HIPAA-Compliant Survey & Patient Intake Form Software (2026)

Patient intake forms, treatment-outcome surveys, and PHQ-9 / GAD-7 style assessments collect PHI by design. Free survey tools (Google Forms, basic Typeform, basic SurveyMonkey) do NOT sign BAAs. This guide compares survey and form platforms that are HIPAA-eligible for healthcare research and clinical operations.

Skip the manual work — generate your HIPAA pack in 15 minutes

PoliWriter generates all the policies, mappings, and audit-ready artifacts referenced in this guide — customized to your AWS / GitHub / Okta stack. 60+ integrations, continuous monitoring, evidence collection — at a fraction of Vanta's price.

Monthly billing · cancel anytime · 30-day money-back guarantee

Conditional — survey & form software can be HIPAA compliant with configuration

Formstack Healthcare, JotForm HIPAA plan, SurveyMonkey Enterprise, REDCap, and Qualtrics offer HIPAA-eligible plans with signed BAA. Google Forms, basic Typeform, Microsoft Forms (personal), and free SurveyMonkey do NOT qualify.

Compliance Assessment

Aspect: Formstack (Healthcare)
Status: Yes
Healthcare-specific Formstack tier with BAA, e-signatures, EHR integration, and HIPAA-aware form templates.

Aspect: JotForm HIPAA
Status: Yes
JotForm offers a HIPAA-eligible plan with BAA at the Bronze tier and above. Includes encrypted submissions, audit logs, and signed PDF outputs.

Aspect: SurveyMonkey Enterprise (HIPAA)
Status: With Configuration
HIPAA-eligible on the Enterprise plan with a signed BAA. Lower SurveyMonkey tiers (Basic, Advantage, Premier) do NOT qualify.

Aspect: REDCap
Status: Yes
Open-source, research-focused data capture platform widely used in academic medical centers. HIPAA compliant when deployed on covered infrastructure with appropriate access controls.

Aspect: Qualtrics Healthcare
Status: Yes
Enterprise-grade survey platform with HIPAA-specific contract and BAA. Strong analytics and EHR integration.

Aspect: Google Forms
Status: No
Google does not extend the Workspace BAA to Forms. Even on a HIPAA-eligible Workspace plan, Google Forms is OUT of scope.

Aspect: Typeform (free / basic) / Microsoft Forms (personal)
Status: No
No BAA. Do not collect patient information in standard Typeform or personal Microsoft Forms.

Business Associate Agreement (BAA)

BAA is available

Formstack Healthcare and JotForm HIPAA include the BAA by default on their healthcare tiers. SurveyMonkey BAA is Enterprise-only. REDCap BAA depends on the hosting institution (most academic medical centers handle it through their hosting contract). Qualtrics BAA requires Enterprise contract.

How to Make Survey & Form Software HIPAA Compliant

1. Sign the BAA before collecting any patient-submitted PHI.
2. Encrypt submissions at rest and in transit (default on the HIPAA-eligible platforms above).
3. Limit form fields to the minimum necessary — don't collect SSN, full DOB, or detailed clinical history unless strictly needed.
4. Configure audit logging with ≥ 6-year retention.
5. Disable email notifications that include PHI in plain text; use secure messaging or in-portal review instead.
6. For research data, store de-identified copies separately for analytics; keep PHI versions in HIPAA-eligible infrastructure.
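The steps above carried into code, as an added example that is not code from any platform named on this page: a minimum-necessary allow-list enforced when a submission is ingested (step 3), a reviewer notification that carries only a link and is checked for leaked field values before it is sent (step 5), and a Safe Harbor style de-identified copy for analytics that drops direct identifiers, keeps only the year of dates, aggregates ages over 89, and truncates ZIP codes to three digits (step 6). The field names, the two sample submissions, the portal URL, and the HMAC key are constructed; the low-population ZIP3 set is illustrative and must be taken from current census data in practice.

```python
"""Minimum-necessary intake validation, PHI-free notifications, and
Safe Harbor de-identification of survey submissions.

Added example: assumes the survey platform exports each submission as a
flat JSON-like dict. All field names and sample values are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from datetime import date

# Step 3: allow-list for a constructed PHQ-9 intake form. Any field not
# listed here (e.g. "ssn") is rejected before the submission is stored.
ALLOWED_FIELDS = {
    "submission_id", "patient_name", "date_of_birth", "zip", "email",
    "phq9_total", "submitted_on",
}

# Constructed key for pseudonymising submission ids. In practice this is a
# managed secret held in the PHI environment, never in the analytics copy.
PSEUDONYM_KEY = b"constructed-demo-key-replace-with-managed-secret"

# ZIP3 areas whose population is 20,000 or fewer must be reported as "000"
# under Safe Harbor. Illustrative subset; derive the real set from census data.
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790"}

# Constructed sample submissions and a fixed "as of" date for reproducibility.
AS_OF = date(2026, 3, 1)
SAMPLE_SUBMISSION = {
    "submission_id": "sub-001",
    "patient_name": "Jane Doe",
    "date_of_birth": "1990-06-15",
    "zip": "10301",
    "email": "jane@example.com",
    "phq9_total": 12,
    "submitted_on": "2026-02-14",
}
SAMPLE_ELDERLY = {**SAMPLE_SUBMISSION, "submission_id": "sub-002",
                  "date_of_birth": "1930-01-01", "zip": "03601"}


def disallowed_fields(submission: dict) -> list[str]:
    """Return fields that fall outside the minimum-necessary allow-list."""
    return sorted(set(submission) - ALLOWED_FIELDS)


def _age_bucket(dob_iso: str, today: date) -> str:
    """Age in whole years; ages over 89 are aggregated into a single bucket."""
    y, m, d = map(int, dob_iso.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    return "90+" if age > 89 else str(age)


def _zip3(zip_code: str) -> str:
    """First three ZIP digits, or "000" for low-population ZIP3 areas."""
    z3 = zip_code[:3]
    return "000" if z3 in LOW_POPULATION_ZIP3 else z3


def pseudonym(submission_id: str) -> str:
    """Keyed hash so analytics rows stay linkable without exposing the id."""
    mac = hmac.new(PSEUDONYM_KEY, submission_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def deidentify(submission: dict, today: date = AS_OF) -> dict:
    """Step 6: analytics copy with direct identifiers removed and quasi-
    identifiers generalised. Refuses submissions that fail step 3."""
    bad = disallowed_fields(submission)
    if bad:
        raise ValueError(f"fields outside minimum-necessary allow-list: {bad}")
    return {
        "record": pseudonym(submission["submission_id"]),
        "age": _age_bucket(submission["date_of_birth"], today),
        "zip3": _zip3(submission["zip"]),
        "year": int(submission["submitted_on"][:4]),
        "phq9_total": submission["phq9_total"],
    }


def notification(submission: dict, portal_url: str) -> str:
    """Step 5: reviewer notification that carries a link, never the contents.
    Any submitted value other than the id appearing in the text is a leak."""
    text = (f"A new intake submission is ready for review: "
            f"{portal_url}/submissions/{submission['submission_id']}")
    leaked = [k for k, v in submission.items()
              if k != "submission_id" and str(v) in text]
    if leaked:
        raise ValueError(f"notification would leak PHI fields: {leaked}")
    return text


if __name__ == "__main__":
    print(disallowed_fields({**SAMPLE_SUBMISSION, "ssn": "000-00-0000"}))
    print(deidentify(SAMPLE_SUBMISSION))
    print(deidentify(SAMPLE_ELDERLY))
    print(notification(SAMPLE_SUBMISSION, "https://intake.example.test"))
```

The de-identified copy keeps only what the analysis needs (age, ZIP3, year, score) plus a keyed pseudonym; the key stays in the PHI environment so the analytics copy cannot be re-linked to patients by anyone holding only that copy.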

Limitations

  • Conditional logic and "save and continue" features can persist drafts to less-protected storage; verify.
  • File-upload fields can introduce malware and PHI exposure if not virus-scanned within the BAA-covered platform.
  • Third-party integrations (Zapier, Slack, etc.) commonly export form data to non-BAA-covered destinations; audit each.
  • Public-share links to forms can be discovered/forwarded; use authenticated portals for sensitive intake when possible.

Frequently Asked Questions

Is Google Forms HIPAA compliant?

No. Google does NOT extend the Workspace BAA to Google Forms — even on the highest Workspace plans. Do not collect patient information in Google Forms. Use a HIPAA-eligible alternative like Formstack Healthcare or JotForm HIPAA.

Is JotForm HIPAA compliant?

Yes — JotForm offers a HIPAA-eligible plan (Bronze and above) that includes a Business Associate Agreement, encrypted submissions, signed PDF outputs, and audit logging. The free JotForm plan and Silver tier without HIPAA mode do not qualify.

Is SurveyMonkey HIPAA compliant?

Only the SurveyMonkey Enterprise tier with a signed BAA is HIPAA compliant. Basic, Advantage, and Premier SurveyMonkey plans do NOT include a BAA.

Is REDCap HIPAA compliant?

REDCap itself is software — it is HIPAA compliant when deployed on appropriately secured infrastructure (typically at an academic medical center under an institutional BAA). The hosting institution handles the BAA, not REDCap directly.

Can I use Typeform for patient intake?

Only the Enterprise plan offers HIPAA terms; standard Typeform plans do not have a BAA. For non-PHI surveys (employee NPS, public outreach), Typeform standard is fine.

What forms can I send via email if I am using a HIPAA-compliant survey tool?

You can email a link to the survey. Do NOT email the form-submission contents in plain text. Configure the survey tool to keep PHI inside the platform; reviewers log in to the platform to see submissions.

Generate your full HIPAA pack with PoliWriter

Generate HIPAA policies for your stack

PoliWriter creates all the HIPAA policies you need, customized to tools like the survey & form software above and your specific configuration. AI-powered, audit-ready, hours not months.