Is Typeform HIPAA compliant?
Why Typeform is not HIPAA compliant
The Business Associate Agreement (BAA) is the legal foundation of HIPAA compliance for any third-party service that creates, receives, stores, or transmits protected health information (PHI) on a covered entity's behalf. Without a signed BAA, the covered entity has no lawful basis to disclose PHI to the vendor, so every submission that carries PHI through the service is itself a Privacy Rule violation, and the vendor has taken on no contractual obligation to safeguard that data or report a breach of it. Typeform does not offer a BAA on any of its publicly listed plans.
What Typeform's security page actually says
Typeform's security documentation highlights SOC 2 Type II certification, GDPR compliance, and data encryption at rest and in transit. These are good security practices, but none of them equals HIPAA compliance. SOC 2 Type II is an auditor's attestation that operational security controls functioned over a review period. GDPR governs personal data of people in the EU. Encryption is one technical safeguard under the HIPAA Security Rule. A BAA is the legal mechanism that extends HIPAA obligations and liability to a third party, and Typeform does not provide one.
- SOC 2 Type II ≠ BAA (different standard, different scope)
- GDPR compliance ≠ HIPAA compliance (different regulation, different jurisdiction)
- Data encryption ≠ HIPAA compliance (one addressable safeguard, not sufficient on its own)
What to use instead for HIPAA intake
Jotform's HIPAA Gold plan signs a BAA on signup, provides HIPAA-eligible field markers, a native e-signature widget with audit metadata, and conditional logic for routing PHI only to authorized recipients. At $99/month billed annually, it is the most accessible HIPAA-compliant form builder for small and mid-size healthcare practices.
Jotform HIPAA Gold at a glance
- BAA signed on plan activation
- HIPAA field markers to tag PHI fields explicitly
- E-signature widget with IP address, timestamp, and consent text versioning
- Conditional logic to route PHI submissions only to authorized recipients
- 36 healthcare-specific widgets and templates
When Typeform is fine (non-HIPAA use)
Typeform's one-question-at-a-time interface excels at marketing surveys, NPS collection, event registration, and any scenario where the form will never touch protected health information. The UI drives higher completion rates on long surveys because respondents see one question at a time instead of a full page of fields.
I spent five years on Jotform's product team and regularly compared Jotform's HIPAA stack against Typeform's for prospects. The BAA gap came up in every healthcare sales conversation.
- Typeform security documentation (Typeform)
- HHS Business Associate Contracts guidance (U.S. Department of Health and Human Services)
- Jotform HIPAA features overview (Jotform)
Related questions
Does Typeform Enterprise include a BAA?
Not as of 2026. Typeform's Enterprise tier is custom-priced and includes SSO and other advanced features, but its documentation does not list a BAA as an included feature. Contact Typeform's sales team for the current status, but do not assume a BAA exists without written confirmation, and do not send PHI through the service until one is signed.
Can I use Typeform for healthcare if I don't collect PHI?
Yes. If the form collects only non-identifiable feedback (satisfaction scores, general wellness interest, event signups with no health data), Typeform works fine. The line is crossed when a response ties an identifier to health information: a name paired with a condition, an insurance member ID, a date of service, or any combination of fields that could identify a patient and their health status. Free-text fields deserve particular care, because respondents will volunteer health details even when the form never asks for them.
How does Jotform's HIPAA plan compare to Typeform for non-HIPAA forms?
For non-HIPAA use, Typeform's one-question-at-a-time UI often gets higher completion rates on long surveys. For anything that might touch PHI, Jotform is the only option that signs a BAA at an accessible price point.
What about Typeform's e-signature add-on?
Typeform Sign (via Dropbox Sign) handles signatures but does not include the audit metadata a defensible clinical consent record needs (signer IP address, timestamp, and versioning of the consent text that was signed). For clinical consent, Jotform's native e-signature widget captures all three.