A Guide to HIPAA Compliant Online Forms for Your Healthcare Website


In most healthcare websites the most common Call to Action (CTA) for the user is either a phone call or scheduling online. It’s crucial to include online forms that allow patients and referring doctors to easily get in touch. However, to protect patient privacy, these forms must be implemented in a HIPAA compliant manner. In this guide, we’ll break down everything you need to know to add online forms to your healthcare website the right way. 

We understand that each website's situation is unique, but we have implemented several of these systems on client websites and hope this guide highlights the real players in the space rather than just those with better marketing.

Types of Online Forms Your Healthcare Website Needs 

There are three main types of online forms commonly used on healthcare websites:

  1. Patient forms – intake forms, health background forms, insurance verification, etc. 
  2. Doctor referral forms – allow referring doctors to send patient referrals
  3. Generic contact forms – enable website visitors to ask questions
  4. Honorable Mention – Request Appointment Forms. While we believe (and there is strong evidence for this) that implementing robust online scheduling is a good idea, sometimes for various reasons it's not feasible. In that case, something is better than nothing. 

All of these forms must be HIPAA compliant, even generic contact forms, since they may capture protected health information.

Best Practices for HIPAA Compliant Online Forms

To ensure your online forms meet HIPAA requirements:

  • Use a reputable form provider that will sign a Business Associate Agreement (BAA) 
  • Avoid emailing form submissions directly; use secure storage instead
  • Consider eliminating generic contact forms entirely and encouraging phone calls/convenient online scheduling instead
  • Pediatrics Considerations – offering online scheduling as the only option may be difficult, as parents tend to ignore the rules and schedule where they want (this is especially true in any type of pediatrics setting). If you don't have that situation, online scheduling may be a really great improvement. 
  • Where possible, make sure the form provider uses an embed to install on the site rather than an iframe. Embeds can usually be styled a bit or, at the very least, give you more information by way of analytics. iFrames will typically only let you see analytics if you redirect to a thank-you or success page, or if the form provider supplies its own analytics. Either way, ask the question when considering a provider.
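The "avoid emailing form submissions directly" practice above is easy to state but easy to get wrong in a custom handler, so here is an added illustration (not code from any provider or from this site) of the pattern a secure form backend should follow: the submission is written to a dedicated store and the staff notification carries only a reference ID, never the fields that may contain protected health information. The field names, the SQLite table and the sample submission are all constructed for the example; a real deployment would put the store behind the provider's BAA-covered, encrypted storage rather than a local database.

```python
import json
import sqlite3
import uuid
from datetime import datetime, timezone

# Constructed allowlist of form fields that may carry PHI. Anything in this set
# stays in the secure store and never appears in an outbound notification.
PHI_FIELDS = {"patient_name", "date_of_birth", "phone", "email",
              "insurance_id", "message"}

def open_store(path=":memory:"):
    """Open (or create) the submission store. ":memory:" keeps the example offline."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS submissions ("
        "id TEXT PRIMARY KEY, form TEXT, received_at TEXT, payload TEXT)"
    )
    return conn

def store_submission(conn, form_name, fields):
    """Persist the full submission and return an opaque reference ID."""
    submission_id = str(uuid.uuid4())
    conn.execute(
        "INSERT INTO submissions (id, form, received_at, payload) VALUES (?, ?, ?, ?)",
        (submission_id, form_name,
         datetime.now(timezone.utc).isoformat(), json.dumps(fields)),
    )
    conn.commit()
    return submission_id

def load_submission(conn, submission_id):
    """Read a stored submission back (this is what the staff portal would show)."""
    row = conn.execute(
        "SELECT form, payload FROM submissions WHERE id = ?", (submission_id,)
    ).fetchone()
    if row is None:
        return None
    return {"form": row[0], "fields": json.loads(row[1])}

def build_notification(form_name, submission_id, portal_url):
    """Email body for office staff: which form, a reference ID and where to view it.
    No submitted field is included, so the email itself carries no PHI."""
    return (
        f"A new '{form_name}' submission was received.\n"
        f"Reference: {submission_id}\n"
        f"View it in the secure portal: {portal_url}/submissions/{submission_id}\n"
    )

def leaks_phi(text, fields):
    """Guard used before sending: True if any PHI field value appears in the text."""
    return any(str(value) in text
               for key, value in fields.items()
               if key in PHI_FIELDS and value)

def handle_submission(conn, form_name, fields, portal_url="https://portal.example"):
    """Full handler: store the submission, then produce a PHI-free notification."""
    submission_id = store_submission(conn, form_name, fields)
    body = build_notification(form_name, submission_id, portal_url)
    if leaks_phi(body, fields):
        # Refuse to send rather than leak; a real handler would log and alert.
        raise RuntimeError("notification would contain PHI; not sending")
    return submission_id, body

if __name__ == "__main__":
    # Constructed sample intake submission.
    sample = {"patient_name": "Jane Sample", "date_of_birth": "1990-01-01",
              "phone": "555-0100", "message": "Need a new patient visit"}
    conn = open_store()
    ref, email_body = handle_submission(conn, "New Patient Intake", sample)
    print(email_body)
```

The `leaks_phi` check is deliberately simple (a substring match on the allowlisted values); its purpose is to make the "no PHI in email" rule a test the code enforces rather than a convention someone has to remember when editing the notification template.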

Top Picks for HIPAA Compliant Form Providers

  1. Patient Forms (incl. Online Scheduling)
    1. Nexhealth – the Nexhealth product is impressive and likely more customizable than most are using it for. Their secret weapon is the integrations they have built with many PMS platforms. While primarily in the dental space, they are quickly expanding to other healthcare verticals. I've been told by several DSOs that their service and onboarding are second to none. I'm not sure on prices, but their sales team is helpful and not pushy.
    2. Promptly – Another form of online scheduling that integrates with your EHR/PMS. Promptly has quietly made significant improvements to their product in recent years and may be worth a demo.
    3. Next Patient – A clear-cut provider of online scheduling and other smart features. Next Patient is a solid candidate for your healthcare website.
    4. Dental Intelligence – while specific to the dental space, if you’re looking for more than just online scheduling, Dental Intelligence may be a suitable option.
    5. Weave – Weave is a decent product but their bread and butter is combining your office’s phone system and integrating that with their platform for some really fancy features for the office staff. Worth a demo if you hate your current phone set up. 
  2. Just Patient Forms
    1. Formdr – They do require you to contact sales for the fancier features, which is a bit annoying, but I was able to find out that the Business Plan does support HIPAA compliance and starts at $59/mo per site.
    2. Formstack
      1. HIPAA compliance doesn't appear to be available until their enterprise membership, which of course requires you to contact sales (ugh), but I would suspect this pricing is in line with other solutions.
  3. Doctor referral forms – allow referring doctors to send patient referrals
    1. You can use the Generic form providers below but a lot of PMS platforms include features for facilitating and tracking doctor referrals. Check your PMS provider and see if they provide an embed that your web developer can insert on the doctor referral page. 
  4. Generic contact forms and Request Appointment Forms. 
    1. Gravity Forms HIPAA Compliant Add-on – This is Carenetic's favorite to use right now because it is a native add-on to Gravity Forms, our go-to form builder for WordPress. We especially like it because the form can be styled to match the website rather than simply being an embed or iframe. 
      1. Free tier
        1. 1 form and 25 submissions/mo
      2. Standard
        1. $65/mo or $715/yr
        2. Supports 1 live domain and 1 staging domain
        3. Unlimited forms
        4. Unlimited submissions
        5. File-upload add-on $30/mo or $300/yr
        6. They are willing to sign a custom BAA if you send it over.
    2. JotForm w/ HIPAA add-on
      1. HIPAA compliance is only available starting at their Gold plan, which is $99/mo billed annually
      2. This can get a touch expensive, though, as you're supposed to have a user license for each person in order to have proper access control.
      3. Jotform's form creation features are exceptional, though
    3. 123 Forms w/ HIPAA add-on
      1. HIPAA compliance isn't available until their enterprise pricing, which starts at $225/mo

Key Takeaway: Prioritize Online Scheduling Over Contact Forms

The most efficient and effective call to action for your healthcare website is online scheduling that syncs with your EHR/PMS. This streamlines operations while keeping the workflow HIPAA compliant. We understand that may not always be possible and hope one of the form providers above is suitable for your next healthcare website project. If your website is doing its job and answers common questions in places that are intuitive for the user to find, you may be able to eliminate generic contact forms entirely and avoid that added cost and complexity.

By selecting the right HIPAA compliant form provider for your practice’s needs, you’ll be able to capture leads, book more appointments, and keep patient data secure. A small investment in the proper tools pays major dividends!

Grayson Allen