Is Microsoft Forms HIPAA compliant?
Why Microsoft Forms is closer than Google Forms
Microsoft includes Forms in its Microsoft 365 BAA scope, which means you can legally operate it under HIPAA if you have the right plan and configuration. Google, by contrast, does not cover Google Forms under a standard Workspace BAA without manual configuration and verification. This makes Microsoft Forms the easier path to conditional HIPAA compliance of the two major free-with-subscription form builders.
- Microsoft 365 BAA covers the Forms service explicitly
- BAA available on Business Premium and Enterprise plans
- Data stays within Microsoft's cloud infrastructure (Azure/Azure AD)
The configuration requirements
Having a Microsoft 365 BAA is necessary but not sufficient. You must also configure your tenant correctly. Sign the BAA in the Microsoft 365 admin center, restrict form access to internal or authenticated users only, disable external sharing for Forms, and confirm that Forms appears in the BAA-covered services list in your compliance documentation.
- Sign the BAA in your Microsoft 365 admin center (under Compliance > Data Protection)
- Restrict form access to authenticated users within your organization
- Disable external sharing for the Forms service in the admin center
- Confirm Forms is listed in the BAA-covered services in your compliance documentation
What Microsoft Forms still cannot do
- No e-signature with IP address, timestamp, and consent text versioning
- No conditional branching on PHI fields
- No per-field encryption or access audit logging
- No native EHR integration
- Limited template library for healthcare-specific workflows
When Microsoft Forms is the right call
Microsoft Forms works well for internal employee health attestations, non-PHI surveys across a large organization, and any scenario where you are already paying for Microsoft 365 Enterprise and the form does not require clinical-grade features like e-signature or conditional PHI routing.
I configured M365 HIPAA-eligible tenants for clients during my Jotform years and compared them against Jotform HIPAA for clinical intake.
Related questions
Which Microsoft 365 plans support HIPAA compliance for Forms?
Microsoft 365 Business Premium, Microsoft 365 E3, and Microsoft 365 E5 include the BAA scope that covers Forms. Microsoft 365 Business Basic and Business Standard do not include BAA coverage. Check your plan's compliance documentation to confirm Forms is listed as a covered service.
Should I use Microsoft Forms or Jotform for HIPAA intake?
If you need e-signature with audit metadata, conditional logic for PHI routing, or per-field access logging, Jotform Gold is the better choice. Microsoft Forms is adequate for simple internal forms where the BAA coverage is the only requirement and no clinical-grade features are needed.
Does Microsoft Forms support e-signature for HIPAA?
No. Microsoft Forms does not have a built-in e-signature field. You can integrate with third-party e-signature tools through Power Automate, but the audit metadata (IP, timestamp, consent version) is not captured in a single unified record the way Jotform's native e-signature widget provides.
Can I use Microsoft Forms and Jotform together?
Yes. Some organizations use Microsoft Forms for internal, non-clinical surveys under their M365 BAA, and Jotform Gold for patient-facing clinical intake where e-signature and conditional PHI routing are required. This avoids paying for Jotform on forms that do not need clinical features.