Guide · April 29, 2026 · 9 min read

HIPAA-Safe Jotform Integrations: What Breaks PHI, What Doesn't

The Jotform HIPAA plan covers Jotform. It does not cover what happens to a submission once it lands in Zapier, Google Sheets, Slack, or your CRM. Here is the integration-by-integration verdict from a Jotform HIPAA expert who built the integration codepath.

TL;DR
  • The BAA you sign with Jotform does not extend to downstream tools. Each integration that touches PHI needs its own BAA.
  • Zapier breaks HIPAA by default. The HIPAA plan exists but it costs extra and you have to opt in per workspace.
  • Google Sheets is only HIPAA-safe via a Google Workspace BAA. A personal Gmail or free Workspace account does not count.
  • Slack is only HIPAA-safe on Enterprise Grid. Standard, Business+, and free Slack workspaces all break compliance the moment PHI lands in a channel.
  • Salesforce, HubSpot, and Stripe all have HIPAA paths but require enterprise tiers and signed BAAs - not the standard accounts.
  • When in doubt: route the integration to a Jotform-internal table or webhook to your own infrastructure. Do not push PHI into a generic SaaS without confirming the BAA chain.

If you searched 'jot forms hipaa' and landed here, this is the question I get most often after the BAA itself: 'Can I keep using Zapier / Google Sheets / Slack / HubSpot with my HIPAA Jotform setup?' The answer in every case is the same - it depends on whether that vendor will sign a BAA with you. The Jotform BAA covers Jotform. Once a submission leaves Jotform, you are in a separate compliance contract with whatever tool received it.

I was on the Jotform product team for five years. The integration codepath - webhooks, the integrations marketplace, the email pipeline - those were the surfaces I worked on. The good news: most of the HIPAA integration questions have clean answers. The bad news: a lot of teams are running setups today that break HIPAA without realizing it because the marketplace lets you connect tools that have no BAA.

Zapier and Make

Verdict: Conditional. Possible with the paid HIPAA tier only.

Zapier sells a HIPAA plan ('Zapier for Companies' tier or higher with HIPAA add-on, current pricing on their site). Without it, every Zap that carries PHI is a compliance break. Same logic for Make - a HIPAA tier exists but is enterprise-priced and per-workspace.

What this means in practice: if you want a Zap to fire on every submission, you have to pay for the Zapier HIPAA plan AND you have to limit the workspace to that purpose. Mixing HIPAA Zaps with non-HIPAA Zaps in the same workspace is muddier than people realize.

Google Sheets

Verdict: Conditional. Only via a Google Workspace BAA.

Google will sign a BAA with you, but only if you are on a Google Workspace plan that supports it (Business Standard and above, plus Enterprise tiers). The BAA covers Sheets, Drive, Gmail, and most core Workspace services. It does NOT cover free personal Gmail accounts or Workspace plans below the BAA-eligible tier.

Practical implications: if you are pushing Jotform submissions to a Sheet owned by your Workspace organization with the BAA in place, that's compliant. If the Sheet is owned by your personal Gmail account, it is not. I have seen practices run for years on a personal-Gmail-owned Sheet without realizing they were out of compliance.

Slack

Verdict: Conditional. Enterprise Grid only.

Slack will only sign a BAA with customers on Enterprise Grid - their top-tier plan. Standard and Business+ workspaces do not get a BAA, full stop. So that handy 'send a Slack notification when a new patient submits intake' Zap? Compliance break unless you are on Enterprise Grid.

HubSpot

Verdict: Conditional. Sales Hub Enterprise + signed BAA.

HubSpot offers HIPAA support on Sales Hub Enterprise and Service Hub Enterprise (and CMS Hub Enterprise for content), all with a signed BAA. Lower tiers (Starter, Professional) do not. If your practice uses HubSpot for marketing or CRM, that is fine for non-PHI lead capture - but you cannot push patient intake submissions into a HubSpot Pro account.

I see a common confusion here: teams use HubSpot Marketing for general business outreach and assume it is fine to push the patient intake into the same account. It is not, unless that HubSpot account is on Enterprise with the BAA in place.

Salesforce

Verdict: Yes with effort. BAA available on most editions.

Salesforce is the most HIPAA-friendly major CRM. They will sign a BAA on most Enterprise editions and provide Health Cloud as a healthcare-specific product. The integration with Jotform via webhook or native connector is clean once the BAA is in place.

The catch: Salesforce is expensive enough that most small practices will not run it. If you are at the size where Salesforce makes sense, the HIPAA layer is straightforward.

Stripe and payment processors

Verdict: Stripe yes (under their BAA terms). Most others no.

Stripe will sign a BAA for healthcare customers and is comfortable with PHI in the metadata of charges. Square, PayPal, and most consumer payment tools will not sign a BAA, so do not put PHI in line items or notes when you process through them.

The clean pattern: keep PHI in Jotform, send only a transaction reference (patient ID, not patient name + condition) to the payment processor, reconcile in your back office where the BAA chain holds.
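The reference-not-PHI pattern above, as an added example that is not Jotform's code or part of the original post. It assumes the field names of a hypothetical intake form, a constructed submission, a back-office key, and a placeholder inbox URL; it goes beyond the payment case by applying the same deny-by-default allowlist to a Slack notification that carries only a link back into Jotform, and it refuses to emit any payload in which a non-allowlisted answer shows up.

```python
import hashlib
import hmac
import json

# Assumption: field names of a hypothetical intake form. Deny by default: only the
# fields listed per destination may leave Jotform; everything else is treated as PHI.
ALLOWED = {
    "payment": {"amount_cents", "currency"},  # what the processor needs to charge
    "slack": set(),                           # the notification carries no form fields
}
METADATA = {"submission_id"}  # Jotform's own identifier, not a form answer

# Constructed sample of a parsed submission (not a real Jotform payload).
SAMPLE_SUBMISSION = {
    "submission_id": "6001234567890",
    "patient_name": "Jane Example",
    "condition": "example condition",
    "amount_cents": 15000,
    "currency": "usd",
}

def patient_reference(submission_id: str, secret: bytes) -> str:
    """Opaque reference for the processor: a keyed hash of the submission ID, so the
    mapping back to the patient exists only in your back office (which holds the key)."""
    return hmac.new(secret, submission_id.encode(), hashlib.sha256).hexdigest()[:16]

def payment_payload(submission: dict, secret: bytes) -> dict:
    """Allowlisted fields plus an opaque reference; no name, no condition."""
    body = {k: v for k, v in submission.items() if k in ALLOWED["payment"]}
    body["metadata"] = {"patient_ref": patient_reference(submission["submission_id"], secret)}
    return body

def slack_message(inbox_url: str) -> dict:
    # No names, conditions or answers in the body; just a pointer back into Jotform.
    return {"text": f"New intake submission received. Review it in Jotform: {inbox_url}"}

def leaks_phi(payload: dict, submission: dict, target: str) -> bool:
    """Last check before sending: does any non-allowlisted answer appear in the payload?"""
    blob = json.dumps(payload)
    return any(str(v) in blob for k, v in submission.items()
               if k not in ALLOWED[target] and k not in METADATA)

def fan_out(submission: dict, secret: bytes, inbox_url: str) -> dict:
    """Build every downstream payload and refuse to return any that fails the leak check."""
    out = {"payment": payment_payload(submission, secret), "slack": slack_message(inbox_url)}
    for target, payload in out.items():
        if leaks_phi(payload, submission, target):
            raise ValueError(f"refusing to send PHI to {target}")
    return out
```

The substring check in `leaks_phi` is a tripwire, not a guarantee: the allowlist is what keeps PHI out, and the check catches a field that was later added to the form without being reviewed.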

The decision framework

When auditing a new integration on a HIPAA Jotform setup, walk through these four questions:

  1. Does this vendor offer a BAA at all? If no, do not connect.
  2. What plan tier do they require for the BAA? Are we on it?
  3. Does the BAA cover the specific product we're using (e.g., Slack BAA covers Enterprise Grid only, not the standard Slack app)?
  4. What does the data flow look like? If PHI lands in a place a reviewer might forward, screenshot, or copy-paste, the integration needs additional access controls.

When you are unsure, ask

If you got to the bottom of this and are not sure whether your current setup holds, run our free HIPAA workflow risk assessment - it asks 8 questions and outputs a personalized gap list. Or book a 20-minute call with a Jotform HIPAA expert and we will walk your specific integration chain together. The cost of finding out from an auditor is worse than the cost of finding out from us.

Frequently asked

Questions on this topic.

  • Is Zapier HIPAA-compliant with Jotform?

    Only if you are on the Zapier HIPAA tier (their Companies plan with the HIPAA add-on) AND have a signed BAA with Zapier. Standard and free Zapier plans break HIPAA the moment a Zap carries PHI from Jotform to anywhere else.

  • Can I use Google Sheets for HIPAA Jotform submissions?

    Only via a Google Workspace plan that supports a BAA (Business Standard and above) and only if Google countersigns the BAA for your account. A personal Gmail-owned Sheet is not HIPAA-safe.

  • Will Slack sign a BAA for our practice?

    Slack will only sign a BAA on Enterprise Grid, their top tier. Free, Pro, and Business+ workspaces do not get a BAA. Practices typically work around this by routing notifications to Slack with no PHI in the body and a link back to Jotform.

  • Is HubSpot HIPAA-compliant?

    Only on Enterprise tiers (Sales Hub Enterprise, Service Hub Enterprise, CMS Hub Enterprise) with a signed BAA. Starter and Professional HubSpot accounts cannot legally receive PHI from your Jotform setup.

  • What is the easiest HIPAA-safe alternative to Zapier?

    A direct webhook from Jotform to your own backend, or a webhook to a HIPAA-compliant function-as-a-service like AWS Lambda behind API Gateway with a Google or AWS BAA in place. Both are simpler to audit than a chain of Zaps.

  • How do I know if a vendor has a real BAA or just marketing language?

    Ask for the BAA in writing before connecting. A real BAA is a signed legal document with specific clauses around breach notification, subprocessor disclosure, and data return on termination. Marketing language like 'we are HIPAA-aware' or 'we follow HIPAA principles' is not a BAA.

  • Can a Jotform HIPAA expert audit our existing integration setup?

    Yes. Run the free risk assessment first to see the obvious gaps, or book a 20-minute call - we walk every integration on your form, identify which ones lack a BAA, and either replace, remove, or upgrade. Most engagements are 1-2 weeks, fixed price.

Want this wired for your setup?

Free 20-minute call. I'll tell you if a kit fits, what a custom build would take, or help you decide whether to stick with Jotform for this case.