HIPAA & BAA · Forms (self-hosted WordPress plugin)
Is Gravity Forms HIPAA compliant?
No. Gravity Forms is a self-hosted WordPress plugin and does not sign a BAA; compliance depends on your hosting and the BAAs you sign with those vendors.
Key facts
- BAA available: No; the vendor will not sign a BAA
- Official source: Gravity Forms Documentation, "HIPAA and Gravity Forms": https://docs.gravityforms.com/hipaa-and-gravity-forms/ (verified 2026-06)
What to do instead of Gravity Forms
- Choose a HIPAA-compliant WordPress host and sign a BAA with that host (the host handles PHI storage, not Gravity Forms).
- Sign BAAs with any other vendors that touch PHI (encryption add-on, storage, email/SMS).
- Add encryption at rest for submissions (e.g., a compliant add-on/plugin or custom code), since data is not encrypted at rest by default.
- Enforce TLS in transit, access controls, audit logging, and least-privilege admin access.
- Configure the forms to avoid sending PHI to any non-covered third party.
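One way to implement the encryption-at-rest item above, as an added example that is not Gravity Forms' own code or an official add-on: it attaches libsodium secretbox encryption to the real Gravity Forms filters gform_save_field_value (before a value is written) and gform_get_input_value (when a value is read). The key constant PHI_FIELD_KEY, the phi_ helper names and the form/field ID mapping are assumptions for this example.

```php
<?php
// Added example (not Gravity Forms' own code): per-field encryption at rest with libsodium,
// hooked into the Gravity Forms filters gform_save_field_value and gform_get_input_value.
// PHI_FIELD_KEY is a hypothetical constant; set it in wp-config.php, never in the database:
//   define( 'PHI_FIELD_KEY', base64_encode( random_bytes( SODIUM_CRYPTO_SECRETBOX_KEYBYTES ) ) );
function phi_field_ids( array $form ): array {
    $map = array( 12 => array( 3, 5, 7 ) ); // constructed sample: form 12, PHI in fields 3, 5, 7
    return $map[ (int) $form['id'] ] ?? array();
}
function phi_key(): string {
    $key = defined( 'PHI_FIELD_KEY' ) ? base64_decode( PHI_FIELD_KEY, true ) : false;
    if ( $key === false || strlen( $key ) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES ) {
        wp_die( 'PHI_FIELD_KEY missing or malformed; refusing to store PHI unencrypted.' );
    }
    return $key;
}
function phi_encrypt( string $plaintext ): string {
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ); // fresh nonce per value
    $box   = sodium_crypto_secretbox( $plaintext, $nonce, phi_key() );
    return 'enc:' . base64_encode( $nonce . $box ); // prefix marks stored ciphertext
}
function phi_decrypt( string $stored ): ?string {
    $raw = base64_decode( substr( $stored, 4 ), true );
    if ( $raw === false || strlen( $raw ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
        return null;
    }
    $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain = sodium_crypto_secretbox_open( $box, $nonce, phi_key() );
    return $plain === false ? null : $plain; // false: wrong key or tampered data
}
// Encrypt PHI fields before Gravity Forms writes them to the entry table.
add_filter( 'gform_save_field_value', function ( $value, $entry, $field, $form ) {
    if ( is_string( $value ) && $value !== '' && strpos( $value, 'enc:' ) !== 0
        && in_array( (int) $field->id, phi_field_ids( $form ), true ) ) {
        return phi_encrypt( $value );
    }
    return $value;
}, 10, 4 );
// Decrypt only for a logged-in user with the Gravity Forms entry-view capability;
// notifications, exports and other contexts without it keep seeing ciphertext.
add_filter( 'gform_get_input_value', function ( $value, $entry, $field ) {
    if ( is_string( $value ) && strpos( $value, 'enc:' ) === 0
        && current_user_can( 'gravityforms_view_entries' ) ) {
        return phi_decrypt( $value ) ?? $value;
    }
    return $value;
}, 10, 3 );
```

Encrypted fields can no longer be searched, filtered or used in plaintext by merge tags and conditional logic, so limit the mapping to fields that actually carry PHI. This protects only the entry table; database backups, server logs and any vendor that receives the submission still need their own controls and BAAs.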
Important caveats
- The Gravity Forms vendor never holds your submission data (it lives in your own WordPress database) and does not sign a BAA, so the plugin is not 'HIPAA compliant' on its own.
- Compliance is your architecture's responsibility: hosting, encryption, and vendor BAAs.
- Submission data is not encrypted at rest by default; you must add that.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Gravity Forms correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Gravity Forms.
Frequently asked questions
Does Gravity Forms sign a BAA?
No. Gravity Forms does not sign a Business Associate Agreement, so it should not be used to create, receive, store, or transmit protected health information (PHI).
Is Gravity Forms HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even where a vendor does offer a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Gravity Forms with PHI?
Gravity Forms itself does not hold your submission data or sign a BAA, so it is not 'HIPAA compliant' on its own. Before collecting PHI, confirm that your WordPress host and every other vendor that touches submissions have signed BAAs, that submission data is encrypted at rest and in transit, that admin access is limited and logged, and that no form notification or integration sends PHI to a non-covered third party.