Jotform vs Google Forms for HIPAA
Google Forms is HIPAA-eligible under the Workspace BAA - but with caveats most practices miss. Jotform is HIPAA-built. Here's the difference.
Google Forms can be HIPAA-eligible under a Google Workspace BAA, but it is not designed for PHI and several common configurations leak. Jotform's HIPAA plan is purpose-built for compliant forms and is the safer default.
Google Forms can be used in a HIPAA-eligible way - but only under a Google Workspace BAA, only on certain Workspace tiers, and only if you stay inside the small set of Google services explicitly covered. Most practices using a free Gmail account or basic Workspace plan are not HIPAA-compliant even if they think they are.
Jotform's HIPAA plan is the opposite story: a single product designed for PHI handling, with a signed BAA, encrypted attachments, and HIPAA-aware account settings. Pricing starts at $39/month for the Silver tier - a fraction of an enterprise Workspace upgrade.
The honest split: if your practice already runs on Google Workspace Business Plus or Enterprise with a signed BAA, Google Forms can work for very simple intake. The moment the form needs file upload, branching by condition, payment, e-signature, or anything that looks like a real intake - Jotform is the right tool.
Jotform vs Google Forms, dimension by dimension.
| Dimension | Jotform | Google Forms | Winner |
|---|---|---|---|
| HIPAA BAA availability | Available on Silver plan and up ($39/month). Standalone, no other subscription required. | Available only on Google Workspace Business Plus, Enterprise, and Education. Not on free Gmail or Workspace Starter. | Jotform |
| HIPAA scope of the BAA | Covers form submissions, file uploads, PDFs, attachments, account access, and email notifications routed via Jotform. | Covers a limited set of 'core' Google services. Add-ons, Apps Script integrations, and many third-party Workspace Marketplace apps are NOT covered by the BAA. | Jotform |
| Intake form design | Conditional logic, branching, calculations, multi-page intake, custom CSS, e-signature, encrypted file upload. | Section branching only. No field-level logic, no calculations, no e-signature. UI is uniform Google Material. | Jotform |
| File upload (insurance card, ID, photos) | Encrypted upload covered by the HIPAA BAA. Standard intake feature. | Files go to Google Drive. Drive is HIPAA-eligible under Workspace BAA, but you must verify the destination Drive is in the BAA-covered tier and configure sharing carefully. | Jotform |
| E-signature and consent | Built-in e-signature field, legally binding, timestamp captured. Jotform Sign for full e-signature workflows. | Not built in. You collect a typed name and rely on intake-form-as-proof, which is weaker than a true e-signature. | Jotform |
| Email notifications with PHI | HIPAA-aware notifications - you can strip PHI, link back to authenticated Jotform views, control delivery. | Default notifications email submitted data to your inbox. Whether that email itself is HIPAA-compliant depends on your Workspace tier and the BAA scope. Default Forms notifications are a common audit failure. | Jotform |
| Cost | $39/month flat at HIPAA tier (Silver). Includes the BAA. | Workspace Business Plus is $18/user/month - so a 5-person practice pays $90/month minimum for the HIPAA-eligible tier. Plus the BAA must be requested and signed separately. | Jotform |
| Audit trail and access control | Submission logs, account audit logs (Enterprise), 2FA. Built for HIPAA access control. | Workspace audit logs are strong on the BAA-covered tiers, but Forms-level granular permissions are basic. | Jotform |
| Integrations on PHI | Native HIPAA-aware integrations. Each integration vendor's BAA is a known item we audit during setup. | Apps Script and Marketplace add-ons are NOT under the Workspace BAA by default. Connecting Forms to Slack, Mailchimp, or a non-Google CRM frequently breaks HIPAA without the team realizing. | Jotform |
| Setup complexity for HIPAA | Sign up for the HIPAA plan, sign the BAA, build the form. The platform enforces HIPAA-aware defaults. | Upgrade Workspace to a BAA-eligible tier, request and sign the BAA, lock down add-ons, audit every Apps Script, train staff on which Google services are in scope. Easy to do wrong. | Jotform |
Pick Jotform if...
- You collect any real PHI: medical history, insurance, treatment, mental health screening.
- Your form needs file upload, e-signature, conditional logic, or anything beyond simple Q&A.
- Your practice does not already run on Google Workspace Business Plus or Enterprise.
- You want a HIPAA setup you can hand to an auditor without explaining a dozen Google scope caveats.
- You want to take a payment, route a lead, or trigger a workflow from the form.
Pick Google Forms if...
- You already pay for Google Workspace Business Plus / Enterprise with a signed BAA.
- The form is genuinely simple: a one-page screening with no PHI beyond name + a few yes/no questions.
- The form is internal-only: the audience is your own staff (under your BAA) and PHI is incidental.
- You need free, and you genuinely understand and audit every BAA scope boundary.
What I tell people who ask me privately.
The single most common HIPAA mistake I see: a practice on free Gmail builds a Google Form for patient intake, gets a few hundred submissions in, then learns that without a Workspace BAA, none of it was HIPAA-compliant. The fix is not a Google upgrade - it is rebuilding the form on a tool designed for PHI.
The second most common mistake: a practice with a real Workspace BAA assumes it covers everything. It covers core Google services. The Apps Script you wrote to pipe responses to Slack is not in scope. The Mailchimp add-on you installed last quarter is not in scope. The third-party calendar plugin is not in scope.
If you have a Workspace Enterprise BAA and you are technical enough to audit every Marketplace add-on against the covered-services list every quarter - Google Forms can work. For everyone else, Jotform's HIPAA plan removes about 90% of the failure modes by being purpose-built.
Jotform vs Google Forms - common questions.
Is Google Forms HIPAA compliant?
Only if you use it inside a Google Workspace tier that includes the HIPAA BAA (Business Plus, Enterprise, or Education) AND you have actively requested and signed that BAA AND you stay inside the BAA's covered services. Free Gmail, Workspace Starter, and Workspace Business Standard do not support HIPAA. Even on covered tiers, add-ons and many integrations fall outside the BAA.
How do I get a Google Workspace BAA for Forms?
Sign in to the Google Admin console as an admin, go to Account → Account Settings → Legal and Compliance, find the BAA, and accept it. You must be on Business Plus, Enterprise, or Education. The BAA covers 'Google Workspace Core Services' which includes Forms, Drive, Gmail, Calendar, Meet, and Docs.
Are Google Forms file uploads HIPAA compliant?
They go to Google Drive. Drive is in the Workspace BAA on covered tiers, so the upload itself is HIPAA-eligible. But the destination Drive folder's sharing settings are your responsibility - default sharing-with-anyone-at-the-domain settings can leak PHI internally. Configure access carefully.
Can I use Apps Script with HIPAA Google Forms?
Cautiously. Apps Script as a Google service is in the BAA, but anywhere your script sends data outside Google Workspace (an HTTP webhook to a non-HIPAA tool, an email to a non-Workspace address, a third-party API) breaks HIPAA. Audit every script.
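One way to start the script audit described above, as an added example that is not part of the original page or any Google or Jotform tooling: a static pass over Apps Script source that reports outbound `UrlFetchApp` calls to hosts outside an allowlist and `MailApp`/`GmailApp` recipients outside your Workspace domain. The `auditAppsScript` function, the finding names, the allowlist entry and the sample script are all hypothetical; the allowlist must come from your own review of which vendors have signed a BAA.

```javascript
// Added example: static egress audit for Apps Script source text.
// Assumptions: workspaceDomain and allowedHosts come from your own BAA review;
// the check is line-based, so multi-line calls are reported for manual review.
function auditAppsScript(source, { workspaceDomain, allowedHosts = [] }) {
  const findings = [];
  const domain = workspaceDomain.toLowerCase();
  source.split("\n").forEach((line, i) => {
    const lineNo = i + 1;
    // Outbound HTTP: UrlFetchApp.fetch(url, params) / UrlFetchApp.fetchAll(requests)
    const http = line.match(/UrlFetchApp\.fetch(?:All)?\s*\(\s*(.*)/);
    if (http) {
      const lit = http[1].match(/^["'`]https?:\/\/([a-z0-9.-]+)/i);
      if (!lit) {
        // URL is a variable, property lookup or template: cannot be judged statically.
        findings.push({ lineNo, kind: "http-dynamic-url", detail: "review by hand" });
      } else if (!allowedHosts.includes(lit[1].toLowerCase())) {
        findings.push({ lineNo, kind: "http-external-host", detail: lit[1].toLowerCase() });
      }
    }
    // Outbound mail: MailApp.sendEmail(...) / GmailApp.sendEmail(...)
    const mail = line.match(/(?:MailApp|GmailApp)\.sendEmail\s*\(\s*(.*)/);
    if (mail) {
      const addrs = mail[1].match(/[\w.+-]+@[\w.-]+\.[a-z]{2,}/gi) || [];
      if (addrs.length === 0) {
        findings.push({ lineNo, kind: "mail-dynamic-recipient", detail: "review by hand" });
      }
      for (const addr of addrs) {
        if (addr.split("@")[1].toLowerCase() !== domain) {
          findings.push({ lineNo, kind: "mail-external-recipient", detail: addr });
        }
      }
    }
  });
  return findings;
}

// Constructed sample script (not from the page); all hosts and addresses are placeholders.
const SAMPLE_SCRIPT = [
  'function onFormSubmit(e) {',
  '  const row = e.values;',
  '  UrlFetchApp.fetch("https://hooks.chat.example/services/T000/B000", {method: "post", payload: JSON.stringify(row)});',
  '  UrlFetchApp.fetch(PropertiesService.getScriptProperties().getProperty("CRM_URL"));',
  '  MailApp.sendEmail("frontdesk@clinic.example", "New intake", row.join(", "));',
  '  MailApp.sendEmail("billing@outsourced.example", "New intake", row.join(", "));',
  '}',
].join("\n");

console.log(auditAppsScript(SAMPLE_SCRIPT, { workspaceDomain: "clinic.example", allowedHosts: ["ehr.clinic.example"] }));
```

A clean result only means no literal external destination was found on a single line; every "review by hand" finding still needs a person to trace where the value comes from.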
Is Jotform's HIPAA plan stronger than Google Forms under Workspace BAA?
Stronger by default, yes. Jotform's HIPAA plan is purpose-built for PHI - HIPAA-aware notifications, encrypted attachments, e-signature, conditional logic for medical intake. Google Forms is a general-purpose survey tool that happens to be HIPAA-eligible on enterprise Workspace plans. For practices that handle real PHI, Jotform's HIPAA plan removes most of the configuration risk.