Vendor documentation review

Is Gravity Forms HIPAA Compliant? (2026 Verdict)

Conditionally

Gravity Forms can sit inside a protected WordPress workflow, but the host and every service that stores or receives submissions determine the actual data boundary.

Last verified:

At a glance

BAA available
No
Plan required
Licensed plugin on a separately contracted WordPress stack
Configuration required
Use an eligible host, secure WordPress, minimize add-ons and email, encrypt storage, and audit every response destination.
Category
Forms
Official site
Visit Gravity Forms

What Gravity Forms says officially

Gravity Forms explains its architecture in HIPAA and Gravity Forms . The WordPress plugin runs on the customer’s own site. By default, entries are stored in that WordPress database and are not sent to Gravity Forms. The company therefore says it does not receive PHI through the default plugin and does not provide a BAA for that role.

That boundary changes when a customer adds services. Web hosting, transactional email, payment add-ons, webhooks, CRMs, cloud storage, backups, and support access may each receive form data. Gravity Forms' security documentation makes the site owner responsible for WordPress, server, and account safeguards.

This supports a conditional verdict. The plugin can be part of a protected workflow, but buying a license does not provide a hosted healthcare environment or contracts for the surrounding stack.

What this means for a medical practice

A response is usually written to the WordPress database and may then be placed in notifications . File uploads may sit in a web-accessible directory. Backups can copy both entries and files. Add-ons can send the record to another company immediately.

The practice must also maintain WordPress itself. Administrator accounts, plugin updates, server logs, database access, malware protection, encryption, retention, deletion, and incident response all affect the form. A “secure form” label cannot repair an unmanaged server.

Support procedures need a boundary as well. Never send a real patient entry, database export, or screenshot with PHI to plugin support unless the recipient relationship and transfer method have been approved. Reproduce technical issues with fictional data instead.

Our HIPAAconscious medical website guide recommends mapping this entire route. A disciplined healthcare website redesign should delete old entries, forms, add-ons, and administrator accounts instead of copying them blindly into a new site.

How to use it safely

  1. Decide whether WordPress needs to receive PHI or can embed/link to a separately hosted protected form.
  2. Use a host that will sign an appropriate BAA for the exact hosting, backup, and support services involved.
  3. Harden WordPress with HTTPS, managed accounts, multifactor authentication, minimum permissions, prompt patching, and audit logging.
  4. Encrypt stored submissions and uploads, prevent public file access, and set a documented retention and deletion schedule.
  5. Configure notifications as generic alerts without response values unless the mail provider and mailbox workflow are approved.
  6. Remove unused add-ons and review every active feed, webhook, payment provider, CRM, and automation separately.
  7. Test fictional entries through storage, notifications, files, logs, backups, exports, support, and deletion.

Compliant alternatives

Jotform supplies a hosted healthcare environment and BAA on eligible plans, reducing the number of infrastructure vendors a small practice manages. Formstack offers healthcare account options and a BAA path when a managed form platform is preferred.

Repeat the full data-flow test after any WordPress, plugin, hosting, mail, or integration change.

Bottom line

Gravity Forms does not receive entries in its default self-hosted architecture, so the decisive systems are the WordPress host and connected services. Use it for PHI only inside a contracted, hardened stack with carefully controlled storage, email, add-ons, backups, and administrators.

Frequently asked questions

Does Gravity Forms host submitted PHI?

Gravity Forms says the plugin runs on the customer's WordPress installation and does not send entries to Gravity Forms by default.

Does Gravity Forms sign a BAA for the plugin?

Gravity Forms says it does not need a BAA for the default plugin because it does not receive or store the entries; required agreements must come from hosts and connected providers.

Can Gravity Forms email patient answers?

It can send notifications, but ordinary email may create an unapproved PHI copy. Configure alerts without sensitive answers unless the email path is separately approved.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review