Is JotForm a HIPAA compliant forms provider? (2026 update)

Jotform is an online form-building company that allows organizations to collect registrations, applications, orders, and payments. The company provides several form templates for its clients and a drag-and-drop creation tool for straightforward use by customers.

Is Jotform HIPAA compliant? Yes, Jotform can be HIPAA compliant for certain plan levels.

What changed this year?

As of May 2026, our review did not identify any publicly disclosed changes to Jotform HIPAA-related policies or BAA terms.

Will Jotform sign a business associate agreement (BAA)?

Yes, Jotform will sign a business associate agreement, which can be reviewed here.

What does the Jotform BAA cover?

The Jotform BAA covers the use and disclosure of protected health information (PHI), stating, “We offer a Business Associate Agreement (BAA) for HIPAA customers who operate in the USA and who have enabled HIPAA compliance features in their account. Our BAA’s contractual terms meet HIPAA requirements and reflect our data privacy and security commitments to our clients.”

Their BAA covers:

• The overall protection of PHI
• PHI segmentation
• Auditing, logging, and scanning
• Backups every 24 hours
• Notifications of PHI use or disclosure and security incidents
• Notifications of the breach of unsecured PHI
• Access by HHS requests

What does the Jotform BAA exclude?

Jotform only signs a BAA with its Gold or Enterprise customers. Its other plans are excluded from its BAA, and only Enterprise customers can customize an agreement. Jotform further states that customers must always use HIPAA-enabled accounts; any other use is strictly prohibited and not covered by the BAA. What this means is that the customer:

• Must only copy forms to other HIPAA-enabled accounts
• Agrees that Jotform is not responsible for PHI once it is exported
• Acknowledges that PHI shared via Jotform abides by its terms of services and regulations
• If using third-party integrations, enters into agreements with those business associates before using or disclosing PHI

Within the BAA, Jotform adds, “Jotform is a tool for securely collecting complex information using customizable forms. Jotform is not an electronic health record or other medical record system and should not be used to maintain a Designated Record Set or relied upon directly to provide patient care. Information collected via Jotform must be transferred into an appropriate system of record (for example, an electronic health record) in accordance with appropriate processes to assure confidentiality, accuracy and availability before being used for patient care.”

Conclusion

Jotform can be HIPAA compliant for its Gold or Enterprise customers, but not users on a lower plans.

Learn more: HIPAA Compliant Email: The Definitive Guide

FAQS

What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of personal health information (PHI) as required by HIPAA regulations.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.