What Typeform says officially
Typeform’s Business Associate Agreement page identifies a specific commercial route. Customers on Enterprise or Growth Custom can request a BAA through their account team or Typeform sales. The page does not document the same agreement for the ordinary self-service plans.
Typeform’s security overview describes encryption, access controls, and plan-dependent account features, but also frames security as a shared responsibility. Those measures are useful evidence about the service; they do not replace the agreement, a risk analysis, or control over response destinations.
The verdict is therefore conditional. Typeform provides an eligible-plan and BAA path, while the practice remains responsible for the questions, respondent experience, workspace access, exports, and connected tools.
What this means for a medical practice
A patient intake can become PHI before the patient reaches an obviously clinical field. A name and email address combined with a form titled “fertility consultation,” for example, can reveal a healthcare relationship. Hidden fields, URL parameters, file uploads, scoring logic, response notifications, and analytics deserve the same review as visible questions.
The response path matters after submission. Typeform may send an email, call a webhook, update a spreadsheet, create a CRM record, or pass data to an automation platform. A BAA with Typeform covers only the contracted Typeform relationship; it should not be read as a blanket agreement for every destination selected by the customer.
That distinction is central to a HIPAAconscious medical website . Embedding an eligible form does not make the surrounding analytics and scripts suitable for PHI. A useful patient engagement workflow collects only what staff can protect and act on.
How to use it safely
- Obtain an Enterprise or Growth Custom proposal that identifies the Typeform services the practice will use.
- Request and execute Typeform’s BAA before creating a live form that accepts PHI.
- Keep the form in a practice-owned workspace. Require strong authentication and limit access to staff who need the responses.
- Collect the minimum necessary data and avoid placing PHI in URLs, form names, tracking parameters, or public confirmation pages.
- Review email notifications so they alert staff without copying patient answers into an unapproved mailbox.
- Inventory webhooks, spreadsheets, CRMs, analytics, file storage, payment tools, and automation services. Disable any connection that lacks an approved data path.
- Submit test responses and trace every copy, export, deletion, and access log before launch.
Compliant alternatives
Jotform offers a BAA on Gold and Enterprise and includes an upgrade wizard that checks forms before moving them into its HIPAA environment. Google Forms can be used inside an eligible Google Workspace organization after the administrator accepts Google’s BAA and limits the workflow to covered functionality.
Repeat the response-path test after any form edit, account change, webhook, notification, add-on, or destination is introduced.
Bottom line
Typeform has a documented BAA route for Enterprise and Growth Custom customers. Do not place PHI in a standard account or assume an embedded form covers connected tools. Contract for the eligible service, restrict the workspace, and verify the entire response path.