Google Forms is HIPAA-eligible under the Workspace BAA, but with caveats most practices miss. Jotform is HIPAA-built. Here's the difference.
Google Forms can be HIPAA-eligible under a Google Workspace BAA, but it is not designed for PHI and several common configurations leak. Jotform's HIPAA plan is built for compliant forms and is the safer default.
Google Forms can be used in a HIPAA-eligible way, but only under a Google Workspace BAA, only on certain Workspace tiers, and only if you stay inside the small set of Google services explicitly covered. Most practices using a free Gmail account or basic Workspace plan are not HIPAA-compliant even if they think they are.
Jotform's HIPAA plan is the opposite story: a single product designed for PHI handling, with a signed BAA, encrypted attachments, and HIPAA-aware account settings. Pricing starts at $99/month billed annually on the Gold plan, a fraction of an enterprise Workspace upgrade.
The real divider: if your practice already runs on Google Workspace Business Plus or Enterprise with a signed BAA, Google Forms can work for very simple intake. The moment the form needs file upload, branching by condition, payment, e-signature, or anything that looks like a real intake, Jotform is the right tool.
| Dimension | Jotform | Google Forms | Winner |
|---|---|---|---|
| HIPAA BAA availability | Available on Gold plan and up ($99/month billed annually). Standalone, no other subscription required. | Available only on Google Workspace Business Plus, Enterprise, and Education. Not on free Gmail or Workspace Starter. | Jotform |
| HIPAA scope of the BAA | Covers form submissions, file uploads, PDFs, attachments, account access, and email notifications routed via Jotform. | Covers a limited set of 'core' Google services. Add-ons, Apps Script integrations, and many third-party Workspace Marketplace apps are NOT covered by the BAA. | Jotform |
| Intake form design | Conditional logic, branching, calculations, multi-page intake, custom CSS, e-signature, encrypted file upload. | Section branching only. No field-level logic, no calculations, no e-signature. UI is uniform Google Material. | Jotform |
| File upload (insurance card, ID, photos) | Encrypted upload covered by the HIPAA BAA. Standard intake feature. | Files go to Google Drive. Drive is HIPAA-eligible under Workspace BAA, but you must verify the destination Drive is in the BAA-covered tier and configure sharing carefully. | Jotform |
| E-signature and consent | Built-in e-signature field, legally binding, timestamp captured. Jotform Sign for full e-signature workflows. | Not built in. You collect a typed name and rely on intake-form-as-proof, which is weaker than a true e-signature. | Jotform |
| Email notifications with PHI | HIPAA-aware notifications: you can strip PHI, link back to authenticated Jotform views, control delivery. | Default notifications email submitted data to your inbox. Whether that email itself is HIPAA-compliant depends on your Workspace tier and the BAA scope. Default Forms notifications are a common audit failure. | Jotform |
| Cost | $99/month billed annually on the Gold plan. Includes the BAA. | Workspace Business Plus is $18/user/month, so a 5-person practice pays $90/month minimum for the HIPAA-eligible tier. Plus the BAA must be requested and signed separately. | Jotform |
| Audit trail and access control | Submission logs, account audit logs (Enterprise), 2FA. Built for HIPAA access control. | Workspace audit logs are strong on the BAA-covered tiers, but Forms-level granular permissions are basic. | Jotform |
| Integrations on PHI | Native HIPAA-aware integrations. Each integration vendor's BAA is a known item we audit during setup. | Apps Script and Marketplace add-ons are NOT under the Workspace BAA by default. Connecting Forms to Slack, Mailchimp, or a non-Google CRM frequently breaks HIPAA without the team realizing. | Jotform |
| Setup complexity for HIPAA | Sign up for the HIPAA plan, sign the BAA, build the form. The platform enforces HIPAA-aware defaults. | Upgrade Workspace to a BAA-eligible tier, request and sign the BAA, lock down add-ons, audit every Apps Script, train staff on which Google services are in scope. Easy to do wrong. | Jotform |
I set up Jotform for teams choosing between these tools every week. A 20-minute call tells you which one fits your workflow, or whether you need both.
The single most common HIPAA mistake I see: a practice on free Gmail builds a Google Form for patient intake, gets a few hundred submissions in, then learns that without a Workspace BAA, none of it was HIPAA-compliant. The fix is not a Google upgrade. It is rebuilding the form on a tool designed for PHI.
The second most common mistake: a practice with a real Workspace BAA assumes it covers everything. It covers core Google services. The Apps Script you wrote to pipe responses to Slack is not in scope. The Mailchimp add-on you installed last quarter is not in scope. The third-party calendar plugin is not in scope.
If you have a Workspace Enterprise BAA and you are technical enough to audit every Marketplace add-on against the covered-services list every quarter, Google Forms can work. For everyone else, Jotform's HIPAA plan removes about 90% of the failure modes by being built for PHI.
Only if you use it inside a Google Workspace tier that includes the HIPAA BAA (Business Plus, Enterprise, or Education) AND you have actively requested and signed that BAA AND you stay inside the BAA's covered services. Free Gmail, Workspace Starter, and Workspace Business Standard do not support HIPAA. Even on covered tiers, add-ons and many integrations fall outside the BAA.
Sign in to the Google Admin console as an admin, go to Account → Account Settings → Legal and Compliance, find the BAA, and accept it. You must be on Business Plus, Enterprise, or Education. The BAA covers 'Google Workspace Core Services' which includes Forms, Drive, Gmail, Calendar, Meet, and Docs.
They go to Google Drive. Drive is in the Workspace BAA on covered tiers, so the upload itself is HIPAA-eligible. But the destination Drive folder's sharing settings are your responsibility: default sharing-with-anyone-at-the-domain settings can leak PHI internally. Configure access carefully.
Cautiously. Apps Script as a Google service is in the BAA, but anywhere your script sends data outside Google Workspace (an HTTP webhook to a non-HIPAA tool, an email to a non-Workspace address, a third-party API) breaks HIPAA. Audit every script.
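One way to start the script audit described above, as an added example that is not part of the original page or of any Google or Jotform tooling: a small Node.js scanner that inventories `UrlFetchApp.fetch`, `MailApp.sendEmail` and `GmailApp.sendEmail` calls in Apps Script source and flags destinations outside an allow-list. `ALLOWED_HOSTS`, `WORKSPACE_DOMAIN` and the sample script are assumptions constructed for illustration.

```javascript
// Added example: static egress inventory for Apps Script source.
// ALLOWED_HOSTS and WORKSPACE_DOMAIN are assumptions for illustration;
// populate them from your own BAA review.
const ALLOWED_HOSTS = new Set(["www.googleapis.com"]);
const WORKSPACE_DOMAIN = "clinic.example";

// Apps Script calls that can carry response data out of the script.
const EGRESS_CALL =
  /\b(UrlFetchApp\.fetch(?:All)?|(?:MailApp|GmailApp)\.sendEmail)\s*\(\s*([^,)]*)/g;

function classify(call, arg) {
  const literal = /^(["'])(.*)\1$/.exec(arg);
  if (!literal) return { verdict: "review", target: arg || "(empty)" };
  let host;
  if (call.startsWith("UrlFetchApp")) {
    try { host = new URL(literal[2]).hostname; } catch { host = null; }
    if (!host) return { verdict: "review", target: literal[2] };
    return { verdict: ALLOWED_HOSTS.has(host) ? "ok" : "external", target: host };
  }
  host = literal[2].split("@").pop().toLowerCase();
  return { verdict: host === WORKSPACE_DOMAIN ? "ok" : "external", target: host };
}

function auditAppsScript(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    if (text.trim().startsWith("//")) return; // ignore commented-out calls
    for (const m of text.matchAll(EGRESS_CALL)) {
      findings.push({ line: i + 1, call: m[1], ...classify(m[1], m[2].trim()) });
    }
  });
  return findings;
}

// Constructed sample script, not taken from any real practice.
const SAMPLE = `function onFormSubmit(e) {
  const row = JSON.stringify(e.namedValues);
  UrlFetchApp.fetch("https://hooks.chat.example/services/T000/B000", {method: "post", payload: row});
  MailApp.sendEmail("frontdesk@clinic.example", "New intake", "See the response sheet");
  GmailApp.sendEmail("billing@outside-vendor.example", "Intake copy", row);
  UrlFetchApp.fetch(PropertiesService.getScriptProperties().getProperty("CRM_URL"), {payload: row});
}`;

for (const f of auditAppsScript(SAMPLE)) {
  console.log(`line ${f.line}: ${f.call} -> ${f.target} [${f.verdict}]`);
}
```

Anything marked `review` has a destination that is not a plain string literal and needs a manual read; the scan does not follow variables, add-ons or other services.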
Stronger by default, yes. Jotform's HIPAA plan is built for PHI: HIPAA-aware notifications, encrypted attachments, e-signature, conditional logic for medical intake. Google Forms is a general-purpose survey tool that happens to be HIPAA-eligible on enterprise Workspace plans. For practices that handle real PHI, Jotform's HIPAA plan removes most of the configuration risk.
Free 20-minute call. Describe what you're trying to do and I'll tell you straight which tool is the right choice, even when it isn't Jotform.