Is Google Forms HIPAA compliant?

Why the default answer is no

Out of the box, Google Forms runs on a consumer Gmail account with no BAA, stores responses on shared Google infrastructure, and offers no controls for marking fields as PHI. Free Google Workspace accounts also do not sign BAAs. Any practice collecting protected health information through a default Google Forms instance is operating outside HIPAA.

The five changes to make it compliant

First, upgrade to Google Workspace Business Associate or Enterprise. Second, sign the BAA from your Workspace admin console (it lives under Account > Account Settings > Legal and Compliance). Third, ensure Forms is one of the BAA-covered services (Google publishes the list and updates it; check before you start). Fourth, restrict the form to require sign-in and limit access to your domain. Fifth, disable third-party add-ons and turn off the response-collected email confirmation, which can leak PHI.

What Google Forms still cannot do

Even after the five changes, Google Forms cannot capture an e-signature with audit metadata, cannot conditionally branch fields based on prior PHI answers, cannot mark individual fields as encrypted-at-rest with separate access logs, and cannot integrate with a clinical EHR API. For an intake form for a therapy or telehealth practice, those four gaps usually push practices to Jotform HIPAA, SimplePractice, or a similar purpose-built tool.

When Google Forms is the right call anyway

Internal employee health screening with low PHI volume. Conference health attestations. Simple satisfaction surveys that do not collect PHI at all. In those cases the Workspace BAA plus the five changes is sufficient and you save the cost of a dedicated form builder.