Is Typeform HIPAA Compliant?

In 2023, the FTC ordered BetterHelp to pay $7.8 million for sharing mental health intake questionnaire responses with Facebook, Snapchat, Criteo, and Pinterest through tracking pixels. The data included answers patients had typed into online forms about their therapy needs, emotional struggles, and personal history. A recent college graduate with no marketing training had been placed in charge of deciding what user data was uploaded to Facebook.

That case should resonate with any healthcare organization currently using Typeform. The tool's signature conversational format, presenting one question at a time in an engaging sequence, is exactly the kind of interface patients use to describe symptoms, request appointments, and answer screening questionnaires. Patients type more freely in Typeform than in a standard grid of form fields. They share details they might otherwise leave out. And every keystroke flows through a system that was never designed for healthcare data.

$7.8 Million for Sharing What Patients Typed Into Forms

The BetterHelp enforcement action is worth understanding in detail because it maps directly to how form builders operate in healthcare settings.

BetterHelp used intake questionnaires to collect sensitive mental health information. That information was transmitted to advertising platforms via tracking pixels embedded on their site. The FTC found that BetterHelp had used the fact that users had previously been in therapy to build Facebook lookalike audiences, turning private health disclosures into marketing fuel.

The mechanism was not a sophisticated breach. It was standard marketing technology doing exactly what it was designed to do: capturing user interactions and sharing them with ad platforms. The intake forms were the data source. The tracking pixels were the transmission vector.

Healthcare organizations using Typeform for patient intake, satisfaction surveys, or screening questionnaires face a structurally similar risk. The form collects health information. The embed and any connected integrations create pathways for that data to flow beyond your control.

How Typeform's Architecture Creates Compliance Gaps

Typeform is a form and survey builder known for its polished, conversational UX. Organizations embed Typeform on their websites in one of two ways: via a JavaScript embed snippet or through an iframe. Both approaches are client-side, meaning the form loads and executes in the visitor's browser.

This matters for several reasons.

The embed runs in the browser. When a patient fills out a Typeform on your healthcare website, the data passes through the patient's browser before reaching Typeform's servers. Any other scripts running on that page (analytics tools, advertising pixels, chat widgets) can potentially observe or interact with that data. If your site has a Meta Pixel, Google Analytics tag, or any other third-party script, those tools may capture form interaction data alongside page context that reveals health intent.

Integrations multiply data flows. Typeform connects to dozens of downstream tools: Zapier, HubSpot, Mailchimp, Google Sheets, Slack, Airtable, Salesforce, and more. Each integration creates an additional system that receives the data patients typed into your form. If a patient submits a screening questionnaire through Typeform that routes to Google Sheets via Zapier, the health data now lives in three systems (Typeform, Zapier, Google Sheets), none of which have signed a BAA with your organization.

No BAA available. Typeform does not sign Business Associate Agreements. Under HIPAA, any vendor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity must sign a BAA and accept liability as a Business Associate. Without a BAA, using Typeform to collect any data that qualifies as PHI leaves your organization unable to meet the requirements of the HIPAA Privacy and Security Rules.

The Integration Chain Problem

The BetterHelp case involved a relatively straightforward data flow: form responses to ad pixels. Typeform introduces something more complex: a chain of integrations where PHI can propagate across multiple non-compliant systems before anyone notices.

Consider a common healthcare workflow. A practice embeds a Typeform patient intake form on their website. The form asks about symptoms, current medications, and insurance information. Responses are routed through Zapier to a Google Sheet shared with the front desk team and simultaneously pushed to HubSpot for follow-up email sequences.

In this scenario, protected health information flows through four separate systems: Typeform, Zapier, Google Sheets, and HubSpot. Each system stores the data on its own servers, under its own security policies, with its own retention rules. None of these four vendors has signed a BAA covering this use case (HubSpot has limited healthcare options, but not for data flowing through a Typeform integration chain).

The Cerebral enforcement action illustrates where this leads. From 2019 to 2023, Cerebral's tracking pixels sent patient names, medical histories, prescription information, and mental health symptom questionnaire answers to Meta. The breach affected 3.2 million individuals, and the FTC imposed its first-ever ban on using health information for most advertising. Cerebral's problem was not that it intended to share health data with advertisers. The problem was that its technology stack created data flows the organization did not fully understand or control.

That is the core risk with Typeform in healthcare. The tool itself may not be malicious, but the architecture, client-side embeds feeding into chains of third-party integrations, creates exactly the kind of uncontrolled data flow that enforcement actions target.

What a Compliant Form Architecture Actually Requires

If your organization collects any health-related information through online forms, the compliance bar includes several requirements that Typeform's current architecture does not meet.

A signed, comprehensive BAA. The form vendor must sign a Business Associate Agreement that covers the full data lifecycle: collection, processing, storage, and transmission. The BAA must apply to the actual data being collected, not just a subset. Many vendors offer BAAs that exclude certain categories of data or apply only to specific product tiers. Typeform offers no BAA at all.

SOC 2 Type II with all five trust criteria. SOC 2 Type II certification covering Security, Availability, Processing Integrity, Confidentiality, and Privacy means independent auditors verified that the vendor handles data with the rigor healthcare requires over a sustained review period. Most SaaS tools certify only Security (one of five). That is table stakes, not compliance.

Server-side data handling. Client-side form embeds send data through the visitor's browser, where any other script on the page can potentially access it. Server-side architectures send data directly from your server to the destination, so the submission is never handed to third-party scripts in the browser on its way to a vendor. This is not a preference; it is the architectural difference between "we hope nothing leaks" and "nothing can leak." One caveat: what the patient types still exists in the page while they type it, so server-side handling only delivers on that promise when the form page itself is kept free of third-party scripts, which is why the monitoring requirement below matters as much as the form tool.

Consent-gated data flows. Data should only flow to downstream systems after consent is verified server-side. A JavaScript-based consent check can be bypassed, delayed, or ignored by other scripts on the page. Server-side consent gating ensures that no data moves to any destination until consent requirements are confirmed.

Continuous monitoring of your form pages. Installing a compliant form tool does not guarantee your form pages stay compliant. Marketing teams add scripts, plugins update, third-party tags load other tags. A web scanner crawls your site on a scheduled basis and detects every cookie, script, localStorage entry, and tracking pixel running on every page, including the pages where your forms are embedded. Every enforcement case in the regulatory record involved tracking technology that had been running for months or years before anyone at the organization noticed.

Five Questions to Ask Before Using Any Form Tool in Healthcare

Rather than a simple compliant-or-not verdict, healthcare organizations should evaluate any form builder against these criteria:

1. Does the vendor sign a BAA that covers form submission data? Not a BAA for a different product line or a limited subset of data. A BAA that explicitly covers the responses patients type into your forms. Typeform does not offer this.

2. Where does form data travel after submission? Map every integration, webhook, and automation connected to your forms. Each system in the chain needs its own BAA and its own security posture. If your Typeform connects to Zapier, which connects to Google Sheets, which triggers a Mailchimp email, you need four BAAs covering four systems.

3. What scripts run on the page where the form is embedded? A compliant form embedded on a page with a Meta Pixel is not compliant. The pixel can capture form field interactions, the URL (which may contain health context), and page metadata. An ongoing site scan is the only way to keep track of what scripts are actually running on your form pages over time.

4. Is the form architecture client-side or server-side? Client-side embeds (JavaScript snippets, iframes) execute in the browser. Server-side form handling processes submissions on your server before routing them to any destination. The difference determines whether third-party scripts on your page can observe form data.

5. How is consent captured and enforced? Does the form respect consent preferences before transmitting data? Is consent checked server-side or only via a client-side JavaScript flag that other scripts can ignore?

Building a Form Workflow That Meets the Compliance Bar

Organizations that need to collect health information through online forms have several options that address the gaps Typeform leaves open.

A purpose-built healthcare form solution would include server-side data handling, a signed BAA, SOC 2 Type II certification across all five trust criteria, and consent-gated data routing. But the form tool alone is not enough. The entire page where the form lives needs to be clean of non-compliant scripts.

This is where ongoing site scanning becomes essential. A web scanner that crawls your site continuously can flag when a marketing team member adds a new script to a page that contains a patient intake form, or when a tag manager loads an unexpected third-party pixel. Without that monitoring layer, you are relying on the hope that no one on your team (and no third-party plugin) introduced a tracking script since your last manual audit.
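The inventory step described above, reduced to its simplest form, as an added example (this is not Typeform's, Ours Privacy's, or any commercial scanner's code). It takes the HTML a form page serves and lists every third-party script, image pixel and iframe on it, plus inline bootstrap calls that indicate a tracking SDK was initialised. The tracker host list, the bootstrap markers and the sample page are constructed for the demonstration; the Typeform embed markup in the sample is illustrative, and all tracker IDs are placeholders.

```javascript
// Added example (not Typeform's, Ours Privacy's, or any scanner's code): a
// minimal static inventory of the third-party scripts, pixels and frames on a
// page that embeds a form. It parses served HTML with regular expressions, so
// it sees only what is in the markup; tags injected at runtime by a tag
// manager need a headless-browser crawl, which is what a real scanner does.

// Constructed, non-authoritative list of hosts associated with advertising or
// analytics tracking. Extend it with whatever your own scans turn up.
const KNOWN_TRACKER_HOSTS = new Set([
  'connect.facebook.net', 'www.facebook.com',
  'www.googletagmanager.com', 'www.google-analytics.com',
  'sc-static.net', 'static.criteo.net',
]);

// Bootstrap calls whose presence in an inline script means a tracking SDK
// was initialised on the page (constructed list).
const TRACKER_BOOTSTRAPS = ['fbq(', 'gtag(', 'snaptr(', 'criteo_q'];

function hostOf(url, firstPartyHost) {
  // Relative and protocol-relative URLs resolve against the first-party origin.
  try { return new URL(url, `https://${firstPartyHost}/`).hostname; }
  catch { return null; }
}

function isThirdParty(host, firstPartyHost) {
  return host !== null && host !== firstPartyHost && !host.endsWith(`.${firstPartyHost}`);
}

// Returns one finding per external script, image pixel, iframe or tracker
// bootstrap found on the page.
function inventoryPage(html, firstPartyHost) {
  const findings = [];
  const tagRe = /<(script|img|iframe)\b([^>]*)>/gi;
  const srcRe = /\bsrc\s*=\s*["']([^"']+)["']/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const src = srcRe.exec(m[2]);
    if (!src) continue;
    const host = hostOf(src[1], firstPartyHost);
    if (!isThirdParty(host, firstPartyHost)) continue;
    findings.push({ kind: tag === 'img' ? 'pixel' : tag, host, url: src[1], knownTracker: KNOWN_TRACKER_HOSTS.has(host) });
  }
  // Inline scripts (no src attribute): look for SDK bootstrap calls.
  const inlineRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    for (const marker of TRACKER_BOOTSTRAPS) {
      if (m[1].includes(marker)) findings.push({ kind: 'inline', host: null, url: null, knownTracker: true, marker });
    }
  }
  return findings;
}

// Constructed sample page: a clinic's screening page with a form embed plus
// the kind of marketing tags the BetterHelp and Cerebral cases involved.
// Tracker IDs are placeholders; the embed markup is illustrative.
const SAMPLE_PAGE = `
<html><head><title>Mental health screening</title>
<script src="/static/site.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());</script>
<script>/* pixel bootstrap */ fbq('init', 'PLACEHOLDER'); fbq('track', 'PageView');</script>
</head><body>
<div data-tf-widget="PLACEHOLDER"></div>
<script src="//embed.typeform.com/next/embed.js"></script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView&noscript=1" /></noscript>
</body></html>`;

// Roll the findings up into the numbers a compliance reviewer asks for first.
function summarize(findings) {
  return {
    thirdParty: findings.filter(f => f.host !== null).length,
    knownTrackers: findings.filter(f => f.knownTracker).length,
    pixels: findings.filter(f => f.kind === 'pixel').length,
  };
}

console.log(summarize(inventoryPage(SAMPLE_PAGE, 'clinic.example')));
```

Run against the sample page, the inventory reports three third-party resources (the tag manager script, the form embed script and the Facebook pixel) and four hits against known trackers once the inline bootstraps are counted. The point of the exercise is the delta over time: store each run's findings and alert when a form page gains an entry that was not there last week.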

A compliant data infrastructure also ensures that form submissions route through a server-side pipeline rather than bouncing between client-side integrations. This means the data a patient types into a screening questionnaire goes from your server to your compliant destinations, without passing through the patient's browser where other scripts can intercept it.
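The consent-gated, server-side routing described in this paragraph and in the "Consent-gated data flows" requirement above, as an added example (this is not Typeform's code or any vendor's product). A submission arrives at your server, consent is looked up in a server-held record keyed by an opaque session token, and the payload is forwarded only to destinations that are covered by a BAA and whose consent purpose is satisfied, with each destination receiving only the fields it is entitled to. The destination names, BAA status, consent records and sample submission are all constructed for the demonstration; the actual delivery (an HTTP call from your server to the covered vendor) is left to the caller.

```javascript
// Added example (not Typeform's or any vendor's code): server-side,
// consent-gated routing of a form submission. Everything below (destination
// names, BAA status, consent records, the sample submission) is constructed
// for the demonstration.

// Downstream systems. A destination is eligible only if it is covered by a
// signed BAA; each one also names the consent purpose it needs and the
// fields it may receive (the "minimum necessary" rule).
const DESTINATIONS = {
  ehrIntake:    { baaSigned: true,  purpose: 'treatment', fields: ['name', 'email', 'symptoms', 'medications', 'insurance'] },
  crmFollowup:  { baaSigned: true,  purpose: 'marketing', fields: ['name', 'email'] },
  adPlatform:   { baaSigned: false, purpose: 'marketing', fields: ['email'] },
  sheetsExport: { baaSigned: false, purpose: 'treatment', fields: ['name', 'symptoms'] },
};

// Server-held consent records keyed by an opaque session token that the
// browser presents but cannot edit. The HTTP body never carries the consent
// decision; anything it claims about consent is ignored.
const CONSENT_STORE = new Map([
  ['sess-A', { treatment: true, marketing: false }],
  ['sess-B', { treatment: true, marketing: true }],
]);

// Keep only the fields a destination is entitled to.
function minimise(payload, fields) {
  const out = {};
  for (const f of fields) if (f in payload) out[f] = payload[f];
  return out;
}

// Returns a routing decision: which destinations receive which fields, and
// which were blocked and why. The decision doubles as an audit record.
function routeSubmission(sessionToken, payload, consentStore = CONSENT_STORE, destinations = DESTINATIONS) {
  const decision = { session: sessionToken, forwarded: [], blocked: [] };
  const consent = consentStore.get(sessionToken);
  for (const [name, dest] of Object.entries(destinations)) {
    if (!dest.baaSigned) { decision.blocked.push({ name, reason: 'no BAA' }); continue; }
    if (!consent) { decision.blocked.push({ name, reason: 'no server-side consent record' }); continue; }
    if (!consent[dest.purpose]) { decision.blocked.push({ name, reason: `no ${dest.purpose} consent` }); continue; }
    decision.forwarded.push({ name, payload: minimise(payload, dest.fields) });
  }
  return decision;
}

// Constructed sample submission, as the server would receive it from a POST.
// The marketing_consent field is a client-supplied claim and is never trusted
// or forwarded.
const SAMPLE_SUBMISSION = {
  name: 'A. Patient', email: 'patient@example.invalid',
  symptoms: 'persistent low mood', medications: 'none', insurance: 'PLACEHOLDER-PLAN',
  marketing_consent: 'yes',
};

console.log(JSON.stringify(routeSubmission('sess-A', SAMPLE_SUBMISSION), null, 2));
```

For the session that consented to treatment only, the decision forwards the full intake to the EHR destination and blocks the CRM (no marketing consent) along with both destinations that lack a BAA; the client-supplied `marketing_consent` claim has no effect because the gate reads consent from the server-side store. Call `routeSubmission` from your POST handler after validating the session token, and persist the returned decision as the audit trail.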

For organizations evaluating their current form setup, the key is to look beyond the form tool itself and examine the entire data flow: from the page where the form is embedded, through every integration and automation, to the final destination where the data is stored and used. If any link in that chain lacks a BAA, processes data client-side without consent controls, or has not been independently audited, the chain is only as strong as its weakest point.

Frequently Asked Questions

Can I use Typeform for patient intake forms if I don't ask for names or medical details?

Context matters more than individual field labels. If a form is embedded on a page titled "Schedule a Cardiology Appointment" or lives at a URL like /mental-health-screening, the URL itself and the page context can constitute protected health information when combined with identifiers like IP addresses. The HHS OCR guidance on tracking technologies clarified that even IP addresses on health-related pages may qualify as PHI. Avoiding clinical questions does not eliminate the compliance obligation.

Does Typeform encrypt form submissions?

Typeform uses TLS encryption for data in transit and encrypts data at rest. Encryption is necessary but not sufficient for HIPAA compliance. Without a BAA, Typeform has no contractual obligation to handle your data according to HIPAA requirements, report breaches within the required timeframe, or limit how it uses the data internally. Encryption addresses one technical safeguard; HIPAA requires administrative, physical, and technical safeguards along with a binding legal agreement.

What about using Typeform's GDPR features for HIPAA compliance?

GDPR and HIPAA are different regulatory frameworks with different requirements. GDPR compliance features (consent checkboxes, data deletion requests, privacy settings) do not satisfy HIPAA obligations. HIPAA requires a signed BAA, specific security safeguards, breach notification procedures, and audit controls that go beyond what GDPR mandates. A tool can be fully GDPR compliant and still fail every HIPAA requirement.

Is there a HIPAA-compliant alternative to Typeform for healthcare forms?

Several form solutions offer BAAs and healthcare-specific security features. When evaluating alternatives, look for the full stack: a signed BAA covering form data, SOC 2 Type II with all five trust criteria, server-side data handling, and consent-gated routing to downstream systems. Also consider whether the alternative integrates with a compliant data pipeline so you do not recreate the integration chain problem with a different tool. Check our HIPAA-compliant tools hub for current evaluations. JotForm is one form builder that offers a HIPAA-specific tier worth comparing.

If I embed Typeform in an iframe, does that isolate it from other scripts on my page?

Iframes provide some isolation, but they are not a compliance solution. The iframe still loads Typeform's client-side JavaScript in the patient's browser. Typeform's own cookies and scripts operate within the iframe. The parent page's URL (which may contain health context) can still be accessed depending on configuration. And the data submitted through the iframe still flows to Typeform's servers and any connected integrations without a BAA in place. An iframe changes the browser security boundary; it does not change the legal or regulatory obligations.

Healthcare organizations need tools built for the compliance requirements they face today and the consent-driven expectations patients will demand tomorrow. [Ours Privacy](https://www.oursprivacy.com) provides server-side data infrastructure, a comprehensive BAA, SOC 2 Type II certification across all five trust criteria, and continuous site scanning that detects every script running on your pages. [See how it works](https://www.oursprivacy.com/cdp) or explore our [HIPAA-compliant tools hub](/learn/hipaa-compliant-tools) for more evaluations like this one.