Eight questions. Built by a Jotform HIPAA expert and former Jotform engineer. Spot the BAA gaps, PHI leaks, and integration risks that fail audits, in two minutes, with a specific fix for each.
I run paid HIPAA audits for Jotform-based workflows. The same eight questions land on the table every time, because the same eight gaps are responsible for almost every failure I find. This tool is that audit, distilled.
The questions cover the parts of a HIPAA setup that fail in practice, not the parts that look obvious on paper: plan eligibility, BAA status, integrations in the data path, storage outside the BAA, custom email senders, role-based access, and access-log review cadence. Each gap maps to a specific fix, with a link to the guide.
The result is a snapshot. Re-run it any time the data path changes: a new integration, a new email sender, a new collaborator, or a change of plan tier. If a high-severity item appears, pause PHI collection on the affected workflow until it is closed.
Eight questions covering the most common HIPAA gaps in Jotform setups: whether the form handles PHI at all, plan eligibility, BAA status, third-party integrations, file storage, notification email senders, account access, and access-log review cadence. Each gap returns a specific fix and a link to the relevant guide.
No. This is a workflow-level gap analysis built by a Jotform HIPAA expert, not legal counsel. It catches the technical and operational issues that account for most HIPAA failures I see in Jotform setups. For a full legal compliance audit, you still want a healthcare attorney. But the issues this tool surfaces are usually the ones that get flagged first.
The Security Rule is the universe; this assessment is the subset that actually shows up in Jotform-based workflows. The questions are the ones I ask on every paid HIPAA audit engagement, so if you fail this, you would fail the paid audit too. If you pass this, the paid audit goes faster.
Because standard Zapier and Make tiers do not have a HIPAA BAA. The moment a Jotform submission flows through them, you are out of compliance. This is the most common gap I see in setups inherited from generalist consultants. They wired Zapier 'because it works' without checking the BAA chain.
No. The assessment runs entirely in your browser. Nothing is sent to a server, nothing is logged, and no answers leave the page. We literally do not collect PHI on the PHI risk assessment. The irony would be too much.
Pause PHI collection on the affected workflow until the high-severity items are closed. The result page links each gap to a specific fix guide. If you want a Jotform HIPAA expert to close them for you, the page also has a CTA into the audit + remediation engagement. We scope it on a 20-minute call and ship a fixed-price proposal.
Run this assessment first. Want me to run this end-to-end on your forms? /contact?subject=HIPAA+audit+and+remediation I'll send a scoped one-pager in 48 hours. Most audit + remediation engagements ship in one to two weeks.
Get the HIPAA checklist, free.
A printable 12-item pre-launch checklist, plus new HIPAA notes and kits when I publish them.
A printable 12-item PDF covering BAAs, PHI in notifications, integration safety, and access review. Delivered to your inbox.