Vendor documentation review

Is Typeform HIPAA Compliant? (2026 Verdict)

Conditionally

Typeform offers a BAA for Enterprise and Growth Custom customers, but the form, account, notifications, and integrations still need review.

Last verified:

At a glance

BAA available
Yes
Plan required
Enterprise or Growth Custom
Configuration required
Execute the BAA, restrict account access, minimize PHI, and review notifications and integrations.
Category
Forms
Official site
Visit Typeform

What Typeform says officially

Typeform’s Business Associate Agreement page identifies a specific commercial route. Customers on Enterprise or Growth Custom can request a BAA through their account team or Typeform sales. The page does not document the same agreement for the ordinary self-service plans.

Typeform’s security overview describes encryption, access controls, and plan-dependent account features, but also frames security as a shared responsibility. Those measures are useful evidence about the service; they do not replace the agreement, a risk analysis, or control over response destinations.

The verdict is therefore conditional. Typeform provides an eligible-plan and BAA path, while the practice remains responsible for the questions, respondent experience, workspace access, exports, and connected tools.

What this means for a medical practice

A patient intake can become PHI before the patient reaches an obviously clinical field. A name and email address combined with a form titled “fertility consultation,” for example, can reveal a healthcare relationship. Hidden fields, URL parameters, file uploads, scoring logic, response notifications, and analytics deserve the same review as visible questions.

The response path matters after submission. Typeform may send an email, call a webhook, update a spreadsheet, create a CRM record, or pass data to an automation platform. A BAA with Typeform covers only the contracted Typeform relationship; it should not be read as a blanket agreement for every destination selected by the customer.

That distinction is central to a HIPAAconscious medical website . Embedding an eligible form does not make the surrounding analytics and scripts suitable for PHI. A useful patient engagement workflow collects only what staff can protect and act on.

How to use it safely

  1. Obtain an Enterprise or Growth Custom proposal that identifies the Typeform services the practice will use.
  2. Request and execute Typeform’s BAA before creating a live form that accepts PHI.
  3. Keep the form in a practice-owned workspace. Require strong authentication and limit access to staff who need the responses.
  4. Collect the minimum necessary data and avoid placing PHI in URLs, form names, tracking parameters, or public confirmation pages.
  5. Review email notifications so they alert staff without copying patient answers into an unapproved mailbox.
  6. Inventory webhooks, spreadsheets, CRMs, analytics, file storage, payment tools, and automation services. Disable any connection that lacks an approved data path.
  7. Submit test responses and trace every copy, export, deletion, and access log before launch.

Compliant alternatives

Jotform offers a BAA on Gold and Enterprise and includes an upgrade wizard that checks forms before moving them into its HIPAA environment. Google Forms can be used inside an eligible Google Workspace organization after the administrator accepts Google’s BAA and limits the workflow to covered functionality.

Repeat the response-path test after any form edit, account change, webhook, notification, add-on, or destination is introduced.

Bottom line

Typeform has a documented BAA route for Enterprise and Growth Custom customers. Do not place PHI in a standard account or assume an embedded form covers connected tools. Contract for the eligible service, restrict the workspace, and verify the entire response path.

Frequently asked questions

Does Typeform sign a Business Associate Agreement?

Yes. Typeform says Enterprise and Growth Custom customers can request its BAA through their account team or Typeform sales.

Can a standard Typeform plan collect PHI?

Typeform does not document BAA availability for standard self-service plans. Use an eligible contracted plan and complete the BAA before collecting PHI.

Are Typeform integrations covered by its BAA?

Do not assume so. Each integration and destination that receives form responses requires its own scope, security, and contract review.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review