Your Forms Collect PHI. Here's Why That Makes HIPAA Your Problem.
January 4, 2026 · Formisoft Team
From the team at Formisoft, the HIPAA-ready platform for patient intake, scheduling, and payments.
Here's a question that trips up more businesses than you'd expect: do your forms collect protected health information?
If you're a hospital or a doctor's office, the answer is obviously yes. But HIPAA doesn't only apply to traditional healthcare providers. If you run a wellness clinic, a mental health practice, a dental office, a physical therapy studio, a chiropractic office, or any business that collects health-related information tied to an identifiable person, HIPAA applies to you.
And "applies to you" means your forms need to be compliant. Not eventually. Now.
What Counts as PHI
Protected health information is any individually identifiable information that relates to health, healthcare, or payment for healthcare. The "individually identifiable" part is key — it's not just diagnoses and lab results. It's anything that could be used to identify a person in combination with health data:
- Names, addresses, phone numbers
- Dates (birth dates, appointment dates, treatment dates)
- Email addresses
- Social Security numbers
- Medical record numbers
- Insurance information
- Medication lists and allergy information
- Any notes about a person's health condition
If your intake form collects a name, a date of birth, and a reason for visit, you're collecting PHI. If it collects insurance details and a medication list, you're definitely collecting PHI. There's no minimum threshold — even a single piece of identifiable health information triggers HIPAA requirements.
What Happens When You Get It Wrong
The penalties for HIPAA non-compliance are designed to hurt.
Financial penalties scale with culpability. Unknowing violations start at $100 per incident. Willful neglect that goes uncorrected can reach $50,000 per violation, with annual caps of $1.5 million per violation category. For a practice that's been running non-compliant forms for years, the math gets very bad very fast.
Reputation damage is often worse than the fines. Breaches affecting 500+ people are posted on HHS's public breach portal — informally known as the "Wall of Shame." Patients read the news. They talk to each other. Trust, once lost, is extremely difficult to rebuild.
Lawsuits follow breaches. Patients whose data is compromised can and do sue. Class action suits against healthcare organizations for data breaches have resulted in settlements in the tens of millions.
Business impact compounds everything else. Insurance premiums increase. Staff morale suffers. Referral relationships weaken. The downstream effects of a HIPAA violation extend far beyond the initial penalty.
What HIPAA-Compliant Forms Actually Require
Compliance isn't about checking a box on a vendor's website. Your forms — and the platform hosting them — need to meet specific requirements:
Encryption. AES-256 for stored data. TLS 1.3 for data in transit. This is non-negotiable. If your form platform stores patient data unencrypted, you have a problem that no amount of policy documentation fixes.
Access controls. Not everyone needs to see every submission. Implement role-based permissions so the billing team sees billing information, clinical staff see clinical information, and the front desk sees what they need to do their job.
Audit logging. HIPAA requires you to track who accesses PHI, when, and what they did with it. Your form platform should log every view, edit, and export automatically.
A signed BAA. Your form provider is a business associate. You need a Business Associate Agreement on file. If your provider won't sign one, they either don't understand HIPAA or they know their platform doesn't meet the requirements. Either way, find someone else.
Data minimization. Only collect what you need. Review your forms periodically and remove fields that aren't serving a clear purpose. Conditional logic helps — it shows patients only the questions relevant to their situation, which reduces both data collection and form fatigue.
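As an added illustration of the access-control and audit-logging requirements above (example code, not Formisoft's platform code), the snippet below maps each role to the submission fields it may see and writes an audit record for every view, whether allowed or denied. Role names, field names and the sample submission are constructed.

```python
# Added example, not Formisoft code: role-based field filtering plus an
# append-only audit record for every access to a form submission. Role
# names, field names and the sample submission below are constructed.
from datetime import datetime, timezone

# Which submission fields each role may see (constructed, illustrative).
ROLE_FIELDS = {
    "front_desk": {"name", "phone", "appointment_date"},
    "billing": {"name", "insurance_id", "payment_status"},
    "clinical": {"name", "date_of_birth", "medications", "allergies",
                 "reason_for_visit"},
}

AUDIT_LOG = []  # in production: a write-once store, not an in-memory list


def _audit(user, role, action, submission_id, fields):
    """Record who did what, to which submission, and which fields were
    returned. Every access attempt is logged, including denials."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "action": action,
        "submission": submission_id,
        "fields": sorted(fields),
    })


def view_submission(user, role, submission):
    """Return only the fields this role may see and log the view.
    Unknown roles get nothing, and the denial is logged as well."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        _audit(user, role, "view_denied", submission["id"], set())
        raise PermissionError(f"role {role!r} has no access")
    shown = {k: v for k, v in submission.items() if k in allowed}
    _audit(user, role, "view", submission["id"], shown.keys())
    return shown


# Constructed intake submission; not real patient data.
SAMPLE = {
    "id": "sub-0001", "name": "Jane Example", "phone": "555-0100",
    "date_of_birth": "1980-01-01", "insurance_id": "INS-TEST-1",
    "payment_status": "pending", "medications": ["none"],
    "allergies": ["penicillin"], "reason_for_visit": "follow-up",
    "appointment_date": "2026-01-10",
}
```

Calling `view_submission("alice@example.test", "billing", SAMPLE)` returns only the name, insurance id and payment status, and the last `AUDIT_LOG` entry records exactly those three fields.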
Getting This Right Isn't Hard
HIPAA compliance for forms sounds daunting, but it's really about choosing the right platform and following sensible practices. You don't need to become a security expert. You need to:
- Use a platform built for healthcare data (not a generic form builder with "HIPAA" in the marketing copy)
- Sign a BAA with your form provider
- Set up role-based access for your team
- Review your forms to ensure you're only collecting necessary information
- Train your staff on proper PHI handling
Formisoft handles the technical requirements — AES-256 encryption, TLS 1.3, US-hosted infrastructure, audit logging, role-based permissions, and BAA — at a flat $79.99/month. The compliance infrastructure is built in, not bolted on.
The question isn't whether HIPAA compliance is worth the effort. If you're collecting PHI, you don't have a choice. The question is whether you make it easy on yourself by choosing the right tools from the start, or hard on yourself by scrambling to fix it after something goes wrong.