The 12-Item HIPAA Jotform Workflow Checklist (Pre-Launch)
Twelve items to check before any Jotform form that handles PHI goes live; the short version is below and the full list follows. If any of these are unchecked, the workflow is not ready. Save the page or copy the list into your decision log.
- BAA signed with Jotform, countersigned copy on file.
- Every integration on the form has its own BAA with that vendor.
- Email notifications stripped of PHI; reviewers click through to Jotform to view records.
- 2FA on every account that can read submissions.
- Submission storage retention configured to your practice's policy.
- A test submission walked through every hop in the data path before any real patient touches it.
Every HIPAA Jotform engagement I run ends with this checklist: twelve items, run in order, before the form is exposed to a single real patient. Miss any of them and there is a hole in the compliance chain.
If you are searching for a Jotform HIPAA expert checklist or a 'jot forms hipaa' pre-launch list, copy this one. It is the same one I use when I deliver a Done-For-You build.
1. The BAA is signed and on file
Account is on the Jotform HIPAA plan. BAA is signed by you, countersigned by Jotform, and the executed PDF is saved in a compliance folder you control. Date noted in the decision log. (If you are unsure of any of this, see the BAA walkthrough on this site.)
2. Every integration on the form has a BAA
Open the form, list every integration (webhook, Zap, Google Sheet, Slack notification, CRM connector, payment processor). For each one: confirm a signed BAA exists with that vendor or remove the integration. No 'we will figure it out later' allowed.
3. Email notifications contain no PHI
Open every email notification configured on the form. Replace any PHI placeholder ({Medical Conditions}, {Diagnosis}, etc.) with a link back to Jotform where the full record can be viewed under authentication. Identifying placeholders like {First Name} are fine; clinical detail is not.
4. 2FA enabled on every reader account
Account Settings → Security → 2FA, on for every Jotform login that can view submissions. Shared logins must be replaced with individual accounts. This is the single most common audit finding I see and the easiest to fix.
5. Form-level access restricted
Form Builder → Settings → Form Permissions. Restrict to specific named accounts. Default 'anyone with the link' access does not survive an audit when PHI is involved.
6. Submission storage retention set
HIPAA Compliance → Data Retention. Set to your practice's policy (medical records typically 6-7 years, varies by state and specialty). Document the policy alongside the setting.
7. Encrypted transport verified
Confirm the form loads under HTTPS (it will by default on Jotform but verify the embed code on your site does not downgrade to HTTP). Confirm any webhook destination is HTTPS. Reject any HTTP endpoint.
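Items 3 and 7 are the two checks that can be scripted against a written-down description of the form before launch. The following is an added example, not Jotform's code and not part of this checklist: it takes a hand-transcribed form description (notification bodies, integration URLs, embed snippet), flags clinical placeholders in email templates, and rejects any integration or embed source that is not explicitly HTTPS. The field labels, host names, FORM_ID_PLACEHOLDER and the shape of the config dict are all assumptions for the example; only the {Field Label} placeholder syntax comes from the page.

```python
import re
from urllib.parse import urlparse

# Constructed example, not Jotform's code. The field labels are assumptions:
# a practice substitutes the actual field labels used on its own form.
CLINICAL_FIELDS = {"Medical Conditions", "Diagnosis", "Medications", "Allergies"}
IDENTIFYING_FIELDS = {"First Name", "Last Name", "Submission ID"}

# Notification templates reference fields as {Field Label} (as in the
# checklist's {Medical Conditions} example); this matches one placeholder.
PLACEHOLDER_RE = re.compile(r"\{([^{}]+)\}")
# src="..." attributes inside an embed snippet (iframe or script tag).
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def classify_placeholders(template):
    """Split a notification body's placeholders into clinical fields that must
    be removed (item 3) and unknown fields that need a human decision.
    Identifying placeholders are allowed and are not reported."""
    blocked, review = [], []
    for raw in PLACEHOLDER_RE.findall(template):
        name = raw.strip()
        if name in CLINICAL_FIELDS:
            target = blocked
        elif name in IDENTIFYING_FIELDS:
            continue
        else:
            target = review
        if name not in target:
            target.append(name)
    return {"blocked": blocked, "review": review}


def insecure_urls(urls):
    """Return every URL that is not explicitly https (item 7). A scheme-relative
    '//host/path' counts as insecure: it inherits http if the host page is http."""
    return [u for u in urls if urlparse(u).scheme.lower() != "https"]


def embed_sources(html):
    """Extract the src URLs an embed snippet will load."""
    return SRC_RE.findall(html)


def audit_form(config):
    """Run the item-3 and item-7 checks over a form description; return findings."""
    findings = []
    for note in config.get("notifications", []):
        result = classify_placeholders(note["body"])
        if result["blocked"] or result["review"]:
            findings.append({"item": 3, "where": note["name"], **result})
    webhook_urls = [i["url"] for i in config.get("integrations", []) if i.get("url")]
    for url in insecure_urls(webhook_urls):
        findings.append({"item": 7, "where": "integration", "url": url})
    for url in insecure_urls(embed_sources(config.get("embed_html", ""))):
        findings.append({"item": 7, "where": "embed", "url": url})
    return findings


def ready_for_launch(config):
    """True only when neither check produced a finding."""
    return not audit_form(config)


# Constructed form description, transcribed by hand from the form's settings
# pages; host names and FORM_ID_PLACEHOLDER are made-up values.
FORM_CONFIG = {
    "notifications": [
        {"name": "Staff alert",
         "body": "New intake from {First Name} {Last Name}. Conditions: {Medical Conditions}"},
        {"name": "Staff alert (safe)",
         "body": "New intake from {First Name}. Open the record in Jotform: https://www.jotform.com/"},
    ],
    "integrations": [
        {"type": "webhook", "url": "http://crm.example.internal/hook"},
        {"type": "webhook", "url": "https://hooks.example.com/intake"},
    ],
    "embed_html": '<iframe src="//form.jotform.com/FORM_ID_PLACEHOLDER"></iframe>',
}

if __name__ == "__main__":
    for finding in audit_form(FORM_CONFIG):
        print(finding)
    print("ready for launch:", ready_for_launch(FORM_CONFIG))
```

Run against the constructed config it reports three findings: the clinical placeholder in the first notification, the plain-HTTP webhook, and the scheme-relative embed source. Unknown placeholders go to a "review" bucket rather than being silently allowed, so a new field added to the form after the audit is noticed instead of leaking into email.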
8. Test submission walked end-to-end
Submit a test entry with synthetic PHI ('John Doe / DOB 1900-01-01 / Diagnosis: TEST'). Walk every hop: the submission lands in Jotform, the email notification fires, each integration triggers, the downstream tool receives the data, a reviewer can open the record, and exports work. Confirm no PHI appears in any non-compliant location along the way.
9. Patient-facing language reviewed
The form's privacy notice, consent text, and any disclosures are reviewed by someone with practice-management authority or legal awareness. The notice should disclose the BAA chain, the retention policy, and patients' rights to access and delete their data.
10. Access logs reviewed and scheduled
If on Enterprise, confirm activity logs are recording. Schedule a quarterly review (date in the decision log). On standard HIPAA plans, rely on Jotform's built-in activity timeline and document the review cadence.
11. Backup and breach plan documented
Document where backups live (Jotform's automated backups + any local CSV exports), who has access, and the breach notification procedure. The BAA obligates Jotform to notify you of breaches on their side; your obligation is to notify patients within HIPAA's 60-day window.
12. Decision log is current
Single document, dated entries, covering: BAA signed (date + PDF link), integration BAAs (each with date + PDF link), authorized accounts list, access log review schedule, integration audit verdicts, retention policy. This is the artifact an auditor wants.
If you want help running this
The free HIPAA workflow risk assessment runs a lighter 8-question version of this in 90 seconds. The Done-For-You HIPAA engagement runs the full 12-item version against your account and hands you the decision log on completion. Book a 20-minute call from the contact page if you want a Jotform HIPAA expert to run it with you.
