How do I set up HIPAA-compliant telehealth with intake forms and e-signature?
What you need before you start
Three accounts and one signature. A Jotform HIPAA Gold account (the only plan that signs a Business Associate Agreement), a telehealth video tool that also signs a BAA (Zoom for Healthcare or Doxy.me), and your encrypted storage destination (Box for Business with BAA, Google Workspace with BAA, or your EHR). Sign the Jotform BAA first; the platform refuses to let you toggle HIPAA fields on forms until that paperwork is complete.
Build the intake form
One form, not three. Include demographics, insurance, presenting concern, consent for treatment, telehealth-specific consent (audio/video recording disclosure, state of residence at time of visit), and the e-signature widget. Use conditional logic to hide fields that do not apply: if a patient says they are out of state, show the state-of-residence question; otherwise hide it. Mark every field that touches PHI as HIPAA-protected in Jotform's field settings.
Add the e-signature and consent flow
Drop in Jotform's e-signature widget at the end. It captures a drawn signature plus IP address and timestamp, which is what HIPAA requires for attestation. The consent text above it should be your own; do not use a generic template. State explicitly that telehealth is being delivered, list the risks (audio dropout, screen privacy, recording policy), and require a checkbox plus signature before submission.
Generate the unique video link per submission
Use a Make or Zapier scenario triggered by the Jotform submission. The scenario hits Zoom's API (or Doxy's) to create a one-time meeting link, emails it to the patient via Jotform's HIPAA-eligible email (or a transactional email service with a BAA), and stamps the meeting ID back to the submission record. Never reuse links across patients.
Route to encrypted storage
Send the completed submission PDF plus the signed consent to your EHR via API if it supports one (Athena, eClinicalWorks, Practice Fusion all have integrations). If you do not have an EHR, store the PDF in Box for Business or Google Workspace under the patient's chart folder, both of which sign BAAs. Slack and standard Dropbox are not HIPAA-eligible and should never see PHI.
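A periodic check over exported submission records can confirm the rules above are holding: one meeting link per submission, checkbox plus signature present, and PHI routed only to BAA-covered storage. The following is an added example, not part of the original article or any vendor's code; the record fields, destination labels and sample data are constructed assumptions, not Jotform's export schema.

```python
from collections import defaultdict

# Destination labels are assumptions standing in for the BAA-covered options
# the article names (EHR, Box for Business, Google Workspace).
BAA_DESTINATIONS = {"ehr", "box_business", "google_workspace"}

# Constructed sample records; field names are hypothetical.
SAMPLE = [
    {"submission_id": "s-001", "meeting_id": "m-1001", "consent_checked": True,
     "signature_present": True, "destination": "ehr"},
    {"submission_id": "s-002", "meeting_id": "m-1002", "consent_checked": True,
     "signature_present": True, "destination": "box_business"},
    {"submission_id": "s-003", "meeting_id": "m-1002", "consent_checked": True,
     "signature_present": True, "destination": "slack"},
    {"submission_id": "s-004", "meeting_id": None, "consent_checked": True,
     "signature_present": False, "destination": "google_workspace"},
]

def audit(records):
    """Return a sorted list of (submission_id, finding_code) tuples."""
    findings = []
    by_meeting = defaultdict(list)
    for rec in records:
        sid = rec["submission_id"]
        meeting_id = rec.get("meeting_id")
        if meeting_id:
            by_meeting[meeting_id].append(sid)
        else:
            # The automation should stamp the meeting ID back on the record.
            findings.append((sid, "NO_MEETING_ID"))
        # Both the checkbox and the signature are required before submission.
        if not (rec.get("consent_checked") and rec.get("signature_present")):
            findings.append((sid, "CONSENT_INCOMPLETE"))
        # Anything outside the allowlist (Slack, standard Dropbox, unknown) is flagged.
        if rec.get("destination") not in BAA_DESTINATIONS:
            findings.append((sid, "NON_BAA_DESTINATION"))
    # A one-time link must appear on exactly one submission.
    for sids in by_meeting.values():
        if len(sids) > 1:
            findings.extend((sid, "MEETING_REUSED") for sid in sids)
    return sorted(findings)

if __name__ == "__main__":
    for sid, code in audit(SAMPLE):
        print(f"{sid}: {code}")
```
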
I built telehealth intake flows for several solo therapists and small healthcare practices during my Jotform years and after, including the exact two-hour setup described here.