scheduling flows securely between the platform and your clinical systems. Many telehealth platforms are built with HIPAA compliance in mind and will offer a BAA as part of their standard setup. But embedding a link or widget on your website does not automatically mean it is compliant. You need to verify the BAA status of the scheduling tool itself, separate from your website’s form setup.
What if I use a form just for people to ask general questions, nothing clinical?
General inquiry forms carry lower risk than intake or symptom forms, but they are not automatically exempt — this is the open-text trap in action. The risk level depends on what people actually submit through them. Even a form designed for general questions can receive PHI if a prospective patient describes their health situation while reaching out. What I typically recommend for clients in this situation is to keep the general inquiry form as simple as possible, use language that discourages clinical detail, and route submissions to a platform that meets a reasonable standard of security even if a full BAA is not in place. If your inquiry form starts to function more like an intake form in practice, it is worth treating it that way from a compliance standpoint.
Getting your website forms into compliance is not an ongoing burden the way some things in healthcare feel. It is a one-time infrastructure decision: choose the right tool, get the BAA signed, confirm your submission routing is secure, and update your privacy documentation. Then it is done, and you can stop quietly wondering about it.
If you work with a web designer who specializes in health professional websites, this is a great conversation to have at your next check-in. And if this post was helpful, feel free to pass it along to a colleague who might be wondering about the same things.
Note: This post is for educational purposes only and does not constitute legal or compliance advice. Please consult a qualified healthcare attorney or HIPAA compliance officer for guidance specific to your practice.
