HIPAA-Compliant No-Code Automation: Where It Works and Where It Doesn't
No-code automation tools like Zapier, Make, and n8n can supercharge healthcare workflows, or quietly violate HIPAA. Here is which tools offer BAAs, which do not, and how to build automation that does not leak PHI.
- Any tool that processes PHI in transit is a business associate under HIPAA and needs a BAA. Zapier's HIPAA plan ($300+/month) includes one. Make does not offer a BAA. n8n self-hosted can be compliant if you manage the infrastructure.
- The three most common silent violations: Zapier free tier routing PHI, Google Sheets without a Workspace BAA, and Slack notifications containing patient data.
- The decision framework: for each tool in the chain, ask four questions. Does it touch PHI? Does it have a BAA? Does it encrypt at rest and in transit? Can you audit access?
- When in doubt, keep PHI in the form builder and EHR. Use automation only for non-PHI routing: scheduling, notifications without data, and status updates.
No-code automation is how modern practices move data between their form builder, EHR, calendar, and communication tools without writing code. It is also how modern practices accidentally violate HIPAA. I spent five years inside Jotform, and I have reviewed enough healthcare automation workflows to know the pattern: the form is compliant, the EHR is compliant, the two Zapier steps between them are not.
This guide covers the three major no-code automation platforms and their HIPAA status, the specific violations I see most often, and a decision framework for evaluating each tool in your workflow chain.
The core principle: every tool that touches PHI needs a BAA
I will keep saying this because it keeps being the thing people misunderstand. Under HIPAA, a business associate is any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. The word 'transmits' is the important one. A tool that passes PHI from point A to point B without storing it is still a business associate.
This means your automation tool is a business associate even if it only routes data and never stores it. Zapier processes the data on its servers. Make processes the data on its servers. The fact that the data passes through in seconds does not matter. The processing happened.
Zapier and HIPAA
Zapier is the most widely used no-code automation tool in healthcare settings, mostly because it has the largest integration library. If your EHR has an API, there is probably a Zapier integration for it. If your form builder is Jotform, there is definitely a Zapier integration for it.
The HIPAA plan
Zapier offers a dedicated HIPAA plan. It costs $300 or more per month and includes a signed BAA. The plan also adds audit logging and restricts which Zapier integrations can be used with PHI (only those that have been verified for HIPAA compliance on Zapier's end).
If you use Zapier in a HIPAA context, you must be on this plan. The free tier, the Starter tier, the Professional tier: none of these include a BAA. If PHI flows through a non-HIPAA Zapier account, you have a violation.
What the HIPAA plan actually gives you
Beyond the BAA, the HIPAA plan restricts which apps can participate in Zaps that handle PHI. Not every Zapier integration is HIPAA-ready. If the app on the other end does not have its own BAA, Zapier's BAA does not cover the gap. You still need to verify each connected app.
The plan also provides audit logs that show which Zaps ran, what data they processed, and when. This is important for compliance documentation. Without it, you have no evidence that your automation is handling PHI correctly.
Make (formerly Integromat) and HIPAA
Make does not offer a BAA. As of this writing, there is no HIPAA-compliant plan, no signed BAA, no audit logging, and no restricted app ecosystem for healthcare. Make's official documentation does not mention HIPAA compliance at all.
This means you cannot use Make in any workflow that processes PHI. Not on a paid plan, not on a free plan, not with a workaround. If PHI flows through a Make scenario, you are in violation.
Make is a capable tool for non-healthcare automation. I have used it for e-commerce and marketing workflows where no PHI is involved. For healthcare, it is off limits until they offer a BAA.
n8n and HIPAA
n8n is different. It is open source and can be self-hosted. When you self-host n8n on your own infrastructure, the data never leaves your servers. n8n the software is not a business associate because n8n the company never touches your data. You are the business associate.
This is a viable path, but the compliance burden shifts to you. You must ensure that the server running n8n meets HIPAA requirements: encryption at rest and in transit, access controls, audit logging, patch management, and a documented security policy. If you have a cloud engineering team or a managed hosting provider with a BAA, this is workable. If you are a small practice without IT staff, self-hosting n8n is likely more than you can manage securely.
n8n also offers a cloud-hosted version. That version does not include a BAA, so it has the same limitation as Make for HIPAA workflows.
The three most common violations
These show up in my reviews so often that I can predict them before I look at the workflow.
1. Zapier free tier routing PHI
A practice sets up a Zap: new Jotform submission triggers a step that creates a patient record in their EHR. The Zapier account is on the free or Professional plan. No BAA. PHI (patient name, DOB, insurance ID) passes through Zapier's servers.
The fix: either upgrade to Zapier's HIPAA plan or replace Zapier with a direct integration. Jotform can send webhooks directly to your EHR's API. Jotform can also push data to Google Sheets (with a Workspace BAA) or to a custom backend that you control.
2. Google Sheets without a Workspace BAA
A practice routes Jotform submissions to a Google Sheet for tracking. The Sheet is on a free Gmail account. No BAA. Even if the Sheet is on a Workspace account, the BAA must specifically cover Google Sheets (it usually does under the Workspace BAA, but verify). The Sheet's sharing settings must be restricted. If 'Anyone with the link can view' is enabled, the BAA does not save you.
The fix: use a Workspace account, verify the BAA covers Sheets, restrict sharing to specific accounts, and review sharing settings regularly.
3. Slack notifications containing patient data
A Zapier automation posts to a Slack channel when a new patient intake arrives. The Slack message includes the patient's name, date of birth, and reason for visit. The Slack account is on the Business+ plan. Business+ does not include a BAA. Only Slack Enterprise Grid includes a BAA.
The fix: change the Slack notification to contain no PHI. 'New intake submitted, review in portal.' The team clicks through to Jotform or the EHR to see the details. Same alert, no violation.
The decision framework
For every tool in your automation chain, answer these four questions.
- Does this tool touch PHI? If no, you are done. No BAA needed. If yes, continue.
- Does this tool have a BAA? If yes, verify that the BAA covers the specific service and data type you are using. If no, you cannot use this tool for PHI. Find an alternative or remove it from the chain.
- Does this tool encrypt data at rest and in transit? Ask the vendor. Check their documentation. Do not assume.
- Can you audit who accessed the data and when? Audit logs are not strictly required by HIPAA's minimum necessary standard, but they are expected in practice. Without them, you are relying on trust instead of evidence.
If a tool fails any of these, you have three options: upgrade to a plan that includes a BAA, replace the tool with one that does, or remove PHI from the data that flows through the tool.
When to automate and when not to
Not every workflow needs automation. Not every automated workflow needs to touch PHI. The most secure automation is the one that does not process PHI at all.
Good candidates for non-PHI automation: appointment reminders (patient name plus appointment time is borderline, but appointment time alone is not PHI), scheduling confirmations, form status updates ('intake form completed'), task assignments to staff without including clinical data.
Workflows that inherently require PHI: syncing patient records between systems, routing insurance information, sending clinical screening results, creating patient records in an EHR. These can be automated, but every tool in the chain needs a BAA.
Building a compliant automation stack
Here is what a compliant automation setup looks like for a healthcare practice using Jotform.
- Jotform (HIPAA plan) collects the form data. All PHI stays in Jotform's encrypted, access-controlled environment.
- Jotform sends a webhook to your EHR's API. The webhook payload contains PHI, but it goes directly from Jotform to your EHR. No middleman. Both Jotform and the EHR have BAAs with you.
- Jotform sends a non-PHI notification to Slack or email: 'New intake received for [appointment date].' Staff log in to Jotform or the EHR to view details.
- For non-PHI workflows (scheduling, reminders, task routing), use Zapier without the HIPAA plan. Keep PHI out of those Zaps entirely.
- For PHI workflows that need automation, use Zapier's HIPAA plan or direct webhooks. Do not use Make. Do not use n8n cloud. Self-hosted n8n is an option if you can manage the infrastructure.
The principle is simple: PHI travels the shortest possible path between tools that have BAAs. Everything else stays in the form builder or the EHR. Automate the edges, protect the center.
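The non-PHI notification pattern from the third violation and from the Slack step of the stack above, as an added example that is not code from the article, Jotform, Zapier or Slack. It assumes notification templates use Python-style {field} placeholders and that the form field names are those of the constructed sample submission; the point is deny-by-default: a template is rejected unless every field it references is on an explicit allowlist.

```python
"""Build and audit notifications so they carry no PHI fields.

Added example, not part of the original article. Field names and the
{field} placeholder syntax are assumptions for illustration.
"""
from string import Formatter

# Deny by default: only these fields may appear in a chat or email alert.
# Free-text fields (reason for visit, notes) are excluded on purpose: they
# carry PHI even when no identifier field is present.
NOTIFY_ALLOWLIST = frozenset({"appointment_date", "form_name", "portal_url"})

# Constructed sample intake submission (not real data).
SAMPLE_SUBMISSION = {
    "form_name": "New patient intake",
    "patient_name": "J. Example",
    "date_of_birth": "1980-01-01",
    "insurance_id": "XYZ123",
    "reason_for_visit": "follow-up after knee surgery",
    "appointment_date": "2024-06-01",
    "portal_url": "https://portal.example.invalid/submissions/1",
}


def placeholders(template: str) -> set:
    """Return the field names referenced by a {field} template."""
    return {name for _, name, _, _ in Formatter().parse(template) if name}


def audit_template(template: str) -> set:
    """Fields the template would leak that are not on the allowlist.
    An empty set means the notification references no PHI fields."""
    return placeholders(template) - NOTIFY_ALLOWLIST


def render_notification(template: str, submission: dict) -> str:
    """Render a template, refusing any that references a non-allowlisted field.
    Only allowlisted values are passed to format(), so nothing else can leak."""
    leaked = audit_template(template)
    if leaked:
        raise ValueError(f"template references PHI fields: {sorted(leaked)}")
    safe = {k: v for k, v in submission.items() if k in NOTIFY_ALLOWLIST}
    return template.format(**safe)


# The violating message from the article's third example, and the fixed one.
BAD_TEMPLATE = "New intake: {patient_name}, DOB {date_of_birth}, {reason_for_visit}"
GOOD_TEMPLATE = "New intake received for {appointment_date}. Review in portal: {portal_url}"
```

Run `audit_template` over every existing Zap message template before migrating a Slack account; any non-empty result is a message that must be rewritten, not a template to patch field by field.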
Document the chain
I keep coming back to this because it keeps being the missing piece. Draw your automation workflow. Label each tool with: BAA status (yes/no), encryption (at rest, in transit, both), access controls, and audit logging. Highlight the tools that process PHI in red. Any red tool without a BAA is a gap that needs fixing.
This document is your compliance evidence. Update it every time you add, change, or remove an integration. It is not exciting work. It is necessary work.
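The four-question framework and the per-tool record described above, as an added example that is not from the article. The chain below is constructed to mirror the article's scenarios; the encryption and audit flags are illustrative placeholders, not statements about any vendor, and every PHI-handling tool is marked RED as the text asks, with its gaps and the three remediation options listed beside it.

```python
"""Evaluate an automation chain against the four questions and document it.

Added example, not part of the original article. SAMPLE_CHAIN values are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List

REMEDIATION = ("upgrade to a plan with a BAA", "replace the tool",
               "remove PHI from the data flowing through it")


@dataclass(frozen=True)
class Tool:
    name: str
    touches_phi: bool
    has_baa: bool              # signed BAA covering this specific service
    encrypts_at_rest: bool
    encrypts_in_transit: bool
    audit_logs: bool


def evaluate(tool: Tool) -> List[str]:
    """Gaps for one tool under the four questions; empty list means it passes."""
    if not tool.touches_phi:                 # Q1: no PHI, nothing more to check
        return []
    gaps = []
    if not tool.has_baa:                     # Q2
        gaps.append("no BAA")
    if not (tool.encrypts_at_rest and tool.encrypts_in_transit):   # Q3
        gaps.append("encryption not confirmed at rest and in transit")
    if not tool.audit_logs:                  # Q4
        gaps.append("no audit logging")
    return gaps


def document_chain(chain: List[Tool]) -> List[str]:
    """One labelled line per tool; PHI tools are RED, gaps are appended."""
    lines = []
    for t in chain:
        yn = lambda b: "yes" if b else "no"
        line = (f"[{'RED' if t.touches_phi else 'non-PHI'}] {t.name}: BAA={yn(t.has_baa)}, "
                f"at-rest={yn(t.encrypts_at_rest)}, in-transit={yn(t.encrypts_in_transit)}, "
                f"audit={yn(t.audit_logs)}")
        gaps = evaluate(t)
        if gaps:
            line += f" GAP: {'; '.join(gaps)}. Options: {' / '.join(REMEDIATION)}"
        lines.append(line)
    return lines


def gap_tools(chain: List[Tool]) -> List[str]:
    """Names of the tools that must be fixed before the chain may carry PHI."""
    return [t.name for t in chain if evaluate(t)]


# Constructed chain: form -> Zapier (no HIPAA plan) -> EHR, plus a Slack alert
# that contains patient data, and one scheduling Zap that carries no PHI.
SAMPLE_CHAIN = [
    Tool("Jotform (HIPAA plan)", True, True, True, True, True),
    Tool("Zapier (Professional plan)", True, False, True, True, False),
    Tool("EHR", True, True, True, True, True),
    Tool("Slack (Business+), message contains PHI", True, False, True, True, True),
    Tool("Zapier scheduling Zap (no PHI)", False, False, True, True, False),
]
```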
