HIPAA-compliant Jotform, set up by an ex-Jotform engineer.
If your forms collect protected health information, the Jotform HIPAA plan is the right starting point - and not the finish line. WorkflowKits ships the whole compliant loop: BAA, form, notifications, integrations, access control. Same engineer who worked on the HIPAA plan from inside Jotform, now on your side.
Is Jotform HIPAA compliant?
Yes - Jotform is HIPAA-compliant on the Silver plan ($39/month) and up, with a signed Business Associate Agreement (BAA). Submission data, file uploads, and account access all fall under the BAA. The HIPAA plan is a real product, not a marketing badge - but the plan alone doesn't make your workflow compliant. Your integrations, email notifications, and exports also have to be HIPAA-aware. WorkflowKits sets that whole loop up for you.
Source: WorkflowKits /hipaa - by Buri (Mustafa Burak Ilter), former Jotform engineer (2020-2025).
The kits, ready to install in your account.
Each kit deploys into your own Jotform HIPAA account. No middleware, no platform fees, no vendor lock-in. Pricing covers the build and a window of support.
Four things, all of them load-bearing.
The Jotform HIPAA plan covers the platform side. The other three pillars are on you - and they are where almost every audit finding comes from.
- BAA in place: The signed Business Associate Agreement with Jotform - the legal foundation. Without it, you do not have HIPAA compliance no matter what features you turn on.
- Integrations audited: Every downstream tool that touches a submission - Zapier, Google Sheets, your CRM, your email tool - has to be HIPAA-aware too. One non-compliant Zap leaks the whole setup.
- PHI out of notifications: Default Jotform email notifications often include the submission body. On HIPAA workflows, that puts PHI in the email itself. We strip PHI from notifications and route reviewers back to authenticated Jotform views.
- Access locked down: Individual accounts, 2FA, role-based permissions on Enterprise. Shared logins are the most common audit finding we see - they are also the easiest to fix.
The full HIPAA loop, not just a form.
- Sign the BAA correctly and document the chain (Jotform + every integration vendor)
- Audit every integration on the form for HIPAA fit, then keep, replace, or remove
- Rewrite email and Slack notifications to keep PHI off general infrastructure
- Build the intake itself - branching by condition, insurance capture, consent, e-signature
- Lock down account access (2FA, role-based permissions, audit logs on Enterprise)
- Run a pre-launch compliance review and produce the decision log an audit will ask for
The notes that go deeper.
Questions, with straight answers.
Is Jotform HIPAA compliant?
Yes - on the Silver plan ($39/month) and up, with a signed BAA from Jotform. The BAA covers Jotform's storage, encryption, account handling, and PDF generation. It does not cover what your downstream tools do with the data, so your integrations and notifications need their own audit.
Do I need the Jotform HIPAA plan, or can I use a regular plan with care?
If you collect protected health information, you need the dedicated HIPAA plan with a signed BAA. There is no compliant way to handle PHI on Starter, Bronze, or non-HIPAA Silver/Gold accounts - the BAA is the legal instrument that lets Jotform act as your business associate, and it only attaches to the HIPAA-tier accounts.
What about Zapier, Google Sheets, or Slack?
Most general-purpose integrations break HIPAA the moment a submission with PHI touches them, unless you have a separate BAA with that vendor. Zapier offers a HIPAA plan; Google Sheets is only compliant via a Google Workspace BAA; Slack is only compliant on Enterprise Grid. The integration audit is part of every WorkflowKits HIPAA setup.
What does a typical HIPAA setup look like?
A clean HIPAA Jotform setup has: the HIPAA-tier account, a signed BAA on file, every integration audited (and either confirmed compliant or removed), email notifications stripped of PHI, 2FA on every account that can read submissions, and a documented decision log. WorkflowKits delivers this end-to-end in a 2-week engagement for most practices.
Why hire a former Jotform engineer for HIPAA work?
Buri spent 2020-2025 inside Jotform as an engineer and product team lead. The HIPAA plan, the BAA flow, the integration architecture, the email infrastructure - those were the codepaths he worked on. Most generalist consultants Google their way through HIPAA Jotform setups; this one shipped them.
Ready when you are.
Free 20-minute call. Bring your current Jotform setup (or a blank account); leave with a straight answer about what compliance actually requires for your practice.