HIPAA & BAA · Forms
Is Cognito Forms HIPAA compliant?
Yes. Cognito Forms offers HIPAA compliance and a self-executable BAA on the Enterprise plan.
Key facts
- BAA available: Yes, with a signed BAA
- What it takes: Enterprise plan
- Official source: Cognito Forms Support: HIPAA-Compliant Forms for Healthcare, https://www.cognitoforms.com/support/78/entries/hipaa-compliance (verified 2026-06)
How to use Cognito Forms in a HIPAA-compliant way
- Upgrade to the Cognito Forms Enterprise plan.
- Open the in-app BAA, review it, and have an authorized owner sign and click 'I Agree'.
- Confirm HIPAA features activate (encryption at rest, 1-hour session timeout, protected fields).
- Mark sensitive fields as protected and restrict access.
- Train staff; route legal health record data into a proper EMR as needed.
Important caveats
- HIPAA/BAA is Enterprise-only.
- The person signing must be an owner authorized to enter binding contracts.
- Cognito Forms is not an EMR and should not be the system of record for patient health records.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Cognito Forms correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Cognito Forms.
Frequently asked questions
Does Cognito Forms sign a BAA?
Yes, on the Enterprise plan. A signed BAA is required before any PHI is involved.
Is Cognito Forms HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Cognito Forms offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Cognito Forms with PHI?
Confirm you are on the Enterprise plan: HIPAA support and the BAA are Enterprise-only.