Vendor documentation review

Is Formstack HIPAA Compliant? (2026 Verdict)

Conditionally

Formstack offers a BAA and healthcare form setup, but the contracted account, form security, notification method, users, and integrations must be verified.

Last verified:

At a glance

BAA available
Yes
Plan required
Healthcare plan or qualifying custom account
Configuration required
Execute the BAA, use the healthcare account, restrict users, secure submissions, and review notifications and integrations.
Category
Forms
Official site
Visit Formstack

What Formstack says officially

Formstack markets healthcare form features with a Business Associate Agreement and a specialized account environment. Its documentation describes encryption, access controls, and settings intended for regulated workflows rather than treating every ordinary form account the same.

The Formstack healthcare guide explains that plan and account configuration affect available controls, including notification delivery. Current Forms pricing directs healthcare buyers toward the relevant commercial arrangement rather than promising the same scope on every self-service tier.

That supports a conditional verdict: Formstack supplies a documented BAA path, but the practice must confirm the exact account and configure the workflow before PHI enters it.

What this means for a medical practice

An intake form may collect demographics, symptoms, insurance, signatures, and files. The response can then be stored in Formstack, emailed, exported, viewed by staff, sent through an integration, or included in an audit record. The protected boundary must account for each copy.

Email is an especially common mistake. A secure submission database does not help if every patient’s answers are also placed in an ordinary mailbox. A generic “new response available” alert with an authenticated link can reduce unnecessary disclosure.

Form ownership and handoff should be explicit. A form copied by a contractor or left in a former employee’s folder can preserve access after launch. Name an internal owner, review permissions on a schedule, and document how a form is retired along with its stored responses and exports.

An embedded form on a HIPAAconscious medical website still interacts with the surrounding page, analytics, and scripts. Good patient engagement collects only information staff can use and routes it directly to the approved team.

How to use it safely

  1. Ask Formstack to identify the current healthcare plan or custom arrangement for the intended forms and response volume.
  2. Execute the BAA and retain the covered-product terms before accepting real patient information.
  3. Keep forms in a practice-owned account, use named users, require strong authentication, and assign minimum roles.
  4. Collect only necessary fields and keep PHI out of public URLs, form titles, and confirmation-page tracking.
  5. Configure storage, encryption, folder access, retention, and deletion according to practice policy.
  6. Use generic notifications or a separately approved secure email method; inspect what appears in subject lines and attachments.
  7. Review payments, e-signatures, webhooks, CRMs, cloud storage, and automation services individually.
  8. Submit fictional records and trace staff access, notifications, exports, integrations, files, and deletion.

Compliant alternatives

Jotform offers a BAA on Gold and Enterprise and a wizard that reviews existing forms before migration. Gravity Forms can keep responses inside a separately contracted WordPress stack, but that choice shifts more hosting, security, and maintenance responsibility to the practice.

Assign an owner to recheck the contracted account and response path whenever a form, plan, integration, or notification rule changes.

Bottom line

Formstack offers a documented healthcare account and BAA path. Use it conditionally: confirm the plan and product scope, secure the account and stored responses, keep PHI out of ordinary email, and verify every integration that receives a submission.

Frequently asked questions

Does Formstack offer a Business Associate Agreement?

Yes. Formstack documents a BAA and specialized healthcare form account path for qualifying customers.

Is every Formstack account intended for PHI?

No. The practice should contract for the healthcare or qualifying custom account and complete the BAA before collecting PHI.

Can Formstack send PHI in notification emails?

Notification behavior is plan- and configuration-dependent. Use generic alerts or an approved secure email route instead of assuming ordinary email is covered.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review