What Gravity Forms says officially
Gravity Forms explains its architecture in HIPAA and Gravity Forms . The WordPress plugin runs on the customer’s own site. By default, entries are stored in that WordPress database and are not sent to Gravity Forms. The company therefore says it does not receive PHI through the default plugin and does not provide a BAA for that role.
That boundary changes when a customer adds services. Web hosting, transactional email, payment add-ons, webhooks, CRMs, cloud storage, backups, and support access may each receive form data. Gravity Forms' security documentation makes the site owner responsible for WordPress, server, and account safeguards.
This supports a conditional verdict. The plugin can be part of a protected workflow, but buying a license does not provide a hosted healthcare environment or contracts for the surrounding stack.
What this means for a medical practice
A response is usually written to the WordPress database and may then be placed in notifications . File uploads may sit in a web-accessible directory. Backups can copy both entries and files. Add-ons can send the record to another company immediately.
The practice must also maintain WordPress itself. Administrator accounts, plugin updates, server logs, database access, malware protection, encryption, retention, deletion, and incident response all affect the form. A “secure form” label cannot repair an unmanaged server.
Support procedures need a boundary as well. Never send a real patient entry, database export, or screenshot with PHI to plugin support unless the recipient relationship and transfer method have been approved. Reproduce technical issues with fictional data instead.
Our HIPAAconscious medical website guide recommends mapping this entire route. A disciplined healthcare website redesign should delete old entries, forms, add-ons, and administrator accounts instead of copying them blindly into a new site.
How to use it safely
- Decide whether WordPress needs to receive PHI or can embed/link to a separately hosted protected form.
- Use a host that will sign an appropriate BAA for the exact hosting, backup, and support services involved.
- Harden WordPress with HTTPS, managed accounts, multifactor authentication, minimum permissions, prompt patching, and audit logging.
- Encrypt stored submissions and uploads, prevent public file access, and set a documented retention and deletion schedule.
- Configure notifications as generic alerts without response values unless the mail provider and mailbox workflow are approved.
- Remove unused add-ons and review every active feed, webhook, payment provider, CRM, and automation separately.
- Test fictional entries through storage, notifications, files, logs, backups, exports, support, and deletion.
Compliant alternatives
Jotform supplies a hosted healthcare environment and BAA on eligible plans, reducing the number of infrastructure vendors a small practice manages. Formstack offers healthcare account options and a BAA path when a managed form platform is preferred.
Repeat the full data-flow test after any WordPress, plugin, hosting, mail, or integration change.
Bottom line
Gravity Forms does not receive entries in its default self-hosted architecture, so the decisive systems are the WordPress host and connected services. Use it for PHI only inside a contracted, hardened stack with carefully controlled storage, email, add-ons, backups, and administrators.