This article is for informational purposes only and does not constitute legal advice. Consult a qualified healthcare compliance attorney for guidance specific to your organization.
Any healthcare organization collecting patient data through online forms must meet HIPAA’s technical and administrative requirements. This guide explains what those requirements actually mean, who is legally obligated to meet them, what violations cost, and what to look for when evaluating any online form tool — including common misconceptions that lead to accidental non-compliance.
What is HIPAA compliance?
The Health Insurance Portability and Accountability Act (HIPAA), signed in 1996, sets the federal standard for protecting sensitive patient health information. For organizations collecting patient data digitally, two rules are directly relevant:
Privacy Rule: governs how Protected Health Information (PHI) may be used and disclosed. PHI is any individually identifiable health information. The Rule's safe-harbor de-identification standard (45 CFR §164.514(b)) lists 18 identifiers that must be stripped before data stops being PHI, among them names, dates more specific than a year, geographic units smaller than a state, phone numbers and email addresses, medical record numbers, health plan beneficiary numbers, IP addresses, and any other unique identifying number or code. A diagnosis, reason for visit, or treatment note linked to any of those identifiers is PHI.
Security Rule: sets administrative, physical, and technical safeguards for electronic PHI (ePHI). This is the rule with the most direct implications for online forms. Its technical safeguards require access controls, audit controls, integrity protection, person or entity authentication, and transmission security, and list encryption and automatic logoff as "addressable" implementation specifications (you must implement them or document why an equivalent measure is reasonable). The Rule is technology-neutral: it names no algorithms or key lengths, which is why NIST guidance is used to fill that gap.
Both rules apply simultaneously. The Privacy Rule determines what you’re allowed to do with data; the Security Rule determines how you must protect it while you do it.
The rules are enforced by the HHS Office for Civil Rights (OCR). OCR conducts complaint-driven investigations, compliance reviews triggered by breach reports, and periodic audit programs, and its recent settlements increasingly involve web-facing systems such as patient portals.
Who needs to be HIPAA compliant?
HIPAA applies to two categories of organizations. Many healthcare businesses fall into both.
Covered Entities
Health plans and healthcare clearinghouses are Covered Entities outright. A healthcare provider is a Covered Entity if it transmits any health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, referral authorizations, and the like):
- Healthcare providers: doctors, hospitals, clinics, dentists, therapists, chiropractors, pharmacies
- Health plans: insurance companies, HMOs, employer-sponsored health plans, Medicare and Medicaid
- Healthcare clearinghouses: organizations that process non-standard health information into standard formats
Note that "healthcare provider" is defined broadly. A solo therapist in private practice, a telehealth startup, and a multi-hospital network are all Covered Entities once they submit a claim electronically or run any other standard transaction, and in practice almost every provider that bills insurance does.
Business Associates
Any third-party vendor or contractor that handles PHI on behalf of a Covered Entity is a Business Associate. This includes:
- Online form builders and patient intake platforms
- Cloud storage providers where form data is stored
- Email and fax services used to transmit patient information
- Billing and coding services
- IT support companies with access to systems storing PHI
- Legal, accounting, or consulting firms that review patient records
A Business Associate Agreement (BAA) is legally required before any PHI flows through a third-party tool. Without a signed BAA, using that tool is itself a HIPAA violation, regardless of whether a breach occurs. The one narrow exception is a pure conduit such as an ISP or a carrier that merely transports data and touches it only transiently; a form builder that stores submissions is not a conduit.
Practical implication: If you use an online form to collect patient intake information, appointment requests, or insurance details, the form builder must be HIPAA compliant and must sign a BAA with your organization. Using a general-purpose form tool without a BAA exposes your practice to liability.
What are the penalties for HIPAA violations?
HIPAA violations are enforced by OCR and carry civil penalties scaled to the violator's level of knowledge and culpability:
| Violation category | Per-violation penalty (statutory range) | Annual cap (OCR 2019 enforcement discretion) |
|---|---|---|
| Did not know | $100 – $50,000 | $25,000 |
| Reasonable cause | $1,000 – $50,000 | $100,000 |
| Willful neglect (corrected within 30 days) | $10,000 – $50,000 | $250,000 |
| Willful neglect (not corrected) | $50,000 minimum | $1,500,000 |
The per-violation ranges are the tiers set by the HITECH Act; the annual caps are the per-tier limits OCR adopted in its 2019 Notice of Enforcement Discretion. Both are adjusted annually for inflation: under the 2024 adjustment the lowest tier begins at $141 per violation and the highest annual cap is $2,134,831. Each affected record or each day of non-compliance can count as a separate violation, which is how settlements reach six or seven figures.
Criminal penalties (42 U.S.C. §1320d-6) apply to individuals who knowingly obtain or disclose PHI: up to one year in prison for a knowing violation, up to five years where false pretenses are involved, and up to ten years where the intent is to sell the data or cause harm, with fines up to $250,000.
State attorneys general can also bring independent HIPAA enforcement actions, sometimes resulting in additional penalties on top of federal fines.
Recent enforcement examples:
- In 2025, OCR settled with Deer Oaks Behavioral Health for $225,000 after patient discharge summaries remained publicly accessible online for over 18 months due to a coding error in a discontinued patient portal. OCR’s investigation found the core failure was an inadequate risk analysis — a foundational Security Rule requirement.
- In 2022, OCR settled with New England Dermatology for $300,640 after patient information on specimen container labels was discarded in an unsecured dumpster — a reminder that HIPAA covers physical handling of PHI as well.
Ignorance is not a legal defense. OCR’s position is that each Covered Entity and Business Associate has an obligation to understand the rules and verify compliance proactively.
What HIPAA requires from online forms
The Security Rule's technical safeguards (45 CFR §164.312) cover access control, audit controls, integrity, person or entity authentication, and transmission security; the Business Associate contract is an organizational requirement under §164.314. Mapped onto an online form tool, that produces six things to verify:
1. Encryption at rest and in transit
ePHI must be encrypted when stored on servers and when transmitted between a patient's browser and the server. Encryption is an "addressable" specification under the Rule, but in practice OCR treats the absence of encryption without a documented, equivalent alternative as a failure. NIST recommends AES (128- or 256-bit keys) for data at rest and TLS 1.2 or higher for data in transit. Encryption that follows NIST guidance also matters for breach notification: HHS treats properly encrypted ePHI as "secured", so losing an encrypted disk or backup does not by itself trigger notification, whereas losing unencrypted data does. HTTPS alone is not sufficient: it covers only the browser-to-server hop, and the data must also be encrypted on disk.
2. Access controls
Only authorized individuals should be able to view patient form submissions. The Rule requires a unique identifier per user (§164.312(a)(2)(i)), so generic shared logins for your entire staff do not satisfy it. On top of that you need role-based permissions: an intake coordinator should be able to view submissions but not necessarily download raw data exports; a billing administrator may need different access than a clinician. Permissions should be deny-by-default, so that a role not explicitly granted an action cannot perform it.
3. Audit controls
Systems must maintain logs recording who accessed PHI, when, what actions they took, and whether the attempt succeeded; denied and failed attempts are as important as successful ones when investigating misuse. These logs must be retained and available for review during a HIPAA audit. Audit logs are one of the first things OCR requests during an investigation.
4. Automatic session timeout
To prevent unauthorized access to unattended workstations, sessions must automatically terminate after a defined period of inactivity (the Rule calls this "automatic logoff", an addressable specification). The Rule does not specify an exact period; common practice in healthcare settings is a screen lock after 15 minutes and full session termination after 30 minutes of inactivity.
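The three safeguards above (role-based access control, audit logging, and idle-session timeouts) are usually enforced together at the point where a request to view or export a submission is handled. The following is an added illustration, not PlatoForms' code or any vendor's configuration: a deny-by-default authorization gate that first checks whether the session is still live, then whether the caller's role grants the action, and writes an audit record for every decision, including denials. The role names, permission strings, user IDs and the 15/30-minute thresholds are illustrative assumptions.

```python
"""Added example (not PlatoForms code): a deny-by-default authorization
gate for form-submission requests that enforces idle-session timeouts and
writes an audit record for every decision, including denials.

Role names, permission strings and the 15/30-minute thresholds are
illustrative assumptions, not the page's or any vendor's configuration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> permissions. Deny by default: anything not listed here is refused,
# and an unknown role gets no permissions at all.
ROLE_PERMISSIONS = {
    "intake_coordinator": {"submission:view"},
    "billing_admin": {"submission:view", "submission:export"},
    "clinician": {"submission:view", "submission:edit"},
    "team_admin": {"submission:view", "submission:edit", "submission:export",
                   "submission:delete", "audit:read"},
}

LOCK_AFTER = timedelta(minutes=15)    # screen lock: password required to unlock
LOGOUT_AFTER = timedelta(minutes=30)  # session terminated: full re-authentication


@dataclass
class Session:
    user_id: str          # unique per person; no shared logins
    role: str
    last_activity: datetime


@dataclass
class AuditLog:
    """Append-only list of who / what / when / outcome records."""
    entries: list = field(default_factory=list)

    def record(self, who, action, target, outcome, at):
        self.entries.append({"who": who, "action": action, "target": target,
                             "outcome": outcome, "at": at.isoformat()})


def session_state(session, now):
    """'active', 'locked' (>= 15 min idle) or 'expired' (>= 30 min idle)."""
    idle = now - session.last_activity
    if idle >= LOGOUT_AFTER:
        return "expired"
    if idle >= LOCK_AFTER:
        return "locked"
    return "active"


def authorize(session, action, target, audit, now):
    """Return True only if the session is live AND the role grants the action.
    Every decision, allowed or denied, is written to the audit log."""
    state = session_state(session, now)
    if state != "active":
        audit.record(session.user_id, action, target, f"denied:session_{state}", now)
        return False
    session.last_activity = now  # any request on a live session counts as activity
    allowed = action in ROLE_PERMISSIONS.get(session.role, set())
    audit.record(session.user_id, action, target,
                 "allowed" if allowed else "denied:permission", now)
    return allowed


def demo():
    """Walk one intake coordinator through the common cases; returns the log."""
    audit = AuditLog()
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    sess = Session("u-coord", "intake_coordinator", last_activity=t0)
    authorize(sess, "submission:view", "sub-42", audit, t0 + timedelta(minutes=5))    # allowed
    authorize(sess, "submission:export", "sub-42", audit, t0 + timedelta(minutes=6))  # denied:permission
    authorize(sess, "submission:view", "sub-42", audit, t0 + timedelta(minutes=22))   # denied:session_locked
    authorize(sess, "submission:view", "sub-42", audit, t0 + timedelta(minutes=40))   # denied:session_expired
    return audit.entries


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two design points worth copying when evaluating a real product: the audit record is written before the decision is returned, so a denied export attempt is visible to whoever reviews the log, and a locked or expired session never refreshes its activity timestamp, so an attacker cannot keep a stale session alive by hammering it with requests.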
5. Business Associate Agreement
Before any ePHI flows through a third-party tool, a signed BAA must be in place. The BAA makes the vendor directly accountable for the Security Rule on its side and spells out breach reporting and subcontractor obligations. Without it, your organization remains fully liable for any PHI that passes through that vendor's system, and has no contractual basis for demanding the vendor's cooperation after an incident.
6. Integrity controls
Systems must have mechanisms to detect whether ePHI has been improperly altered or destroyed, for example checksums or digital signatures on submitted documents. This is particularly relevant for consent forms and treatment authorizations. Note the caveat a reviewer should raise: a plain checksum stored next to the document only catches accidental corruption, because anyone able to rewrite the document can usually rewrite the stored checksum too. Tamper evidence requires the checksum to be bound by a key the attacker does not hold (a digital signature or keyed hash) or to be stored where the attacker cannot reach it.
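To make the checksum-versus-signature distinction concrete, here is an added example (not the page's or PlatoForms' own implementation) that produces an integrity record for a submitted document in two ways: a bare SHA-256 digest stored beside the file, and the same digest plus signer metadata authenticated with an HMAC under a server-held key. It then plays the attacker who edits the consent form and recomputes the digest, and shows which design notices. The document bytes, signer ID, timestamp and key are constructed for the example.

```python
"""Added example (not the page's or PlatoForms' implementation): a
tamper-evident integrity record for a submitted document.

A bare SHA-256 checksum only proves a file matches *some* stored digest; an
attacker who can rewrite the document can usually rewrite the digest too.
Binding the digest and signing metadata under a server-held key (HMAC) means
neither can be changed without the key. Document bytes, signer ID, timestamp
and key are constructed for the example."""
import hashlib
import hmac
import json
import os

# In production this lives in a secrets manager / KMS and is rotated; the
# verifying service must hold the same key.
INTEGRITY_KEY = os.urandom(32)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_only_record(doc: bytes) -> dict:
    """The weak design: digest stored beside the document, unauthenticated."""
    return {"sha256": sha256_hex(doc)}


def checksum_only_verify(doc: bytes, record: dict) -> bool:
    return hmac.compare_digest(record["sha256"], sha256_hex(doc))


def make_integrity_record(doc: bytes, signer_id: str, signed_at: str,
                          key: bytes = None) -> dict:
    """Digest + signing metadata, authenticated with a keyed hash."""
    key = INTEGRITY_KEY if key is None else key
    payload = json.dumps({"sha256": sha256_hex(doc), "signer": signer_id,
                          "signed_at": signed_at}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "hmac": tag}


def verify_integrity(doc: bytes, record: dict, key: bytes = None) -> tuple:
    """Returns (ok, reason). Checks the record's tag first, then the document."""
    key = INTEGRITY_KEY if key is None else key
    expected = hmac.new(key, record["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["hmac"]):
        return False, "record tampered"
    meta = json.loads(record["payload"])
    if not hmac.compare_digest(meta["sha256"], sha256_hex(doc)):
        return False, "document altered"
    return True, "ok"


def demo(key: bytes = b"k" * 32) -> dict:
    """Constructed consent form; an attacker then edits it and re-hashes."""
    original = b"%PDF-1.4 CONSENT: patient agrees to procedure A\n"
    forged = b"%PDF-1.4 CONSENT: patient agrees to procedures A and B\n"
    signed_at = "2025-01-01T09:00:00Z"

    weak = checksum_only_record(original)
    strong = make_integrity_record(original, "patient-123", signed_at, key)

    # Attacker replaces the document and recomputes the stored digest.
    weak_forged = checksum_only_record(forged)
    strong_forged = dict(strong)  # keeps the old HMAC tag, which no longer matches
    strong_forged["payload"] = json.dumps(
        {"sha256": sha256_hex(forged), "signer": "patient-123",
         "signed_at": signed_at}, sort_keys=True)

    return {
        "weak_accepts_forgery": checksum_only_verify(forged, weak_forged),
        "strong_on_forged_doc": verify_integrity(forged, strong, key),
        "strong_on_rewritten_record": verify_integrity(forged, strong_forged, key),
        "strong_on_original": verify_integrity(original, strong, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak design accepts the forgery outright. The keyed design rejects the edited document, and when the attacker also rewrites the stored digest it rejects the record itself, because the HMAC tag no longer matches. A public-key signature gives the same property while letting a third party verify the record without holding the secret; a keyed hash is enough when the same service both creates and checks the record.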
Common misconceptions
These misunderstandings frequently lead to accidental non-compliance:
“We use HTTPS, so we’re covered.”
HTTPS encrypts data in transit only, and only on the hop between the browser and the server. The Security Rule also requires encryption at rest (or a documented equivalent). A form that sends data over HTTPS but stores it unencrypted on a server does not comply, and a submission that is then forwarded by plain email notification has left the HTTPS protection entirely. HTTPS also says nothing about access controls, audit logs, or session management.
“We use Google Forms / Typeform / JotForm.”
Google offers a BAA only for paid Google Workspace accounts; a Google Form created under a free consumer Google account has no BAA behind it and cannot be used for PHI. Typeform requires an Enterprise or Growth Custom plan to access a BAA; standard plans do not include one. JotForm requires a Gold or Enterprise plan for HIPAA features and a signed BAA; Free, Bronze, and Silver plans are excluded. If you are on a standard plan for any of these tools, using them to collect PHI is a HIPAA violation regardless of how the data is handled afterward. Plan tiers change; always verify your current plan's BAA eligibility directly with the vendor before collecting any PHI.
“Our practice is too small to matter.”
HIPAA applies to all Covered Entities regardless of size. OCR has issued penalties against solo practitioners and small clinics. The “did not know” penalty tier still carries fines up to $50,000 per violation.
“We only collect appointment requests, not medical records.”
Appointment requests that include a patient’s name, contact information, and reason for visit (which typically includes health information) constitute PHI. Intake forms, insurance verification forms, and consent forms all fall under HIPAA jurisdiction.
“Our IT team handles HIPAA — we don’t need to worry about forms.”
HIPAA compliance applies to every system that touches PHI, not just your EHR. Each tool must be individually evaluated and, if it’s a third-party service, covered by a BAA.
How to evaluate any form tool
Before using any online form tool to collect patient data, verify the following. These apply to any vendor, not just PlatoForms:
1. Does the vendor sign a BAA?
Ask for it directly. If a vendor declines to sign a BAA or says it’s unnecessary, do not use their tool for PHI. A BAA template review by your legal counsel before signing is advisable.
2. Where is data stored, and is it encrypted at rest?
Ask the vendor to confirm their encryption standard for stored data (AES-256 is the current best practice) and the geographic location of their servers. Data residency can matter for state-level compliance requirements.
3. Does the platform have role-based access controls?
Can you assign different permissions to different team members? Can you restrict who can view, download, or delete submissions?
4. Are audit logs available?
Can you export a log of all access and authentication events for your account? Are logs retained long enough to support a HIPAA audit? HIPAA's documentation retention period is six years (45 CFR §164.316(b)(2)), and most organizations apply the same floor to audit logs.
5. Does the platform enforce session timeouts?
Are sessions automatically terminated after inactivity? Is this configurable, or fixed by the vendor?
6. Does the vendor have independent security certifications?
SOC 2 Type II is the most common third-party security attestation for SaaS companies. A SOC 2 report does not guarantee HIPAA compliance, but it shows the vendor undergoes independent review of its controls over time. Note: PlatoForms' own SOC 2 report is currently planned; the underlying AWS infrastructure that hosts PlatoForms data is covered by AWS's SOC 2 Type II report. An inherited infrastructure report covers the data centers and platform services only; application-level controls such as access management and audit logging remain the vendor's own responsibility.
7. How long is form data retained?
HIPAA requires that required documentation (policies, risk analyses, BAAs, and records of compliance activities) be kept for at least six years from its creation or last effective date; retention periods for the medical records themselves are set by state law and payer contracts. Verify the vendor's default data retention policy, whether you can configure it, and how data is destroyed when retention ends.
How PlatoForms meets every requirement
PlatoForms provides HIPAA compliance as a built-in account feature on Silver and Gold plans. When enabled, all technical safeguards activate automatically.
AES-256 encryption and TLS 1.2+
All form data is encrypted at rest using AES-256 and in transit using TLS 1.2+. This applies to every submission, PDF, and attachment from the moment a patient begins filling out the form.
Secure domain
After enabling HIPAA, all published forms move from form.platoforms.com to secure.platoforms.com. If you have used any embed script or sharing URL, update them within 7 days — old URLs and embed scripts stop working after that. If you use a custom domain, the share URL stays the same, but embed scripts still need to be updated.
Automatic lock and logout
- 15-minute auto-lock — the page locks after inactivity; password required to unlock
- 30-minute auto-logout — session ends completely after 30 minutes of inactivity or when the browser closes
Team audit log
Team Admins have access to a full audit log recording every sharing, authentication, and access event across the team. Regularly reviewing these logs is recommended to detect unusual behavior and support compliance documentation. See how to use the audit log.
Role-based access controls
Granular permissions let you control exactly which team members can view, edit, or download form submissions.
Two-factor authentication
2FA can be enabled per account or made mandatory for all team members.
Signed Business Associate Agreement
When HIPAA compliance is activated, PlatoForms sends a signed BAA to the Team Admin’s email. A downloadable BAA template is also available in the Trust Center.
E-signatures with tamper-evident certificates
Each signature certificate captures the signer’s timestamp, IP address, and a SHA-256 checksum of the submitted PDF — creating a verifiable integrity record for consent forms, treatment authorizations, and patient agreements.
Configurable data retention
For HIPAA-compliant accounts, data retention defaults to “Forever”, ensuring submission data is retained to meet HIPAA standards. See the data retention policy for full details.
Getting started
HIPAA compliance is available on Silver and Gold plans at no additional cost.
1. Subscribe to a Silver or Gold plan (upgrade from your account dashboard)
2. Go to your Team page on the Dashboard
3. Click Enable HIPAA Compliance for Your Team and follow the prompts
4. PlatoForms upgrades all team accounts and sends the signed BAA to the Team Admin's email
For a complete technical walkthrough, see the HIPAA compliance documentation. For security architecture, certifications, and downloadable compliance documents, visit the Trust Center.
For the HHS Security Rule guidance, refer to the official HHS resource page.
Ready to collect patient data securely? Start a free trial and enable HIPAA compliance from day one.