Best HIPAA-Compliant Form Builders for Healthcare in 2026

A HIPAA-compliant form builder is an online form tool that meets the Health Insurance Portability and Accountability Act’s Security Rule requirements for collecting, storing, and transmitting protected health information (PHI). The compliance bar is specific: a signed BAA, AES-256 encryption at rest, TLS 1.2+ in transit, role-based access controls, and audit logging.

Google Forms does not sign a BAA, and most free-tier plans lack the required infrastructure. Below are 8 form builders that provide verified HIPAA compliance for patient intake, consent collection, appointment scheduling, and clinical assessments in 2026.

What HIPAA requires from a form builder

HIPAA compliance for online forms means meeting the Security Rule’s technical safeguards and having a signed Business Associate Agreement in place. Miss any one of these requirements and the form builder cannot be used for PHI collection.

Business Associate Agreement (BAA)

A Business Associate Agreement (BAA) is a legal contract between your healthcare organization (the covered entity) and the form builder vendor (the business associate). It establishes who is responsible for protecting PHI, what happens in a breach, and how data is handled at contract termination.

Without a signed BAA, using a form builder for PHI is a HIPAA violation regardless of the tool’s security features. Many practices assume encryption equals compliance. It does not. The BAA is a separate legal requirement (HIPAA Journal, 2026).

Encryption

  • At rest: AES-256 encryption for stored form submissions and uploaded files
  • In transit: TLS 1.2 or higher for all data transmission between the user’s browser and the server

Both are required. A form that encrypts in transit but stores responses in plaintext does not meet the standard.

Access controls

  • Multi-factor authentication for staff accounts
  • Role-based permissions (front desk sees intake data; billing sees insurance data; not everyone sees everything)
  • Automatic session timeouts after inactivity
  • Unique user IDs for every person who accesses PHI

Audit trails

Audit trails are tamper-proof logs documenting who accessed what data, when, and what actions they took. These logs must be retained and available for compliance audits.

2026 update: AI and PHI

AI-powered form features (auto-suggestions, smart field routing, AI-assisted triage) now fall under HIPAA scrutiny. If your form builder uses AI that touches PHI, that AI component must be included in your formal risk analysis and covered by the BAA. This is new territory in 2026 and applies to AI form generators that process patient data.

8 HIPAA-compliant form builders compared

1. Jotform

Best for: Practices that need templates and broad integrations

Jotform offers HIPAA compliance on its Gold plan ($39/month) and above. It signs a BAA, provides dedicated HIPAA-compliant infrastructure separate from its standard servers, and includes 10,000+ templates with healthcare-specific options for patient intake, consent, and assessment forms.

  • BAA: Yes (Gold plan and above)
  • Encryption: AES-256 at rest, TLS 1.2+ in transit
  • Integrations: 100+ apps including EHR systems
  • Templates: 10,000+ with healthcare category
  • Limitation: Free and Bronze plans are not HIPAA compliant

2. Formstack

Best for: Organizations needing document workflows alongside forms

Formstack provides HIPAA compliance with a signed BAA on its healthcare plan. It combines forms with document generation and e-signatures, useful for consent forms that require patient signatures. Conditional logic supports branching intake flows.

  • BAA: Yes (healthcare plan)
  • Encryption: AES-256, TLS 1.2+
  • Key feature: Integrated e-signatures with identity validation
  • Pricing: Starts at $50/month for HIPAA plan
  • Limitation: Higher price point than alternatives

3. Cognito Forms

Best for: Smaller practices on a budget

Cognito Forms offers HIPAA compliance starting at its Team plan ($24/month). It signs a BAA and provides encrypted file uploads, payment processing, and advanced calculation fields for scoring assessments like PHQ-9 or GAD-7.

  • BAA: Yes (Team plan and above)
  • Encryption: AES-256, TLS 1.2+
  • Key feature: Calculation fields for clinical scoring
  • Pricing: Starts at $24/month
  • Limitation: Fewer templates than Jotform

4. FormDr

Best for: Healthcare-only practices wanting a patient portal

FormDr is built exclusively for healthcare. It includes a patient portal where patients log in to complete intake forms, view instructions, and upload documents. EHR integration maps form data directly to patient records.

  • BAA: Yes (all plans)
  • Encryption: AES-256, TLS 1.2+
  • Key feature: Built-in patient portal with branded environments
  • Pricing: Per-provider pricing
  • Limitation: No non-healthcare use cases; narrower integration ecosystem

5. IntakeQ

Best for: Practices that need appointment scheduling with intake

IntakeQ combines patient intake forms with appointment booking and secure messaging. Forms auto-populate into patient records and can trigger automated appointment reminders. Popular with mental health, physical therapy, and dental practices.

  • BAA: Yes (all plans)
  • Encryption: AES-256, TLS 1.2+
  • Key feature: Combined intake + scheduling + messaging
  • Pricing: Per-practitioner pricing starting at $49.90/month
  • Limitation: Designed for individual practitioners and small groups, not large hospitals

6. HIPAAtizer

Best for: Compliance-first organizations needing verification

HIPAAtizer focuses specifically on HIPAA compliance verification. It includes form encryption, two-factor authentication, DDoS protection, and detailed access logs. The compliance dashboard shows your current compliance status.

  • BAA: Yes (all plans)
  • Encryption: AES-256, TLS 1.2+
  • Key feature: Compliance verification dashboard
  • Limitation: Smaller template library than Jotform or Formstack

7. MakeForms

Best for: Multi-regulation compliance (GDPR + HIPAA + TCPA)

MakeForms covers GDPR, HIPAA, TCPA, and CPA compliance in a single platform. For practices that serve patients across jurisdictions or handle marketing communications alongside patient data, this breadth reduces the need for multiple tools.

