HIPAA-compliant Jotform for therapy practices.
Solo therapists and group practices buy software on trust, not features. WorkflowKits sets up Jotform - the friendliest compliant form tool in the market - the way it should have been set up in the first place. BAA in place, intake that actually fits how you work, no PHI bleeding into Zapier or your email inbox.
Is Jotform HIPAA compliant for therapy practices?
Yes. Jotform is HIPAA-compliant on the Silver plan ($39/month) and up with a signed BAA, which makes it one of the most affordable HIPAA-grade form tools for solo and small group therapy practices. The BAA covers intake submissions, consent forms, file uploads, and PDF generation. Every other tool that touches a submission - your scheduling app, EHR, or Zapier flows - needs its own BAA. WorkflowKits sets the full loop up for you.
Source: WorkflowKits /hipaa/therapy - by Buri (Mustafa Burak Ilter), former Jotform engineer (2020-2025).
The kits, ready to install in your account.
Each kit deploys into your own Jotform HIPAA account. No middleware, no platform fees, no vendor lock-in. Pricing covers the build and a window of support.
Four things, all of them load-bearing.
The Jotform HIPAA plan covers the platform side. The other three pillars are on you - and they are where almost every audit finding comes from.
- BAA in place
- The signed Business Associate Agreement with Jotform - the legal foundation. Without it, you do not have HIPAA compliance no matter what features you turn on.
- Integrations audited
- Every downstream tool that touches a submission - Zapier, Google Sheets, your CRM, your email tool - has to be HIPAA-aware too. One non-compliant Zap leaks the whole setup.
- PHI out of notifications
- Default Jotform email notifications often include the submission body. On HIPAA workflows, those go in the email itself. We strip PHI from notifications and route reviewers back to authenticated Jotform views.
- Access locked down
- Individual accounts, 2FA, role-based permissions on Enterprise. Shared logins are the most common audit finding we see - they are also the easiest to fix.
The full HIPAA loop, not just a form.
- Therapist-specific intake (presenting concern, history, medication, prior providers)
- Sliding-scale fee disclosure and insurance routing without exposing PHI to billing tools
- Telehealth e-consent and platform compatibility check before the first session
- PHQ-9, GAD-7, and other validated screening assessments built into the intake
- No-show policy acknowledgement with timestamped e-signature
- EHR-ready export to SimplePractice, TherapyNotes, or your custom system
The notes that go deeper.
Questions, with straight answers.
Can a solo therapist afford the Jotform HIPAA plan?
Yes. The HIPAA plan starts at the Silver tier - $39/month at list price, often less with a partner discount. That is dramatically cheaper than full EHR platforms like SimplePractice or TherapyNotes if all you need is intake, consent, and a few forms. Many solo practices use Jotform for the form layer and a lightweight EHR for clinical notes.
Will this work alongside my EHR (SimplePractice, TherapyNotes, etc.)?
Yes. Jotform handles intake and consent at a friendlier UX and lower cost than EHR-native intake forms; the data exports to your EHR via CSV, JSON, or direct API where the EHR supports it. We design the integration so PHI never touches a non-compliant tool in transit.
Can the intake handle telehealth-specific questions?
Yes - identity verification, technology check, telehealth e-consent, platform preference, and screening (PHQ-9, GAD-7) are all native to the telehealth pre-visit kit. They run as conditional sections on the main intake or as a dedicated pre-session form.
What about group practices with multiple therapists?
We route by therapist, by location, or by service type. Each therapist gets their own intake link with the right consent and policy attached, while submissions land in a single back-office view your office manager can triage.
Is this HIPAA-safe for a real practice with real clients?
Yes - that is the whole point. The setup includes the signed BAA, audited integrations, PHI-stripped notifications, 2FA, and a decision log you can hand to an auditor. We do not ship a setup we would not run our own family's data through.
Ready when you are.
Free 20-minute call. Bring your current Jotform setup (or a blank account); leave with a straight answer about what compliance actually requires for your practice.