HIPAA-compliant Jotform for wellness practices that handle PHI.
Chiropractors, massage therapists, and PTs collect protected health information the same way doctors do - even if the rest of the practice feels less clinical. The standards are the same. WorkflowKits sets up Jotform with the BAA in place, the consent forms tightened, and the intake fitted to how a body-work practice actually runs.
Do chiropractors, massage therapists, and PTs need HIPAA?
If you collect health history, treatment plans, or insurance information that ties to identity, you handle protected health information and HIPAA applies. Most wellness practices that bill insurance, write SOAP notes, or share records with referring providers are covered entities. The Jotform HIPAA plan ($39/month and up with a signed BAA) is the right tool; WorkflowKits builds the compliant intake, consent, and treatment-tracking forms on top.
Source: WorkflowKits /hipaa/wellness - by Buri (Mustafa Burak Ilter), former Jotform engineer (2020-2025).
The kits, ready to install in your account.
Each kit deploys into your own Jotform HIPAA account. No middleware, no platform fees, no vendor lock-in. Pricing covers the build and a window of support.
Four things, all of them load-bearing.
The Jotform HIPAA plan covers the platform side. The other three pillars are on you - and they are where almost every audit finding comes from.
- BAA in place: The signed Business Associate Agreement with Jotform - the legal foundation. Without it, you do not have HIPAA compliance no matter what features you turn on.
- Integrations audited: Every downstream tool that touches a submission - Zapier, Google Sheets, your CRM, your email tool - has to be HIPAA-aware too. One non-compliant Zap leaks the whole setup.
- PHI out of notifications: Default Jotform email notifications often include the submission body. On HIPAA workflows, that puts PHI in the email itself. We strip PHI from notifications and route reviewers back to authenticated Jotform views.
- Access locked down: Individual accounts, 2FA, role-based permissions on Enterprise. Shared logins are the most common audit finding we see - they are also the easiest to fix.
The full HIPAA loop, not just a form.
- Health history with branching by chief complaint and condition
- Treatment consent with timestamped e-signature (manual therapy, dry needling, photo)
- Insurance card capture and verification routing for in-network practices
- SOAP note intake from the patient before each session
- Reminders, rebooking flows, and follow-up surveys without PHI in the body
- Decision log you can hand to a HIPAA auditor or business associate
Questions, with straight answers.
Do chiropractors and massage therapists actually need HIPAA?
If you bill insurance, write clinical notes, or share records with other providers, yes. Cash-pay-only single-modality practices that never write notes might be in a gray area, but the safe answer is to operate as if HIPAA applies. The cost difference between a HIPAA Jotform plan and a non-HIPAA one is small, and the audit difference is enormous.
Can the consent form handle photo and video release for treatment progress shots?
Yes - photo and video release is a standard conditional block in the wellness consent kit. It captures explicit, separate consent (not bundled into the general intake consent) and stores the signature with timestamp.
How does this work for a multi-modality practice (chiro + massage + acupuncture)?
We split the intake into a shared core (identity, history, insurance, consent) plus modality-specific branches that fire based on the service the patient booked. The patient fills out one form; the office sees the modality-specific answers in one place.
What about practices that do not bill insurance?
Same answer on HIPAA, lighter integration footprint. Cash-pay practices skip the insurance verification kit but still need the intake, consent, and PHI-safe notification setup. The Jotform HIPAA plan is still the right plan.
Will this work with my scheduling tool?
Most scheduling tools have webhook or Zapier integrations. We audit the scheduling tool's HIPAA posture (Jane App, Mindbody, Acuity all have HIPAA tiers; some require enterprise). If it cannot be made compliant, we recommend a swap as part of the engagement.
Ready when you are.
Free 20-minute call. Bring your current Jotform setup (or a blank account); leave with a straight answer about what compliance actually requires for your practice.