Guide | April 19, 2026 | 7 min read

Jotform HIPAA: A Practical Setup Guide (From a Former Engineer)

If you handle protected health information, Jotform's HIPAA plan is the right starting point — but the plan alone doesn't make your workflow compliant. Here's what the plan covers, what it doesn't, and what most teams still get wrong.

TL;DR
  • The Jotform HIPAA plan includes a signed BAA, at-rest and in-transit encryption, and HIPAA-compliant data handling on Jotform's side.
  • What the plan does NOT cover: your integrations. A Zap that pushes submission data to a non-HIPAA tool breaks compliance.
  • Email notifications that contain PHI are the most common leak — Jotform sends those via standard email unless you configure them carefully.
  • HIPAA compliance is a workflow decision, not a plan decision. The plan is table stakes; the setup is what keeps you compliant.

If your form collects protected health information — names tied to medical conditions, patient intake, mental health intake, insurance details — you need HIPAA-compliant handling. Jotform offers a dedicated HIPAA plan that covers the platform side. But signing up for the plan doesn't automatically make your workflow compliant. Most of the HIPAA mistakes I've seen come from the part outside Jotform.

I was on the Jotform product team for five years. I've seen the shape of HIPAA misuse across thousands of accounts. This guide covers what the plan actually includes, what it doesn't, and the setup decisions that keep you compliant in practice.

What the Jotform HIPAA plan includes

When you sign up for Jotform's HIPAA-compliant plan, you get four things:

  • A signed Business Associate Agreement (BAA) — the legal instrument that makes Jotform your compliant data processor.
  • At-rest encryption of submission data (AES-256 on Jotform's servers).
  • In-transit encryption on every request (TLS on form load and submission).
  • HIPAA-compliant account settings: the PDF attachments, uploads, and storage locations are all routed through compliant infrastructure.

Pricing sits at the Gold-tier level with compliance-specific handling. Current pricing lives on Jotform's pricing page — the partner link on this site passes through a partner discount.

What the plan does NOT cover

This is where most teams miss compliance. The HIPAA plan covers Jotform. It does not cover what happens to the data after it leaves Jotform.

1. Your integrations

If a Zap pushes a submission containing PHI to a CRM that isn't HIPAA-compliant (or doesn't have a BAA with Zapier), you've just leaked PHI. Every downstream tool that touches PHI needs its own BAA and its own compliant handling. Zapier has a HIPAA plan; most common CRMs have HIPAA tiers; email tools like Mailchimp generally don't.

2. Your email notifications

By default, Jotform sends email notifications on submission. If that email contains the submitted data (and most default templates do), it's flowing over standard SMTP. Even with the HIPAA plan, the email itself isn't always encrypted end-to-end. The fix: strip PHI from the notification template and only include a link back to Jotform where the full submission can be viewed under authenticated access.

3. Your team's access

The BAA covers Jotform's handling, but access control is your responsibility. Shared logins, weak passwords, or staff viewing PHI on unsecured devices all break the practical side of HIPAA regardless of what plan you're on. Use individual accounts, 2FA, and role-based permissions if you're on Enterprise.

4. Your exports

A CSV export of submissions is just a file on your laptop. The moment you download it, Jotform's compliance stops being relevant for that copy. If you need offline PHI, encrypt the device, don't email the CSV, and delete after use.

The practical HIPAA setup checklist

If you're standing up a HIPAA workflow on Jotform, this is the order I'd follow:

  1. Upgrade to the HIPAA plan and sign the BAA from within your Jotform account settings.
  2. Audit every integration on the form. For each one, either confirm a BAA is in place with that vendor or remove the integration.
  3. Rewrite email notifications to exclude PHI. Use placeholders like '{First Name}' for identity but omit clinical details; link back to Jotform for the full record.
  4. Enable 2FA on every Jotform account that can access the form.
  5. Set up access logging — Jotform Enterprise has audit logs; otherwise rely on Jotform's built-in activity timeline.
  6. Run a test submission with fake PHI, then walk the full data path (form → submission → email → integration → downstream tool) and confirm each hop is compliant.
  7. Keep a record of your BAA, your integration BAAs, and your decision log. If audited, the paper trail matters as much as the technical setup.
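Steps 3 and 6 of this checklist are the two places where a small script earns its keep: linting the notification template for PHI placeholders before you save it, and checking the rendered email from a fake-PHI test submission for leaked values. The following is an added example, not Jotform's code and not something the author ships. It assumes the `{Field Name}` placeholder syntax shown above, a constructed set of PHI field names (your own form's inventory replaces it), and an assumed `{Submission Link}` tag standing in for whatever link-back placeholder your form actually exposes.

```python
import re

# Constructed field classification for this example. In practice the set of
# PHI fields comes from your own inventory of what the form collects.
PHI_FIELDS = {
    "Medical Condition",
    "Diagnosis",
    "Medications",
    "Insurance ID",
    "Date of Birth",
}

# Placeholder for the link back to the stored submission. The name is an
# assumption for this example; use whatever link tag your form provides.
RECORD_LINK_PLACEHOLDER = "{Submission Link}"

# Jotform-style field placeholders: {First Name}, {Email}, ...
PLACEHOLDER = re.compile(r"\{([^{}]+)\}")


def find_phi_placeholders(template: str) -> list[str]:
    """Return the placeholders in a notification template that reference PHI fields."""
    return [name for name in PLACEHOLDER.findall(template) if name.strip() in PHI_FIELDS]


def sanitize_template(template: str) -> str:
    """Replace PHI placeholders with a fixed marker and make sure the
    notification carries a link to the authenticated record view."""
    def replace(match: re.Match) -> str:
        name = match.group(1).strip()
        return "[in record]" if name in PHI_FIELDS else match.group(0)

    cleaned = PLACEHOLDER.sub(replace, template)
    if RECORD_LINK_PLACEHOLDER not in cleaned:
        cleaned = cleaned.rstrip("\n") + "\n\nView the full submission: " + RECORD_LINK_PLACEHOLDER + "\n"
    return cleaned


def render(template: str, submission: dict[str, str]) -> str:
    """Fill placeholders from a submission; unknown placeholders are left untouched."""
    return PLACEHOLDER.sub(lambda m: submission.get(m.group(1).strip(), m.group(0)), template)


def leaked_phi_fields(rendered_body: str, submission: dict[str, str]) -> list[str]:
    """Checklist step 6: given a rendered notification body and the test
    submission that produced it, return the PHI fields whose values appear
    verbatim in the body. A non-empty result means this hop leaks PHI."""
    return [
        field
        for field, value in submission.items()
        if field in PHI_FIELDS and value and value in rendered_body
    ]


# Constructed default-style template and a constructed test submission with
# fake PHI, the kind of dry run the checklist recommends.
DEFAULT_TEMPLATE = """New intake from {First Name} {Last Name}
Email: {Email}
Condition: {Medical Condition}
Insurance: {Insurance ID}
"""

TEST_SUBMISSION = {
    "First Name": "Test",
    "Last Name": "Patient",
    "Email": "test.patient@example.com",
    "Medical Condition": "FAKE-CONDITION-001",
    "Insurance ID": "FAKE-INS-12345",
}

if __name__ == "__main__":
    print("PHI placeholders:", find_phi_placeholders(DEFAULT_TEMPLATE))
    before = render(DEFAULT_TEMPLATE, TEST_SUBMISSION)
    print("Leaks before:", leaked_phi_fields(before, TEST_SUBMISSION))
    safe = sanitize_template(DEFAULT_TEMPLATE)
    after = render(safe, TEST_SUBMISSION)
    print("Leaks after:", leaked_phi_fields(after, TEST_SUBMISSION))
    print(after)
```

Run the lint against every notification template on the form, not only the default one; autoresponders sent to the patient and conditional notifications are easy to forget. The value check is the more honest test of the two, because it catches PHI that reaches the body through a route the placeholder scan cannot see, such as a static line someone typed into the template.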

When Jotform isn't the right HIPAA choice

Jotform HIPAA is a strong fit for clinics, therapists, small health practices, nonprofits handling health outreach, and anyone who needs compliant intake without a dedicated healthcare platform. It's less of a fit when:

  • You need EHR integration beyond simple data push — look at healthcare-native tools like SimplePractice, Kareo, or Jane.
  • You need signed consent forms with full audit trails of who signed when and where — Jotform can do this but DocuSign or SignNow are more specialized.
  • You're processing PHI at a scale that triggers enterprise compliance programs (SOC 2 + HIPAA + HITRUST). Jotform Enterprise is a better fit there than the standard HIPAA plan.

Next step

If you're deciding whether Jotform's HIPAA plan fits your setup, the plan calculator on this site asks five questions and routes you there automatically if PHI is involved. Or if you want the whole compliant workflow (form + notifications + integrations) wired for you, book a free 20-minute call.


Frequently asked

Questions on this topic.

  • Does Jotform's free plan support HIPAA?

    No. HIPAA compliance requires a signed BAA, which is only available on Jotform's dedicated HIPAA plan. The free Starter plan, and the Bronze/Silver/Gold tiers, do not include a BAA.

  • How much does Jotform HIPAA cost?

    The HIPAA plan is typically priced at Gold-tier level with HIPAA-specific handling. Current pricing is on Jotform's pricing page — the partner link on this site passes a partner discount of up to 50%.

  • Can I upgrade an existing Jotform form to HIPAA?

    Yes. Upgrade the account to the HIPAA plan, then the forms inherit HIPAA handling. You'll still need to audit your integrations and notifications — plan upgrade alone doesn't fix a Zap that points to a non-compliant tool.

  • Do I need HIPAA if I'm just collecting names and emails?

    Not on its own. HIPAA applies when the data you collect constitutes protected health information — identifying details combined with health status, treatment, or payment for care. A name + email in isolation isn't PHI; a name + email + medical condition is.

  • What happens if I downgrade from the HIPAA plan?

    Jotform stops extending HIPAA handling and the BAA is no longer in effect for new data. Existing submissions in your account are still stored — you'd want to delete them or export and delete, depending on your retention obligations.

  • Are Jotform email notifications HIPAA-compliant?

    Jotform's email infrastructure is covered under the BAA on the HIPAA plan, but standard email is not end-to-end encrypted. Best practice: strip PHI from the notification body and use a link back to Jotform for the full record, viewed under authenticated access.

Want this wired for your setup?

Free 20-minute call. I'll tell you if a kit fits, what a custom build would take, or help you decide whether to stick with Jotform for this case.