  • BAA: Yes
  • Encryption: AES-256, TLS 1.2+
  • Key feature: Multi-regulation compliance (GDPR, HIPAA, TCPA, CPA)
  • Limitation: Less specialized for healthcare than FormDr or IntakeQ

8. Formsite

Best for: Organizations needing HIPAA forms embedded on existing websites

Formsite provides embeddable HIPAA-compliant forms with mobile-responsive templates. It works well for practices that want to add patient intake forms to their existing WordPress or Squarespace websites without migrating to a new platform.

  • BAA: Yes
  • Encryption: AES-256, TLS 1.2+
  • Key feature: Clean embeds for existing websites
  • Templates: Mobile-friendly healthcare templates
  • Limitation: Fewer advanced features than Formstack or IntakeQ

Comparison table

| Builder       | BAA             | Starting Price | Best For                   | E-Signatures | Patient Portal |
|---------------|-----------------|----------------|----------------------------|--------------|----------------|
| Jotform       | Gold+           | $39/mo         | Templates, integrations    | Yes          | No             |
| Formstack     | Healthcare plan | $50/mo         | Document workflows         | Yes          | No             |
| Cognito Forms | Team+           | $24/mo         | Budget-conscious practices | No           | No             |
| FormDr        | All plans       | Per-provider   | Healthcare-only            | Yes          | Yes            |
| IntakeQ       | All plans       | $49.90/mo      | Scheduling + intake        | Yes          | Yes            |
| HIPAAtizer    | All plans       | Contact sales  | Compliance verification    | No           | No             |
| MakeForms     | Yes             | Contact sales  | Multi-regulation           | No           | No             |
| Formsite      | Yes             | $24.95/mo      | Website embeds             | No           | No             |

Common compliance mistakes

We reviewed public OCR enforcement actions and talked to healthcare customers about the gaps they found during audits. Five violations trigger fines most often.

No signed BAA. A practice finds a form builder with good encryption and starts collecting patient data without signing a BAA. Violation on day one.

Collecting unnecessary PHI. Only collect what you need for the specific clinical purpose. A general appointment request form should not ask for Social Security numbers or detailed medical history. Use conditional logic to collect additional PHI only when the response path requires it.

Using non-compliant hosting. Some form builders offer HIPAA compliance only on specific plans with dedicated infrastructure. If you create forms on a non-HIPAA plan and collect PHI, the data lives on non-compliant servers.

Ignoring AI tools. In 2026, if you use AI-assisted intake or AI form generation that processes patient data, those tools must be in your risk analysis and BAA. This includes AI auto-fill, AI-generated follow-up questions, and chatbot-style form interactions.

No access controls for staff. Every staff member should have their own login with role-based permissions. Shared accounts make audit logging meaningless and violate the Security Rule.

How to choose the right HIPAA form builder

Match the tool to your practice type:

  1. Solo practitioner or small group: Cognito Forms ($24/month) or IntakeQ (per-practitioner) give you HIPAA compliance without enterprise pricing.
  2. Multi-location practice: Jotform or Formstack for template libraries and broad integrations that work across locations.
  3. Healthcare-only, patient portal needed: FormDr or IntakeQ for integrated patient-facing portals.
  4. Multi-regulation (GDPR + HIPAA): MakeForms for practices serving patients across jurisdictions.
  5. Existing website integration: Formsite for embeddable HIPAA forms on your current site.

Before signing up, verify: Does the vendor sign a BAA on your plan tier? Where are servers located? What happens to your data if you cancel? Does the BAA cover all features you plan to use, including AI features?

Where AntForms fits

We built AntForms for teams that need conditional logic, unlimited responses, and webhook integrations without per-submission pricing. For non-PHI healthcare forms (appointment requests, general feedback, satisfaction surveys, event registration), AntForms handles the workflow. For forms that collect PHI (diagnosis, treatment history, insurance data), use a HIPAA-certified builder from the list above and connect it to your workflow via webhooks or Zapier.

For non-regulated form use cases, see our form builder comparison and data privacy guide.

Limitations to know

This comparison is based on vendor-published compliance claims and publicly available documentation as of April 2026. HIPAA compliance is a shared responsibility between the vendor and the covered entity; using a compliant tool does not make your organization compliant by itself. You must also implement proper policies, staff training, risk assessments, and incident response procedures. Pricing and plan features change frequently; verify current pricing directly with each vendor. This guide covers the Security Rule’s technical requirements but does not constitute legal advice. Consult a HIPAA compliance officer or healthcare attorney for your specific situation.

Key takeaways

  • A signed BAA is the first requirement. Without it, encryption alone does not make a form builder HIPAA compliant.
  • Encryption standard: AES-256 at rest, TLS 1.2+ in transit. Both are required.
  • Access controls (MFA, role-based permissions, session timeouts) and audit trails are non-negotiable.
  • In 2026, AI tools that touch PHI must be included in your risk analysis and BAA.
  • Prices range from $24/month (Cognito Forms) to $50+/month (Formstack). Healthcare-specific tools like FormDr and IntakeQ use per-provider pricing.
  • Only collect PHI that is necessary for the clinical purpose. Use conditional logic to reduce unnecessary data collection.
  • For non-PHI healthcare forms, AntForms provides conditional logic and unlimited responses at no cost.