Is JotForm HIPAA Compliant?

The FTC's $14.8 Million Message About Form Data

In 2023 and 2024, the FTC brought enforcement actions against two telehealth companies for a nearly identical violation: sharing patient intake questionnaire responses with advertising platforms through tracking pixels. The combined penalties sent a clear signal that form data is health data, and regulators are watching.

BetterHelp paid $7.8 million after the FTC found that its tracking pixels transmitted mental health intake questionnaire responses, email addresses, and IP addresses to Facebook, Snapchat, Criteo, and Pinterest. The company had even used the fact that users had previously been in therapy to build Facebook lookalike audiences for ad targeting. A recent college graduate with no marketing training had been placed in charge of deciding what user data was uploaded to Facebook.

Cerebral followed with a $7 million FTC settlement after tracking pixels sent patient names, medical histories, prescription information, and mental health symptom questionnaire answers to Meta from 2019 to 2023. Cerebral reported the breach to HHS as affecting 3.2 million individuals. The FTC imposed a first-of-its-kind ban on using health information for most advertising purposes.

Both cases shared a common thread: the forms themselves may have been built with reasonable care, but the pages hosting those forms contained tracking scripts that captured everything a patient typed. The form was compliant. The page was not.

This distinction matters for every healthcare organization evaluating JotForm today.

Where JotForm Gets It Right

JotForm deserves credit for taking HIPAA seriously. Unlike many tools in the marketing technology stack, JotForm has built specific compliance features into its platform:

Business Associate Agreements. JotForm signs BAAs on its Gold plan and above. This means JotForm accepts legal responsibility as a Business Associate under HIPAA for the form data it processes and stores. The BAA covers JotForm's handling of form submissions, file uploads, and payment data collected through its forms.

Encryption and access controls. HIPAA-enabled JotForm accounts encrypt form submissions, restrict access to authorized users, and maintain audit logs of who viewed or exported submission data.

HIPAA-compliant form templates. JotForm provides pre-built templates for patient intake forms, appointment requests, medical history questionnaires, and consent forms. These templates are designed with appropriate field types and validation for healthcare use cases.

Dedicated compliance infrastructure. When HIPAA compliance is enabled on a JotForm account, form data is stored on separate, compliant servers. Certain integrations that would send data to non-compliant third parties are automatically disabled.

This is more than most tools offer. JotForm has invested real engineering effort into making its platform work within healthcare environments.

So why does the answer remain "Evaluate Carefully" rather than a simple yes?

The Page Problem: Why Form Compliance Is Not Page Compliance

Here is the core issue that most compliance evaluations miss: JotForm forms do not exist in isolation. They are embedded on your website.

When a healthcare organization adds a JotForm form to a page, that form typically loads via an iframe or JavaScript embed. JotForm's compliance controls govern what happens inside the form widget. But the page surrounding that form has its own scripts, cookies, and tracking technologies.

Consider a typical patient intake scenario. A visitor lands on your "New Patient" page to fill out a JotForm intake form. The form itself is encrypted and covered by JotForm's BAA. But what else is running on that page?

  • Google Analytics may be tracking the page URL (which could contain a medical department name or condition) along with the visitor's behavior, scroll depth, and time on page.

  • Meta Pixel may be firing a PageView event that tells Facebook a specific user visited your "Depression Screening" or "Orthopedic Consultation" page.

  • Hotjar or FullStory may be recording the session, capturing mouse movements and potentially form field interactions.

  • Google Tag Manager may be loading additional scripts that your marketing team added without IT review.

Each of these tools can see the page context. Some can observe interactions with the embedded form. None of them have BAAs in place for healthcare data. And every one of them represents the exact pattern that led to $193 million in enforcement actions and settlements since 2023.

JotForm's compliance stops at JotForm's boundary. Everything else on the page is your responsibility.

Lessons from the $47.5 Million Kaiser Settlement

The Kaiser Permanente case illustrates this exact risk at massive scale. Kaiser's websites used third-party tracking code that transmitted health information to Google, Microsoft, Meta, and X without member consent from 2017 to 2024. The breach affected 13.4 million members across nine states, resulting in a $47.5 million class action settlement.

Kaiser's patient portal itself had security controls. The tracking scripts running alongside it did not. The same architecture applies to any healthcare page with an embedded form: the form tool may be compliant, but the page environment determines whether patient data actually stays protected.

This is not a theoretical risk. It is the documented cause of every major healthcare tracking enforcement action in the past three years.

Building a Compliant Form Environment

Evaluating JotForm for healthcare use requires looking beyond JotForm itself. The compliance question is really about three layers:

Layer 1: The form tool

JotForm addresses this layer well. With a Gold plan or above, HIPAA compliance enabled, and a signed BAA, JotForm handles form data with appropriate safeguards. Verify that your specific plan includes the BAA, that HIPAA mode is activated (it is not on by default), and that you are using JotForm's compliant submission storage rather than routing data to non-compliant integrations.

Layer 2: The hosting page

This is where most organizations fail. Every script, cookie, and tracking pixel on the page that hosts your JotForm embed needs its own compliance evaluation. A server-side data collection architecture eliminates the most dangerous category of risk here. When data flows from your server to destinations rather than through the visitor's browser, tools like Meta Pixel and Google Analytics never see the page interaction at all.

The architectural difference is fundamental. Client-side tracking (JavaScript pixels and tags) sends data through the visitor's browser to third-party servers. Server-side tracking sends data from your infrastructure to destinations you control. The browser never communicates with Facebook, Google, or any advertising platform. This is not a preference or a nice-to-have. It is the structural difference between "we hope nothing leaks" and "nothing can leak."

Layer 3: Ongoing monitoring

Even if you audit your form pages today and remove non-compliant scripts, the page will change. Marketing teams add tags. Plugins update. Third-party scripts load other scripts. Your compliance posture can shift without anyone making a deliberate decision to change it.

Continuous website scanning detects every cookie, script, localStorage entry, and tracking pixel across every page of your site. It flags which scripts lack a BAA, which cookies are set by third parties, and which tracking pixels are sending data to advertising platforms. Without this kind of ongoing monitoring, you are relying on the hope that nobody on your team introduced a non-compliant script since your last manual audit.

Every enforcement case cited above involved tracking that had been running for months or years before anyone noticed.
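As an added example (not JotForm's or Ours Privacy's code) of the hosting-page audit this layer describes, and of the "audit the hosting page" step later on: a small JavaScript classifier that takes the resources a scanner observed on one intake page and returns those outside the BAA boundary. The site domain, the covered-host set and the sample resources are constructed assumptions; the tracker hostnames are a small subset of well-known advertising and analytics endpoints.

```javascript
// Added example (not JotForm's or Ours Privacy's code): a minimal page audit of the
// kind a continuous scanner performs. BAA_COVERED is an assumption to replace with your own inventory.
const BAA_COVERED = new Set(['form.jotform.com']); // assumption: the JotForm embed host

// Well-known browser-side advertising/analytics endpoints (illustrative subset).
const AD_PLATFORMS = {
  'connect.facebook.net': 'Meta Pixel',
  'www.facebook.com': 'Meta Pixel',
  'www.google-analytics.com': 'Google Analytics',
  'www.googletagmanager.com': 'Google Tag Manager',
  'static.hotjar.com': 'Hotjar',
};

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}
// resources: { type: 'script'|'iframe'|'beacon'|'cookie', url?, name?, domain?, setBy? }
// A cookie is attributed to the host that set it (setBy): _ga and _fbp live on your
// own domain but are written by tracker scripts, which is what matters for the audit.
function auditPage(pageUrl, resources) {
  const page = hostOf(pageUrl);
  const findings = [];
  for (const r of resources) {
    const host = r.type === 'cookie' ? (r.setBy || r.domain.replace(/^\./, '')) : hostOf(r.url);
    if (!host) continue;
    if (host === page || host.endsWith('.' + page)) continue; // first-party resource
    if (BAA_COVERED.has(host)) continue;                        // inside the BAA boundary
    const vendor = AD_PLATFORMS[host];
    findings.push({
      type: r.type, host, vendor: vendor || 'unknown third party',
      // Any request the page makes discloses the page URL, so a condition-named
      // path such as /depression-screening is itself revealed to the recipient.
      disclosesPageUrl: r.type !== 'cookie',
      severity: vendor ? 'high' : 'review',
    });
  }
  return findings;
}

// Constructed sample: what a scanner might see on a "New Patient" intake page.
const SAMPLE_PAGE = 'https://clinic.example/depression-screening';
const SAMPLE_RESOURCES = [
  { type: 'iframe', url: 'https://form.jotform.com/FORM_ID_PLACEHOLDER' },
  { type: 'script', url: 'https://clinic.example/js/site.js' },
  { type: 'script', url: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER' },
  { type: 'script', url: 'https://connect.facebook.net/en_US/fbevents.js' },
  { type: 'beacon', url: 'https://www.facebook.com/tr?ev=PageView' },
  { type: 'cookie', name: '_ga', domain: '.clinic.example', setBy: 'www.google-analytics.com' },
  { type: 'cookie', name: '_fbp', domain: '.clinic.example', setBy: 'connect.facebook.net' },
];
```

Running `auditPage(SAMPLE_PAGE, SAMPLE_RESOURCES)` leaves the JotForm iframe and the first-party script alone and reports the five tracker resources, which is the inventory a BAA review has to start from.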

The Consent Layer Healthcare Organizations Are Missing

Compliance is evolving beyond "did we sign BAAs" toward "did the patient consent to this specific data use." State privacy laws in California, Washington, Connecticut, and others are creating new obligations around health data consent that apply even to organizations not covered by HIPAA.

For form data specifically, this means that collecting a patient's intake information with proper encryption and a signed BAA may still not be sufficient if your site lacks a consent mechanism that governs what tracking fires before, during, and after the form interaction.

Consent-gated data dispatch ensures that data only flows to destinations after consent is verified server-side. This is different from a cookie banner that sets a JavaScript variable. Server-side consent verification means that even if a script loads before consent is given, no data reaches its destination until your server confirms the patient has opted in.

This is the direction healthcare compliance is heading. Organizations that build consent into their data architecture now will avoid retrofitting it under regulatory pressure later.
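The server-side consent check described above, as an added example that is not Ours Privacy's or JotForm's code: a Node-style dispatcher in which the server's own consent record, never a flag the browser sends, decides whether an event leaves for a destination. Destination names, consent categories, the intake-field list and the sample data are assumptions constructed for the illustration.

```javascript
// Added example (not Ours Privacy's or JotForm's code): consent-gated dispatch where the
// server's own consent record, not a browser-set flag, decides whether an event leaves.
// Destination names, consent categories and the intake-field list are assumptions.

// Server-side consent store keyed by a visitor id the server issued (constructed data).
const CONSENT_STORE = new Map([
  ['visitor-a', { analytics: true, advertising: false }],
  ['visitor-b', { analytics: false, advertising: false }],
]);

// Each destination names the consent category it needs; null means it sits inside
// the BAA (the form store) and needs no marketing consent.
const DESTINATIONS = {
  analytics_warehouse: { category: 'analytics' },
  ad_platform: { category: 'advertising' },
  form_store: { category: null },
};

// Intake fields that never go to a marketing destination, consented or not (assumption).
const INTAKE_FIELDS = new Set(['name', 'email', 'symptoms', 'diagnosis', 'medications']);

// event: { visitorId, destination, payload, clientClaimsConsent? }
// Returns { sent, reason }; delivered payloads are appended to `outbox`.
function dispatch(event, outbox) {
  const dest = DESTINATIONS[event.destination];
  if (!dest) return { sent: false, reason: 'unknown destination' };
  if (dest.category !== null) {
    // event.clientClaimsConsent is deliberately ignored: a banner-set JavaScript
    // flag can be forged, or lag behind a tracker script that already loaded.
    const consent = CONSENT_STORE.get(event.visitorId);
    if (!consent) return { sent: false, reason: 'no server-side consent record' };
    if (!consent[dest.category]) return { sent: false, reason: `no ${dest.category} consent` };
  }
  let payload = event.payload;
  if (dest.category !== null) {
    // Even a consented marketing flow never carries questionnaire answers.
    payload = Object.fromEntries(Object.entries(payload).filter(([k]) => !INTAKE_FIELDS.has(k)));
  }
  outbox.push({ destination: event.destination, payload });
  return { sent: true, reason: 'ok' };
}

// Constructed sample: an intake submission with the page it came from.
const INTAKE = { name: 'Pat Example', email: 'pat@example.net', symptoms: 'low mood', page: '/new-patient' };
```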

Evaluating JotForm for Your Healthcare Organization

Use this framework to determine whether JotForm can work within your compliance requirements:

  1. Confirm BAA coverage. Verify you are on JotForm's Gold plan or above and that a BAA has been executed. Review the BAA scope to understand exactly what data handling it covers.

  2. Enable HIPAA mode. JotForm's HIPAA features are not active by default. Ensure your account has HIPAA compliance enabled and that form submissions are stored on compliant infrastructure.

  3. Audit the hosting page. Identify every script, pixel, cookie, and tag on every page where a JotForm form is embedded. Each one represents a potential data leak if it lacks healthcare-grade compliance controls.

  4. Evaluate your data architecture. Determine whether your site uses client-side or server-side data collection. Client-side pixels are the root cause of nearly every enforcement case documented. Server-side architecture eliminates this category of risk entirely.

  5. Implement continuous scanning. A point-in-time audit tells you what is on your pages today. A web scanner tells you what is on your pages every day going forward. This is the difference between compliance at launch and compliance in practice.

  6. Establish a consent framework. Ensure that tracking on form pages is gated behind patient consent, verified server-side, before data flows to any destination.

Frequently Asked Questions

Does JotForm sign a Business Associate Agreement?

Yes. JotForm signs BAAs for customers on Gold plans and above with HIPAA compliance enabled. The BAA covers JotForm's handling of form submission data, file uploads, and payment information collected through forms. You must specifically request HIPAA compliance activation for your account; it is not enabled by default.

Can I use JotForm for patient intake forms?

JotForm can handle the form submission itself in a HIPAA-compliant manner when properly configured. The larger question is whether the page hosting your form is also compliant. If your intake form page has Google Analytics, Meta Pixel, or session replay tools running alongside the JotForm embed, those tools may capture patient data outside of JotForm's compliance controls. Evaluate the entire page, not just the form widget.

Is JotForm's free plan HIPAA compliant?

No. HIPAA compliance features, including BAA availability, encrypted submission storage, and compliant infrastructure, require JotForm's Gold plan or higher. Using a free or lower-tier plan for healthcare data collection does not meet HIPAA requirements regardless of the form content.

How does JotForm compare to Typeform for healthcare use?

JotForm offers more robust HIPAA compliance features than many form builders. JotForm signs BAAs and provides dedicated HIPAA infrastructure, while Typeform's compliance posture requires its own careful evaluation. For either tool, the hosting page compliance question remains the same: the form is only one piece of the puzzle. Evaluate both the form tool and the environment surrounding it.

What should I do if I am already using JotForm on healthcare pages?

Start by confirming your JotForm account has HIPAA compliance enabled and a BAA in place. Then audit every page where JotForm forms are embedded to identify other scripts and tracking technologies. Consider implementing a server-side data architecture that prevents client-side scripts from accessing form page interactions. Set up continuous website scanning to catch any new scripts that get added to form pages over time.

Protect the Entire Page, Not Just the Form

JotForm has done real work to make its form infrastructure healthcare-ready. That is more than many tools can claim. But form compliance is only as strong as the page that hosts the form.

If your JotForm intake form sits on a page with unaudited tracking scripts, the form's encryption and BAA do not protect the data those other scripts capture. Solving this requires a platform-level approach: server-side data collection that keeps browsers from talking to third parties, continuous scanning that catches new scripts before they become breaches, and consent-gated data flows that verify patient permissions before any data moves.

See how Ours Privacy protects healthcare websites with server-side architecture, SOC 2 Type II certification across all five trust criteria, and continuous compliance monitoring that covers every page, not just the ones with forms.