Is Typeform HIPAA compliant?
Conditionally. Typeform will provide a BAA, but only to customers on its HIPAA-eligible plans and only with certain features (like AI) disabled.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: HIPAA-eligible plans only (e.g., Enterprise / Growth Custom); request the BAA from Typeform Sales. AI features must be disabled. Confirm current eligible-plan names with Typeform.
- Official source: Typeform Help Center — Business Associate Agreement (BAA) — https://help.typeform.com/hc/en-us/articles/4404321307796-Business-Associate-Agreement-BAA (verified 2026-06)
How to use Typeform in a HIPAA-compliant way
- Subscribe to a HIPAA-eligible plan and confirm eligibility with Typeform Sales.
- Request a BAA from Typeform's Sales team using your company name and account email, and execute it before collecting PHI.
- Disable Typeform's AI capabilities, which do not support HIPAA compliance.
- Disable non-compliant integrations (e.g., Mailchimp, Google Analytics) and configure minimum-necessary access.
- Manage backups/exports and account hierarchy to keep PHI access limited.
Important caveats
- Self-serve/standard plans are not HIPAA-eligible and cannot receive PHI.
- AI features and several common integrations break compliance and must stay off.
- Confirm current plan eligibility with Typeform Sales, as eligible plan names can change.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Typeform correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Typeform.
Frequently asked questions
Does Typeform sign a BAA?
Only on specific plans: HIPAA-eligible plans (e.g., Enterprise / Growth Custom). Request the BAA from Typeform Sales. AI features must be disabled. Confirm current eligible-plan names with Typeform. A signed BAA is required before any PHI is involved.
Is Typeform HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Typeform offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Typeform with PHI?
Self-serve/standard plans are not HIPAA-eligible and cannot receive PHI.