HIPAA & BAA · Forms
Is Wufoo HIPAA compliant?
No. Wufoo does not sign a BAA and is not suitable for collecting PHI.
Key facts
- BAA available: No (vendor will not sign a BAA)
- Official source: Wufoo Security (no HIPAA/BAA offering published), https://www.wufoo.com/security/ (verified 2026-06)
What to do instead of Wufoo
- Do not use Wufoo to collect, store, or transmit PHI.
- Use Wufoo only for non-PHI forms (general contact, event registration, etc.).
- For healthcare intake, choose a builder that signs a BAA (e.g., Cognito Forms Enterprise, Formstack, SurveyMonkey Enterprise).
- If migrating, confirm the replacement vendor's BAA before handling PHI.
Important caveats
- Wufoo (a SurveyMonkey product) publishes no HIPAA/BAA offering for the Wufoo platform.
- Lack of a BAA means it cannot lawfully process PHI for a covered entity.
- Security features alone do not equal HIPAA compliance without a BAA.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA from a vendor, you remain responsible for configuring the tool correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Wufoo.
Frequently asked questions
Does Wufoo sign a BAA?
No. Wufoo does not sign a Business Associate Agreement, so it should not be used to create, receive, store, or transmit protected health information (PHI).
Is Wufoo HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when a vendor offers a BAA (Wufoo does not), you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Wufoo with PHI?
Wufoo (a SurveyMonkey product) publishes no HIPAA/BAA offering for the Wufoo platform.