Walkthrough | April 29, 2026 | 8 min read

How a 6-Therapist Group Practice Sets Up Jotform for HIPAA

An illustrative walkthrough of how a typical 6-therapist group practice sets up Jotform end-to-end: HIPAA plan, BAA, intake by therapist and modality, consent, telehealth pre-visit, and EHR-ready export. Composite, not a real client.

TL;DR
  • Single Jotform HIPAA account holds the BAA. Each therapist gets their own intake link routed off the same account.
  • Intake branches by visit type (in-person vs telehealth) and presenting concern, with sliding-scale fees and insurance disclosed up-front.
  • Consent is its own form, e-signed, retained 7 years - not bundled into the intake.
  • Notifications strip PHI; the front desk gets 'new submission, click to view' and authenticates into Jotform to triage.
  • Submissions export to the practice's EHR (SimplePractice, TherapyNotes, or similar) via structured CSV or API where supported.
  • Total setup time: 10-14 working days end to end.

I can't name real HIPAA clients, so this is a composite: drawn from real engagements but with no identifying details. If you run a small or mid-sized therapy practice and want to know what a clean Jotform HIPAA setup looks like in practice, this is shape-accurate to what I deliver.

Day 1-2: Account, plan, and BAA

Practice owner upgrades the existing Jotform account to the HIPAA plan. We sign the BAA the same day, save the countersigned PDF in the practice's compliance Drive folder. Decision log gets its first entry.

Account-level settings get configured: 2FA enforced, retention set to 7 years (state requirement for mental health records in their jurisdiction), authorized accounts limited to the practice owner + the office manager.

Day 3-5: Intake form

The intake is one form with conditional branching, not six separate forms. Patient picks the therapist they were referred to (or scheduled with), then the form branches by visit type and presenting concern.

Sections that fire conditionally:

  • Demographics + emergency contact (always).
  • Insurance card upload (if the patient is using insurance) or sliding-scale fee disclosure (if cash-pay).
  • Mental health history + current medications + prior providers (always, but with branching by 'first time in therapy' vs 'returning').
  • Telehealth-specific block: technology check, e-consent for video, platform preference (fires only for telehealth visits).
  • PHQ-9 and GAD-7 screening for depression and anxiety (always, used as a baseline).

Branching is invisible to the patient. They see one continuous form that adapts to their answers. The office sees a structured submission with the right fields filled in for the right visit type.

Consent gets its own form, sent automatically as a follow-up after intake. Reasons:

  • Legally cleaner: a separate, dated, e-signed consent record is what an auditor or licensing board wants to see.
  • Updateable: practice updates its consent annually; new versions go out without re-doing the intake.
  • Retention is independent: consent stays on file even if the patient terminates and submission records are minimized.

Consent form covers: telehealth-specific risks (video failure, jurisdictional rules, emergency procedure), payment terms, no-show policy, release of information for insurance and consultation, and the practice's privacy notice. E-signature with timestamp.

Day 7: Notifications and triage

Three notifications fire on intake submission:

  1. Patient confirmation: 'Thanks for completing intake. Here is what to expect at your first session.' No PHI in the body, no medical detail.
  2. Office manager notification: 'New submission for [therapist name] - click to view.' Link to authenticated Jotform view; no clinical content in the email.
  3. Therapist notification: same pattern, sent only to the named therapist's account.

Slack notifications were intentionally not added. The practice was on standard Slack, which has no BAA, so the integration would have violated HIPAA the moment a submission name appeared in a channel.

Day 8-9: Telehealth pre-visit

A separate pre-visit form fires 24 hours before the appointment, only for telehealth visits. It is quick: identity confirmation, technology check (browser, camera, mic, bandwidth self-test), platform link confirmation, and a short PHQ-9 update if it has been more than 30 days since the last one.

Pre-visit completion routes a 'patient ready' signal to the therapist's morning queue. Incompletes get a phone call from the front desk an hour before the session.

Day 10: EHR export

SimplePractice does not have a deep API for inbound intake (yet). The clean pattern: structured CSV export from Jotform, weekly batch import to SimplePractice. For practices on EHRs with proper APIs (DrChrono, Athena), we wire a webhook + API call instead of CSV.

Day 11-12: Decision log + checklist

Run the 12-item HIPAA pre-launch checklist (separate note on this site). Walk every hop in the data path with a synthetic test patient. Document the BAA chain in the decision log, including SimplePractice's BAA (which they have, on their HIPAA-compliant tier).
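The PHI-stripped notifications from Day 7 and the synthetic-test-patient walk above can be checked mechanically. The following is an added example, not the author's tooling or Jotform code: it seeds a synthetic patient with canary values and flags any hop whose captured output contains one. The field names, canary values, therapist name, and captured messages are all constructed for illustration.

```python
import re

# Constructed synthetic test patient: each value is a canary that no
# legitimate notification template would contain by accident.
SYNTHETIC_PATIENT = {
    "patient_name": "Zzcanary Testpatient",
    "date_of_birth": "1901-02-03",
    "phone": "555-0100-7731",
    "presenting_concern": "CANARY-CONCERN-7731",
    "phq9_score": "PHQ9-CANARY-27",
    "medications": "CANARY-MED-7731",
}

# Constructed capture of what each hop emitted for that submission.
# The first three follow the Day 7 wording; the last is a deliberate
# failure case (an integration that echoes the submission name).
CAPTURED = {
    "patient_confirmation": "Thanks for completing intake. "
                            "Here is what to expect at your first session.",
    "office_manager_email": "New submission for Dr. Example - click to view.",
    "therapist_email": "New submission for Dr. Example - click to view.",
    "chat_integration": "New intake: ZZCANARY TESTPATIENT (DOB 1901/02/03)",
}

def _norm(text):
    """Lowercase and drop punctuation/whitespace so reformatted values still match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def find_phi_leaks(message, submission):
    """Return sorted names of submission fields whose value appears in message."""
    haystack = _norm(message)
    leaked = set()
    for field, value in submission.items():
        # Check the whole value and each longer word (a surname alone is PHI).
        candidates = [value] + [w for w in value.split() if len(w) >= 4]
        if any(_norm(c) and _norm(c) in haystack for c in candidates):
            leaked.add(field)
    return sorted(leaked)

def audit_hops(captured, submission):
    """Map hop name -> leaked fields, listing only hops that leaked something."""
    report = {}
    for hop, message in captured.items():
        leaks = find_phi_leaks(message, submission)
        if leaks:
            report[hop] = leaks
    return report

if __name__ == "__main__":
    print(audit_hops(CAPTURED, SYNTHETIC_PATIENT))
```

An empty report is the pass condition; any entry names the hop and the fields to remove from its template before launch.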

Day 13-14: Soft launch and adjustments

Form goes live for the next batch of new-patient intakes. First week, both the office manager and I review every submission together to catch field-level issues (fields the patient confused, branching that did not fire as expected, language the practice owner wanted softened). Adjustments roll out same-day.

By end of week 2, the form is running on its own. The practice's average intake-to-first-session time drops from 9 days to 4 days because the back-and-forth on insurance and consent paperwork is gone.

What this kind of engagement costs

For a practice this size, a Done-For-You setup is in the $1,500-$3,000 range depending on EHR integration depth and how many intake variants are needed (e.g., adult vs pediatric, individual vs couples). The kit catalog on this site has fixed-price entry points starting much lower if you want a base setup and own the configuration yourself.

The reason to hire a Jotform HIPAA expert specifically (not a general consultant or a freelancer learning HIPAA on your project) is that the integration audit, the BAA chain, and the PHI-stripped notifications are all judgment calls that go faster when someone has done them before. The cost of doing this once correctly is meaningfully lower than the cost of finding out from an auditor that you missed something.

If you want this for your practice

Book a 20-minute call from the contact page. We scope the engagement, send a fixed-price proposal, ship in about two weeks. You end up with a setup that is HIPAA-clean, fits how your practice actually runs, and that you fully own inside your own Jotform account.

Frequently asked

Questions on this topic.

  • Is this a real client?

    No - it is a composite drawn from real therapy-practice engagements with identifying details removed. The shape and the timeline are accurate to what an actual setup looks like.

  • Why use Jotform when SimplePractice has its own intake forms?

    The practices I work with consistently say SimplePractice's built-in intake feels clinical and rigid - patients drop off mid-form. Jotform's design control is significantly better, the conditional logic is more flexible, and it costs less for the form layer specifically. Most practices keep SimplePractice for clinical notes and scheduling and use Jotform for the patient-facing form layer.

  • Can a solo therapist use this same setup?

    Yes, just simpler. Solo practices skip the therapist-routing branch and only need one intake variant. The BAA, consent, telehealth pre-visit, and notification patterns all transfer directly. Setup time is closer to 5-7 days for a solo practice.

  • What does this cost compared to SimplePractice's higher tier?

    Jotform HIPAA plan is around $39/month. SimplePractice's Plus tier (with telehealth + insurance billing) is roughly $99/month per clinician. For a 6-clinician practice, that is a meaningful budget difference, and the Jotform layer adds capability SimplePractice's intake does not have.

  • Will this work if my practice does not bill insurance?

    Yes. Cash-pay-only practices skip the insurance verification block. The intake, consent, and telehealth pre-visit pattern is the same. Setup is slightly faster because there is one fewer integration to audit (no clearinghouse or insurance verification tool).

  • How do I hire a Jotform HIPAA expert for my therapy practice?

    Book a free 20-minute call from the contact page. We scope on the call (number of therapists, EHR, telehealth needs, insurance billing, jurisdictional retention rules), send a fixed-price proposal within 48 hours, and ship in about two weeks for most small and mid-sized practices.
