Is Google Forms HIPAA Compliant? (Short Answer: Sort Of)
Google Forms on a free Gmail account is not HIPAA compliant. With a Google Workspace BAA and specific configuration changes, it can be made compliant. But it lacks clinical workflow features, e-signature, and integration audit trails. Here is the honest breakdown.
- Google Forms is not HIPAA compliant out of the box. You need a Google Workspace account with a BAA and you must configure sharing, notifications, and storage settings specifically for compliance.
- The main gaps: no e-signature, no conditional logic for clinical workflows, no PHI field controls, and no integration audit trail.
- File uploads go to Google Drive, which needs its own BAA verification and restricted sharing settings within your Workspace.
- Google Forms is good enough for simple, low-PHI intake. It is not good enough for complex clinical workflows, e-consent, or multi-step patient journeys.
I get this question regularly. The short answer is: Google Forms can be made HIPAA compliant with the right configuration, but the defaults are not, and it has real limitations for healthcare workflows. The long answer follows.
I spent five years inside Jotform on the product team. I have nothing against Google Forms. For a school survey or a team sign-up sheet, it works fine. For healthcare data, you need to understand exactly what it does and does not give you.
The BAA requirement
A Google Form on a free Gmail account has no BAA. Zero compliance. If you collect PHI on a free Google Form, you are violating HIPAA. Full stop.
Google Workspace (formerly G Suite) includes a BAA across Business Starter, Business Standard, and Business Plus plans. The BAA covers Google Forms, Google Drive, Gmail, and the rest of the Workspace suite. You request the BAA through the Workspace admin console. Google signs it. You keep a copy on file.
The BAA exists. The form is covered. You are compliant, right? Not yet.
What you have to change from the defaults
Google Forms with a Workspace BAA gives you the legal foundation. The default settings still leave gaps. Here is what you must change.
Restrict response access
By default, anyone with edit access to a Google Form can view responses. If the form is linked to a Google Sheet, anyone with access to the Sheet can see submissions. You must restrict both the form and the linked Sheet to only the accounts that need to view PHI.
In the Sheet's sharing settings, set access to 'Restricted.' Add specific Workspace accounts as viewers or editors. Do not use 'Anyone with the link.' Do not share the Sheet with personal Gmail accounts.
Disable link sharing on the form
Google Forms has a setting to accept responses from anyone with the link. For healthcare use, you may want to restrict the form to users within your Workspace organization. This limits responses to authenticated accounts, which is more secure but also limits patient access since patients are not typically in your Workspace.
The realistic option for patient-facing forms: keep the link open but make sure the form itself does not display PHI in the confirmation message, and that the response Sheet is restricted.
Configure email notifications carefully
Google Forms can send an email notification when a response is submitted. By default, this notification includes the response content. If the form collects PHI, that PHI is now in an email. Gmail is covered under the Workspace BAA, so intra-organization emails are compliant. But if you forward that notification to an external address, you have a problem.
Use the notification as a ping only: 'A new response has been submitted.' Review responses in the form's Responses tab or the linked Sheet, not in email.
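One way to get a ping-only notification, as an added example that is not from this article or from Google: an Apps Script form-submit trigger that emails only the form title, timestamp and response id, and refuses to send if the message text happens to contain any answer. The address in NOTIFY_TO is an assumed Workspace account covered by the BAA.

```javascript
// Added example (not from the article): Apps Script "On form submit" trigger
// that replaces Google Forms' default notification (which includes the
// response body) with a content-free ping.
const NOTIFY_TO = 'intake-team@example-practice.com'; // assumed Workspace address

// Pure helper: build a notification that carries no response content.
// Only the form title, a timestamp and the opaque response id are included,
// so the email is useful for routing but exposes no PHI if it is forwarded.
function buildPingMessage(formTitle, submittedAt, responseId) {
  return {
    subject: `New response: ${formTitle}`,
    body:
      `A new response to "${formTitle}" was submitted at ${submittedAt.toISOString()}.\n` +
      `Response id: ${responseId}\n` +
      "Review it in the form's Responses tab or the restricted Sheet, not in this email.",
  };
}

// Guard: true if any answer text appears in the message. Answers shorter
// than four characters (e.g. "Yes") are ignored because they would match
// ordinary words. A false positive blocks the email; it never leaks PHI.
function containsAnswerText(message, answers) {
  const text = `${message.subject}\n${message.body}`.toLowerCase();
  return answers.some((a) => {
    const needle = String(a).trim().toLowerCase();
    return needle.length >= 4 && text.includes(needle);
  });
}

// Apps Script entry point for an installable "On form submit" trigger.
// e.response is the FormResponse for form-bound triggers.
function onFormSubmit(e) {
  const response = e.response;
  const answers = response.getItemResponses().map((ir) => String(ir.getResponse()));
  const form = FormApp.getActiveForm();
  const msg = buildPingMessage(form.getTitle(), response.getTimestamp(), response.getId());
  if (containsAnswerText(msg, answers)) {
    // Fail closed: the trigger error goes to the script owner with no PHI in it.
    throw new Error('Notification would include response content; not sent');
  }
  MailApp.sendEmail(NOTIFY_TO, msg.subject, msg.body);
}
```

Turn off the built-in "Get email notifications for new responses" option on the form so the content-bearing default is not sent alongside the ping.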
File uploads go to Drive
If your form includes a file upload field, the uploaded files are stored in a Google Drive folder. Drive is covered under the Workspace BAA, but the folder needs the same restricted sharing settings as the response Sheet. Check the folder's sharing settings after you create the form. Google sometimes defaults to broader access than you expect.
Also verify that the Drive folder is on your Workspace organizational Drive, not on a user's personal Drive. If the form creator leaves the organization, files on their personal Drive could become inaccessible or, worse, stay accessible to their account after they depart.
Where Google Forms falls short
Configuration gets you to baseline compliance. Capability gaps are what limit Google Forms for real clinical use.
No e-signature
Google Forms has no native e-signature field. You cannot collect a patient's signature on a consent form. Workarounds exist, but none is adequate: a checkbox labeled 'I agree' is not the same as a signature, and third-party signature integrations through Google Apps Script are clunky and add a separate tool to your BAA list.
For telehealth consent, treatment consent, or any document that legally requires a signature, Google Forms is the wrong tool.
No conditional logic for clinical workflows
Google Forms supports section-based branching: you can send a respondent to a different section based on their answer. This is far less capable than Jotform's conditional logic, which can show or hide individual fields, make fields required or optional, calculate values, and skip pages.
A clinical intake form needs conditional logic. 'If the patient is new, show the full history section. If returning, show only the update section.' 'If the patient reports chest pain, require the cardiac history fields.' Google Forms' section branching can approximate this, but you end up creating many sections to cover each path. The form gets long and hard to maintain.
No PHI field controls
Google Forms treats every field the same. There is no way to mark a field as containing PHI and apply different storage or access rules to it. Your entire response Sheet is either accessible or not. You cannot restrict access to specific columns.
This matters when you want to share non-PHI data with a team that should not see PHI. Example: the scheduling team needs appointment type and time slot. They do not need the patient's insurance ID. In Jotform, you can route only the relevant fields. In Google Forms, you either copy the Sheet and delete columns manually or build a separate Apps Script to filter it. Either way, it is extra work that introduces error.
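What that filtering script looks like when done with an allowlist rather than by deleting columns, as an added example that is not from this article or from Google: only named non-PHI columns are copied into a second Sheet whose sharing is set independently. The column names, sheet ids and the allowlist are assumed values.

```javascript
// Added example (not from the article): allowlist projection of the response
// Sheet into a scheduling-team view. Anything not named in SHARE_COLUMNS,
// such as name or insurance ID, is never copied.
const SHARE_COLUMNS = ['Timestamp', 'Appointment type', 'Preferred time slot']; // assumed

// Pure helper: given a header row followed by data rows, return only the
// allowlisted columns, in allowlist order. Columns are matched by exact header
// name, and a missing allowlisted column is an error rather than a silent gap,
// so a renamed header cannot quietly change what gets shared.
function projectColumns(rows, allowlist) {
  const [header = [], ...data] = rows;
  const indexes = allowlist.map((name) => {
    const i = header.indexOf(name);
    if (i === -1) throw new Error(`Allowlisted column not found: ${name}`);
    return i;
  });
  return [allowlist.slice(), ...data.map((row) => indexes.map((i) => row[i]))];
}

// Apps Script wrapper: read the restricted response Sheet, overwrite the
// scheduling Sheet with the projection. Run it from a time-driven trigger.
function syncSchedulingView(sourceSpreadsheetId, targetSpreadsheetId) {
  const source = SpreadsheetApp.openById(sourceSpreadsheetId).getSheets()[0];
  const rows = source.getDataRange().getValues();
  const out = projectColumns(rows, SHARE_COLUMNS);
  const target = SpreadsheetApp.openById(targetSpreadsheetId).getSheets()[0];
  target.clearContents(); // replace, so rows deleted at the source disappear too
  target.getRange(1, 1, out.length, out[0].length).setValues(out);
  return out.length - 1; // number of data rows written
}
```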
No integration audit trail
Jotform logs every action on HIPAA accounts: who viewed a submission, when it was exported, which integrations received it. Google Forms has no comparable audit log. You can see edit history on a Google Sheet, but it does not tell you who accessed the form's response data through the Forms interface or via API.
HIPAA does not strictly require audit logging (the Security Rule says you must implement audit controls, but the interpretation is flexible). In practice, an auditor will ask how you know who accessed PHI. Without logs, you are relying on policy, not evidence.
Jotform vs Google Forms for HIPAA
I am not going to pretend I do not have an opinion here. I worked at Jotform. I also use Google Forms for non-healthcare things. For HIPAA, the gap is real.
Jotform's HIPAA plan gives you: a signed BAA, at-rest encryption, 2FA, team permissions with submission-level access control, HIPAA mode that disables PHI in email notifications, e-signature, conditional logic, and integration logging. The plan costs more than a Google Workspace subscription. You are paying for the healthcare-specific features.
Google Forms with a Workspace BAA gives you: a signed BAA, at-rest encryption, 2FA at the org level, and the entire Google ecosystem. You do not get e-signature, conditional logic beyond section branching, PHI field controls, or integration logging. You build those yourself or accept the limitations.
The cost difference is real. A Google Workspace Business Starter account is around $7 per user per month. Jotform's Gold plan (the entry point for HIPAA) is $39 per month. If you are a small practice with simple needs and tight budgets, Google Forms might be enough. If you have clinical workflows that need conditional logic, e-consent, or audit trails, Jotform is the better choice.
When Google Forms is good enough
I would use Google Forms for HIPAA-covered data in these situations: a simple patient satisfaction survey with no clinical data, a basic contact form where the only PHI is a patient's name and phone number, or an internal form where all respondents are within the Workspace organization.
I would not use it for: patient intake with insurance and medical history, telehealth consent forms, clinical screening tools, or any workflow that requires conditional logic or e-signature.
The checklist if you go with Google Forms
If you decide Google Forms meets your needs, here is the minimum you must do.
- Sign up for Google Workspace. Request the BAA through the admin console.
- Create forms only within your Workspace organization. Do not use personal Gmail accounts for form creation or response access.
- Restrict the response Sheet's sharing to specific Workspace accounts. No link sharing. No external accounts.
- Configure email notifications to not include response content. Use them as pings only.
- If the form has file uploads, verify the Drive folder is on organizational Drive with restricted sharing.
- Disable Gmail forwarding on accounts that receive form notifications.
- Document the setup. Include your BAA copy, the sharing configuration for each form and Sheet, and the list of accounts with access.
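A way to verify the sharing items on this checklist rather than trust that they were set once, as an added example that is not from this article or from Google: an Apps Script audit of the response Sheet and the upload folder that flags any sharing mode other than restricted and any editor or viewer outside the Workspace domain. ORG_DOMAIN and the ids are assumed values, and it is assumed that String() of a DriveApp.Access value yields its name (for example 'PRIVATE').

```javascript
// Added example (not from the article): audit of response Sheet and Drive
// folder sharing against the checklist: restricted access, org accounts only.
const ORG_DOMAIN = 'example-practice.com'; // assumed Workspace domain

// Pure check over a plain description of one item's sharing state.
// access is the DriveApp.Access name ('PRIVATE', 'DOMAIN', 'ANYONE_WITH_LINK', ...);
// editors and viewers are email addresses. Returns findings; empty means ok.
function auditSharing(item, orgDomain) {
  const findings = [];
  if (item.access !== 'PRIVATE') {
    findings.push(`${item.name}: sharing is ${item.access}, expected PRIVATE`);
  }
  for (const email of [...item.editors, ...item.viewers]) {
    const domain = (email.split('@')[1] || '').toLowerCase();
    if (domain !== orgDomain.toLowerCase()) {
      findings.push(`${item.name}: account outside ${orgDomain} has access: ${email}`);
    }
  }
  return findings;
}

// Apps Script helper: works for both File and Folder, which expose the same
// sharing methods. Assumes String(Access enum) gives the enum name.
function describeDriveItem(driveItem) {
  return {
    name: driveItem.getName(),
    access: String(driveItem.getSharingAccess()),
    editors: driveItem.getEditors().map((u) => u.getEmail()),
    viewers: driveItem.getViewers().map((u) => u.getEmail()),
  };
}

// Apps Script entry point: run on a schedule and keep the log with your
// compliance documentation.
function auditResponseAssets(responseSheetId, uploadFolderId) {
  const items = [
    describeDriveItem(DriveApp.getFileById(responseSheetId)),
    describeDriveItem(DriveApp.getFolderById(uploadFolderId)),
  ];
  const findings = items.flatMap((item) => auditSharing(item, ORG_DOMAIN));
  Logger.log(findings.length ? findings.join('\n') : 'OK: sharing is restricted');
  return findings;
}
```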
Google Forms can be HIPAA compliant. It takes work and it has limits. Know both before you commit.
