HIPAA & BAA · Forms
Is Formstack HIPAA compliant?
Yes. Formstack provides a standard BAA for accounts and offers HIPAA-enabled (Healthcare) account configurations.
Key facts
- BAA available: Yes, with a signed BAA
- What it takes: HIPAA-enabled / Formstack for Healthcare account (standard BAA for all accounts; custom BAA case-by-case)
- Official source: Formstack: HIPAA Data Security - https://www.formstack.com/solutions/hipaa-data-security (verified 2026-06)
How to use Formstack in a HIPAA-compliant way
- Contact Formstack to set up or convert to a HIPAA-enabled / Healthcare account.
- Review and execute Formstack's standard BAA (or request a custom BAA, evaluated case-by-case).
- Enable the account's HIPAA security configuration before collecting PHI.
- Restrict access and configure encryption/controls on PHI forms.
- Train staff on permitted ePHI handling per the BAA.
Important caveats
- HIPAA features require a properly configured/HIPAA-enabled account, not just any default plan.
- Custom BAA requests are evaluated case-by-case.
- Confirm which Formstack products (Forms, Documents, Sign) are in scope for your BAA.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Formstack correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Formstack.
Frequently asked questions
Does Formstack sign a BAA?
Yes. What it takes is a HIPAA-enabled / Formstack for Healthcare account (standard BAA for all accounts; custom BAA case-by-case). A signed BAA is required before any PHI is involved.
Is Formstack HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Formstack offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Formstack with PHI?
HIPAA features require a properly configured/HIPAA-enabled account, not just any default plan.