Tutorial · April 29, 2026 · 6 min read

How to Get the Jotform BAA Signed: A Step-by-Step Walkthrough

The Jotform BAA is a 10-minute task once you know which screen to click. Here is the exact path - what to enable, what to ask for, and how to verify it actually got signed.

TL;DR
  • The Jotform BAA is only available on the dedicated HIPAA plan tier. Upgrade your account first.
  • After upgrade, the BAA is generated from inside Account Settings. Most setups have it signed and on file within 24 hours.
  • Verify by checking your account's HIPAA badge and asking for a countersigned PDF copy. Keep that PDF in your compliance folder.
  • Common gotcha: the BAA covers the account holder, not the form. If you transfer ownership of the form to a new account, the BAA does not transfer with it.

If you searched 'jot forms hipaa' or 'jotform BAA' and want the BAA in hand without a week of back-and-forth, this is the exact path. I worked on the Jotform HIPAA codepath from 2020 to 2025, including the BAA flow itself. Here is what works.

Step 1: Upgrade to the HIPAA plan

  1. Sign in to Jotform with the account that owns the forms collecting PHI.
  2. Go to My Account → Billing.
  3. Select the HIPAA plan from the plan picker. If you do not see it, scroll - HIPAA is listed below the standard tiers.
  4. Complete the upgrade. The HIPAA badge appears in your account header within a minute.
  5. Important: the HIPAA badge is not the BAA. You still need to request and sign the agreement separately.

Step 2: Generate and sign the BAA

  1. Go to My Account → Settings → HIPAA Compliance.
  2. Click 'Request BAA'. The system generates a pre-filled BAA addressed to your account holder name.
  3. Review the document. The two clauses to read carefully are the breach notification timeline (typically 60 days) and the subprocessor list.
  4. Sign electronically. Jotform countersigns automatically and emails the executed PDF to the account email.
  5. Save the PDF in a compliance folder you control - not just in the email inbox where it can be lost on a staff change.

Step 3: Verify the BAA is in effect

Three checks - run all three before you put PHI on a form.

  1. Account header shows the HIPAA badge (green or marked 'HIPAA').
  2. Settings → HIPAA Compliance shows 'BAA Active' with a date.
  3. You have the countersigned PDF saved locally with both signatures on it (yours and Jotform's).

If any of those three are missing, do not assume the BAA is in effect. The most common failure mode I see is teams who signed the BAA on their side but never received the countersigned copy back. Without the countersigned PDF, you do not have a binding BAA.

Step 4: Configure the account-side defaults

Signing the BAA is necessary but not sufficient. Flip these account settings before any PHI form goes live:

  • Enable 2FA on every account that can access HIPAA forms (Account Settings → Security).
  • Set submission storage retention to your practice's policy (usually 6-7 years for medical records) under HIPAA Compliance → Data Retention.
  • Restrict who can view submissions to specific named accounts (Form Builder → Settings → Form Permissions).
  • Turn on activity logging at the account level (Enterprise only, but useful where available).

Step 5: Document the chain

Auditors look for a paper trail. Keep a single document - I call it the 'Compliance Decision Log' - that lists:

  • Date the Jotform BAA was signed and a link to the countersigned PDF.
  • Date each downstream integration's BAA was signed (Zapier HIPAA, Workspace, Salesforce, etc.) and links to those PDFs.
  • List of accounts authorized to view PHI on this Jotform account, with role and start date.
  • Date of last access log review and who reviewed it.
  • Date of last integration audit and a 'safe / replace / remove' verdict for each.

Common failure modes

Signing the BAA after PHI has already been collected

If patient data was submitted before the BAA was active, that data was technically processed without a BAA in place. Best practice: delete those submissions and have patients re-submit under the active BAA, or document the gap in the decision log and remediate.

Transferring form ownership without re-signing

The BAA covers the account holder. If you transfer a HIPAA form to a different Jotform account (e.g., from a personal account to a clinic account), the new account needs its own HIPAA plan and its own BAA. The form does not carry compliance with it.

Forgetting to renew on plan change

If you downgrade off the HIPAA plan and then upgrade back later, you will need to request the BAA again. Some teams have run for months on a downgraded plan without realizing they were out of compliance.

Need help?

If you want a Jotform HIPAA expert to run the full BAA + integration + decision-log setup in your account once and hand it back compliant, that is what the Done-For-You HIPAA engagement covers. Book a 20-minute call from the contact page and we will scope it.


Frequently asked

Questions on this topic.

  • How long does it take to get a Jotform BAA signed?

    Usually under 24 hours. The BAA is generated and self-signed inside the Jotform account; Jotform countersigns automatically. If you do not receive the countersigned PDF within a day, contact Jotform support and reference the request date.

  • Do I need a separate BAA for each form?

    No. The BAA covers the entire Jotform account, so every form built on a HIPAA-tier account is covered automatically. You do still need separate BAAs for downstream integrations (Zapier, Google Workspace, Slack Enterprise Grid, etc.).

  • Can I get the BAA before paying for the HIPAA plan?

    No. The BAA is only generated on the HIPAA tier. If you want to review the BAA language before committing, Jotform support can share a sample on request.

  • What if I am a solo practitioner - do I still need the full BAA flow?

    Yes. HIPAA does not have a small-practice exemption. A solo therapist or chiropractor handling PHI is a covered entity and needs the BAA in place. The good news is the BAA process is the same whether you are solo or running a 50-clinician group.

  • Does the Jotform BAA cover patient e-signatures?

    Yes. E-signature submission, the signed PDF generation, and the storage of signed forms are all under the BAA on the HIPAA plan. For higher-assurance e-signature (where you need a separate audit trail of who signed, when, and from where), pair Jotform with an e-signature provider such as DocuSign or SignNow that has its own BAA.

  • Where can I hire a Jotform HIPAA expert to do this setup for me?

    Book a 20-minute call from the contact page. We scope the engagement (BAA + integration audit + intake build + access controls + decision log), send a fixed-price proposal, and ship in 1-2 weeks for most practices.

Want this wired for your setup?

Free 20-minute call. I'll tell you if a kit fits, what a custom build would take, or help you decide whether to stick with Jotform for this case.