HIPAA-Compliant Telehealth Forms: What You Need Before the First Video Call
The 24 hours before a telehealth visit is where HIPAA compliance fails. Pre-visit intake, e-consent, identity verification, and the integrations that silently break compliance. From a former Jotform engineer.
- Pre-visit forms must be completed on a HIPAA-compliant form builder before the video call, not during it. The video platform is a separate BAA requirement.
- E-consent for telehealth must disclose video-specific risks: technology failure, emergency protocols, and the possibility that the provider may need an in-person follow-up.
- Screening tools like PHQ-9 and GAD-7 can be embedded in forms but the scoring logic must not expose results in unencrypted email or Slack notifications.
- Zapier free tier, Google Sheets without a Workspace BAA, and Slack without Enterprise Grid are the three most common silent compliance violations in telehealth form workflows.
Telehealth form compliance breaks before the video call starts. I have seen it happen repeatedly: a practice sets up Zoom, builds a Jotform intake, and assumes they are compliant. They are not. The video platform, the form builder, the automation tools, and the storage destinations each need their own compliance layer. Miss any one and the whole chain is compromised.
I spent five years inside Jotform. I built and reviewed healthcare form workflows for dozens of practices. The pattern is always the same: the form itself is fine, the integrations are not. This guide covers what you need before the first telehealth visit and where the quiet violations live.
The four forms you need before a telehealth visit
1. Pre-visit intake
This is the big one. The pre-visit intake collects patient demographics, insurance information, medical history, current medications, and the reason for the visit. It replaces the clipboard in the waiting room.
Structure it so PHI is clearly separated from administrative data. Demographics, insurance ID, medications and the reason for the visit are PHI. Appointment type and preferred time slot are not, as long as they are not tied to anything that identifies the patient. This separation matters when you route data downstream: you can send scheduling data to a calendar tool without a BAA only if the payload carries no name, email address, phone number or other identifier. Reference the submission by an opaque token instead, and keep the insurance and clinical data in a compliant system.
Use conditional logic to keep the form short. If the patient is returning, skip the full medical history section and ask only what changed since the last visit. If the patient is new, show the complete intake. Jotform's show/hide conditions handle this cleanly.
2. E-consent for telehealth
Telehealth consent is not the same as general treatment consent. A proper telehealth e-consent form must disclose at least these elements.
- The visit will be conducted via video. The patient has the right to request an in-person visit instead.
- Technology can fail. If the video connection drops, the provider will call the patient by phone. If the provider cannot reach the patient, the visit will be rescheduled.
- Emergency protocol: if the patient is in crisis during the visit, the provider will call 911 and direct responders to the patient's location. The patient must confirm their current physical address at the start of every telehealth visit, because it cannot be assumed to match the address on file.
- The same privacy protections apply as in an in-person visit, with the additional note that the provider cannot control the patient's physical environment. The patient should be in a private space.
- The provider may determine that telehealth is not appropriate for this condition and require an in-person follow-up.
This consent needs an e-signature. Jotform's HIPAA plan includes an e-signature widget. Google Forms does not have e-signature at all, which is one of the reasons I do not recommend it for telehealth consent. Typeform requires a third-party integration for signatures.
3. Technology check
A short form or embedded check that verifies the patient's browser supports the video platform, their camera and microphone work, and their internet connection is stable enough for video. This is not a compliance requirement but it prevents the most common telehealth failure mode: five minutes of 'can you hear me?' at the start of a session.
Build this as a simple checklist in the form. Camera works (yes/no). Microphone works (yes/no). Browser is up to date (yes/no). If any answer is no, route the patient to a troubleshooting page or a phone visit option.
4. Screening tools
Mental health practices commonly use PHQ-9 (depression), GAD-7 (anxiety), and AUDIT-C (alcohol use) as pre-visit screeners. These scores are PHI. The form builder must handle them under the same HIPAA controls as any other clinical data.
Jotform's Form Calculation widget can score these automatically. Set up the calculation, then use conditional logic to flag scores at or above the clinical threshold; for the PHQ-9, also flag any non-zero answer to item 9 (thoughts of self-harm) regardless of the total. The flag can trigger a notification to the provider, but keep the score and the severity band out of the email subject and body: just 'Screening score above threshold, review before visit'. The calculated score is PHI like the raw answers, so it belongs in the submission record only, never in a patient autoresponder.
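The scoring and flagging step above, as an added example in Python; this is not Jotform's code or the widget's logic, it is the same calculation written out so the rules are visible. The severity bands are the published cut points for each instrument. The review threshold of 10, the rule that any non-zero PHQ-9 item 9 flags on its own, the opaque submission reference and the notification wording are assumptions a practice would set for itself.

```python
"""Added example (not Jotform's code): score PHQ-9 / GAD-7 answers and raise a
provider flag whose text carries no score or severity band.
Assumptions: review threshold 10, PHQ-9 item 9 flags on its own, and the
notification references the submission by an opaque token."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Published severity bands as (minimum total, label).
INSTRUMENTS = {
    "PHQ-9": {
        "items": 9,
        "bands": [(0, "minimal"), (5, "mild"), (10, "moderate"),
                  (15, "moderately severe"), (20, "severe")],
    },
    "GAD-7": {
        "items": 7,
        "bands": [(0, "minimal"), (5, "mild"), (10, "moderate"), (15, "severe")],
    },
}
REVIEW_THRESHOLD = 10      # assumed practice setting
PHQ9_SELF_HARM_ITEM = 8    # zero-based index of PHQ-9 item 9


@dataclass(frozen=True)
class ScreeningResult:
    instrument: str
    total: int
    severity: str
    needs_review: bool


def score_screening(instrument: str, answers: list) -> ScreeningResult:
    """Sum the 0-3 item answers, map the total to a band and decide whether
    the provider should review before the visit.  Bad input raises rather
    than producing a silently wrong score."""
    spec = INSTRUMENTS[instrument]
    if len(answers) != spec["items"]:
        raise ValueError(f"{instrument} needs {spec['items']} answers, got {len(answers)}")
    if any(not isinstance(a, int) or a < 0 or a > 3 for a in answers):
        raise ValueError("each answer must be an integer 0-3")
    total = sum(answers)
    severity = next(label for floor, label in reversed(spec["bands"]) if total >= floor)
    needs_review = total >= REVIEW_THRESHOLD
    if instrument == "PHQ-9" and answers[PHQ9_SELF_HARM_ITEM] > 0:
        needs_review = True   # assumed rule: self-harm item flags regardless of total
    return ScreeningResult(instrument, total, severity, needs_review)


def provider_notification(submission_ref: str, result: ScreeningResult) -> Optional[str]:
    """Text for the email or chat alert.  It names the instrument and an
    opaque submission reference only; score and band stay in the portal."""
    if not result.needs_review:
        return None
    return (f"{result.instrument} screening flagged for review before the visit "
            f"(submission {submission_ref}). Open the portal for details.")


def leaks_result(text: str, result: ScreeningResult) -> bool:
    """Guard to run on any outbound message: does it contain the score or band?
    The instrument name legitimately carries a digit, so it is scrubbed first."""
    scrubbed = text.replace(result.instrument, "")
    return (re.search(rf"\b{result.total}\b", scrubbed) is not None
            or result.severity in scrubbed.lower())


if __name__ == "__main__":
    # Constructed answers: a PHQ-9 totalling 10 (moderate).
    r = score_screening("PHQ-9", [1, 1, 2, 2, 1, 1, 1, 1, 0])
    msg = provider_notification("f3c9", r)
    print(msg, "| leaks:", leaks_result(msg, r))
```

Run `leaks_result` on every notification template before it ships; it is cheap, and it catches the common mistake of interpolating the calculation field into the subject line.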
The video platform needs its own BAA
This is the piece most practices overlook. The form builder has a BAA. The EHR has a BAA. The video platform is just a video call, right? It is not. If the provider discusses PHI during the video call (which is the entire point), the video platform is a business associate.
Zoom for Healthcare includes a BAA. Doxy.me includes a BAA on its paid plans. Google Meet is covered under the Google Workspace BAA once an administrator has accepted it in the Admin console. Apple does not offer a BAA for FaceTime, so it is not HIPAA compliant. WhatsApp is not HIPAA compliant. A plain Zoom Pro account without the Healthcare add-on is not compliant.
Verify the BAA before you schedule the first visit. Vendors move BAAs between plan tiers, so confirm against the vendor's current terms rather than a list like this one, and keep the signed copy with your compliance records. If your provider is using a personal Zoom account, that is a problem: a personal account has no BAA and sits outside your organization's admin controls.
Integrations that break compliance silently
The form is compliant. The video platform is compliant. The EHR is compliant. The integrations between them are where it all falls apart. Here are the three violations I see most often.
Zapier free tier routing PHI
A practice connects Jotform to their EHR via Zapier. The Zap triggers on new form submissions and creates a patient record. The Zapier account is on the free tier. No BAA. PHI passes through Zapier's servers during processing and a copy is kept in the Zap's task history. Even transient processing would make Zapier a business associate under HIPAA (the conduit exception covers only carriers such as ISPs and couriers that do not access the content); the retained task history removes any doubt.
Zapier offers a BAA only on its higher-priced plans; check its current pricing. If you cannot justify that cost, use a direct integration or a webhook from Jotform to your EHR's API instead of routing through Zapier. The endpoint that receives that webhook then becomes part of the chain: host it on infrastructure covered by a BAA (the major cloud providers offer one), authenticate the sender so that anyone who discovers the URL cannot inject or replay submissions, and log who accessed it.
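The receiving end of a direct form-to-EHR webhook, as an added example in Python; this is not Jotform's code or any EHR's API client. It assumes the sender signs each POST with HMAC-SHA256 over "<unix timestamp>.<raw body>" using a shared secret and carries the timestamp and hex signature in two headers (X-Timestamp and X-Signature, names chosen for the example). Whether your form builder offers signed webhooks is something to confirm in its documentation; if it does not, put a small signing proxy you control in front of the endpoint. The secret and the sample submission are constructed.

```python
"""Added example (not Jotform's or an EHR vendor's code): authenticate a
form-builder webhook before turning it into an EHR record.
Assumptions: sender signs "<timestamp>.<body>" with HMAC-SHA256 using a
shared secret; headers X-Timestamp / X-Signature; five-minute replay window."""
from __future__ import annotations
import hashlib
import hmac
import json
import time
from typing import Optional

MAX_SKEW_SECONDS = 300          # assumed freshness window for replay protection
REQUIRED = ("submission_id", "name", "dob", "insurance_id")


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the sender is assumed to compute over the timestamp and raw body."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, ts_header: Optional[str], sig_header: str,
                   body: bytes, now: Optional[int] = None) -> bool:
    """Constant-time signature check plus a freshness window.
    Any malformed header fails closed."""
    try:
        ts = int(ts_header)
    except (TypeError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    try:
        return hmac.compare_digest(sign(secret, ts, body), sig_header)
    except TypeError:          # non-ASCII header value
        return False


def parse_submission(body: bytes) -> dict:
    """Decode the JSON body and keep only the fields the EHR record needs.
    A missing field raises so a malformed post never creates a half-filled record."""
    data = json.loads(body)
    missing = [k for k in REQUIRED if k not in data]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return {k: data[k] for k in REQUIRED}


def handle_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[int] = None) -> Optional[dict]:
    """Return the record to push to the EHR, or None when the request is not
    authentic.  The EHR API call itself is outside this example."""
    if not verify_webhook(secret, headers.get("X-Timestamp"),
                          headers.get("X-Signature", ""), body, now):
        return None
    return parse_submission(body)


if __name__ == "__main__":
    # Constructed request: what a signed POST from the form builder would look like.
    secret = b"constructed-shared-secret"
    body = json.dumps({"submission_id": "s-001", "name": "Ada Example",
                       "dob": "1980-04-12", "insurance_id": "INS-4471"}).encode()
    ts = int(time.time())
    headers = {"X-Timestamp": str(ts), "X-Signature": sign(secret, ts, body)}
    print(handle_webhook(secret, headers, body))
```

The HMAC only proves the POST came from whoever holds the secret; transport still has to be TLS, the host still has to be under a BAA, and the secret belongs in a secrets manager, not in the code.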
Google Sheets without a Workspace BAA
A common setup: Jotform submissions flow into a Google Sheet for tracking. The Sheet is on a free Gmail account. No BAA, and there never will be one on a personal account. Sheets is one of the core Workspace services Google's BAA covers, but the BAA only takes effect once an administrator has accepted it in the Admin console and only on a paid Workspace edition. Confirm both before you send a single submission there.
Also check the Sheet's sharing settings. 'Anyone with the link' makes the sheet readable by anyone who obtains the URL, and URLs leak into browser history, chat logs and forwarded email, so that setting is an impermissible disclosure regardless of the BAA. Restrict sharing to named accounts and review who has access periodically.
Slack notifications containing patient data
A Zapier automation posts 'New patient intake: [Name], [DOB], [Insurance ID]' to a Slack channel. Unless Slack is on a plan that includes a signed BAA, this is a violation. At the time of writing that means Enterprise Grid; Slack's Business+ plan does not include a BAA. Plan eligibility changes, so confirm against Slack's current documentation. Even with a BAA in place, a channel message is the wrong place for a DOB and insurance ID: it is searchable, retained and visible to everyone in the channel.
The fix is simple: post a non-PHI notification ('New intake received, review in portal') instead of the patient data, and reference the submission by an opaque token rather than a name. The team clicks through to the secure Jotform portal or EHR to see the details.
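The PHI split described in the pre-visit intake section and the PHI-free notification described here, as one added example in Python; this is not Jotform's, Zapier's or Slack's code. It classifies intake fields, sends only scheduling data (plus an opaque token) to the calendar tool, builds the staff message and the pre-visit link from the token alone, and runs a guard over every outbound string so a PHI value cannot leave by accident. The field names, the classification and the sample submission are constructed for the example; your own data map governs which fields count as PHI.

```python
"""Added example (not Jotform's, Zapier's or Slack's code): route one intake
submission so that PHI stays in the compliant system, the calendar tool
gets only scheduling data, and alerts and links carry an opaque token.
The field classification and sample submission are constructed."""
from __future__ import annotations
import json
import secrets

# Classification of the intake fields.  Anything not listed as administrative
# is treated as PHI (fail closed), so a field added to the form later cannot
# leak into a non-BAA tool by default.
PHI_FIELDS = {"name", "dob", "email", "phone", "insurance_id",
              "medications", "history", "reason_for_visit"}
ADMIN_FIELDS = {"appointment_type", "preferred_slot", "is_returning"}


def new_submission_ref() -> str:
    """Opaque, unguessable reference used in links, calendars and alerts."""
    return secrets.token_urlsafe(16)


def split_submission(submission: dict) -> tuple:
    """Return (phi, admin).  Unknown keys land in phi, never in admin."""
    phi, admin = {}, {}
    for key, value in submission.items():
        (admin if key in ADMIN_FIELDS else phi)[key] = value
    return phi, admin


def calendar_payload(ref: str, admin: dict) -> dict:
    """Event for a calendar tool without a BAA: no name, no contact details."""
    return {"ref": ref, "type": admin["appointment_type"], "slot": admin["preferred_slot"]}


def staff_notification(ref: str) -> str:
    """Chat or email alert: the reference only, details live in the portal."""
    return f"New intake received (ref {ref}). Review in the portal."


def pre_visit_link(base_url: str, ref: str) -> str:
    """Only the opaque ref goes in the URL; URLs land in mail and web logs."""
    return f"{base_url}/pre-visit?ref={ref}"


def contains_phi(text: str, phi: dict) -> bool:
    """Guard for outbound strings: true if any PHI value appears in them."""
    lowered = text.lower()
    return any(str(v).lower() in lowered for v in phi.values() if str(v).strip())


def payload_is_clean(payload: dict, phi: dict) -> bool:
    """Same guard applied to a structured payload before it is sent."""
    return not contains_phi(json.dumps(payload), phi)


def route_submission(submission: dict, base_url: str) -> dict:
    """Produce every downstream artifact and refuse to emit any that carries PHI."""
    ref = new_submission_ref()
    phi, admin = split_submission(submission)
    calendar = calendar_payload(ref, admin)
    message = staff_notification(ref)
    link = pre_visit_link(base_url, ref)
    for name, text in (("calendar", json.dumps(calendar)), ("message", message), ("link", link)):
        if contains_phi(text, phi):
            raise RuntimeError(f"{name} would leak PHI; refusing to send")
    return {"ref": ref, "phi": phi, "calendar": calendar, "staff_message": message, "link": link}


if __name__ == "__main__":
    # Constructed submission, including a field the form gained after the data map was written.
    sample = {"name": "Ada Example", "dob": "1980-04-12", "email": "ada@example.invalid",
              "phone": "555-0100", "insurance_id": "INS-4471", "medications": "metformin",
              "reason_for_visit": "knee pain after running", "appointment_type": "video visit",
              "preferred_slot": "2025-06-03T10:00", "is_returning": True, "new_field": "secret"}
    out = route_submission(sample, "https://forms.example.invalid")
    print(out["staff_message"]); print(out["calendar"]); print(out["link"])
```

The guard is a substring match on the PHI values, which is deliberately blunt: a false positive costs you a blocked message, a false negative costs you a breach notification.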
Identity verification before the visit
Telehealth introduces a verification problem that in-person visits do not have: how do you know the person on the video is the patient? Many state telehealth rules require the provider to verify the patient's identity (and record their physical location) at the first telehealth visit; check the requirements for every state you treat patients in.
The simplest approach: require a photo ID upload as part of the pre-visit intake. Jotform's file upload widget sends the file to Jotform's servers, which are encrypted under the HIPAA plan. The provider reviews the ID at the start of the video visit and compares it to the patient's face.
Do not ask for ID photos via email or text message. SMS is unencrypted in transit and stored on carrier systems; ordinary email is not end-to-end encrypted and leaves copies in mailboxes and on mail servers outside your BAA. An ID photo sent to a healthcare provider is identifying information tied to health data, so either channel is an impermissible disclosure.
The pre-visit workflow, end to end
Here is the complete flow from a compliance perspective.
- Patient receives a link to the pre-visit form via the patient portal or a secure message. Put no PHI in the URL: query parameters land in mail server logs, browser history, Referer headers and the form builder's access logs. Use an opaque random token that the form builder maps to the patient.
- Patient completes intake, e-consent, tech check, and screening tools on a HIPAA-compliant form builder (Jotform with HIPAA plan enabled).
- Submissions are stored in the form builder's encrypted, access-controlled environment. Notifications alert staff without including PHI in the message body.
- Provider reviews the intake in the secure portal before the visit. Screening scores are visible in the portal.
- Patient joins the video visit on a platform with a BAA (Zoom for Healthcare, Doxy.me, Google Meet on Workspace).
- Provider verifies identity against the uploaded photo ID.
- After the visit, any new clinical notes go into the EHR. The form builder retains the intake data per your retention policy.
- If automation is used to move data from the form to the EHR, every tool in the chain has a BAA.
Document everything
If you are audited, you will need to show that you took reasonable steps to protect PHI. This means having documentation for: every BAA you signed, every integration in your workflow and its compliance status, your access control policies, your breach notification procedures, and your retention and deletion policies for form data.
I keep saying this because it keeps being the thing people skip. The technical setup is not that complicated. The documentation discipline is what separates a compliant practice from one that just looks compliant.
