BLOG POST:

Are Google Forms HIPAA-Compliant? A Simple Guide

April 8, 2025

Web Design

If you’re a therapist or healthcare provider collecting client information online, you’ve probably wondered about HIPAA compliance for your forms. HIPAA (Health Insurance Portability and Accountability Act) protects sensitive patient health information, and therapists, counselors, and other healthcare professionals need to follow these guidelines.

So, are Google Forms HIPAA-compliant? The short answer: not automatically, but they absolutely can be with the right setup. In this guide, I’ll walk you through the steps you need to take to make your Google Forms HIPAA-compliant in simple language you can understand!

Disclaimer: Following the steps in this article does not constitute a guarantee of HIPAA compliance. This article is for informational purposes only. I am not an attorney, and I am not providing legal advice. Each practice is different, and HIPAA compliance extends far beyond just Google Forms. Reach out to an attorney in your area to fully educate yourself on what you need to do to ensure that your practice is fully HIPAA-compliant. 

What Is HIPAA Compliance?

HIPAA compliance means protecting your clients’ private health information when you collect, store, or transfer it. For example, a speech therapist collecting information about a client’s communication difficulties needs a HIPAA-compliant form.

You’ll need HIPAA-compliant forms when:

  • Collecting intake information from new therapy clients
  • Asking about symptoms or health history
  • Gathering insurance information
  • Requesting details about medications or treatments
  • Creating feedback forms about services provided
  • Setting up contact forms on your website

As a brand & website designer who often works with therapists and private practice owners, I primarily focus on creating HIPAA-compliant contact forms that live on your therapy website.

These contact forms are often the first touchpoint potential clients have with your practice, and even basic information like “I’m looking for help with my anxiety” or “I need therapy for my child’s speech delay” counts as protected health information.

Google Forms can work really well as your contact forms because they’re familiar, easy to use, and can be customized to fit your practice’s needs!

Are Google Forms HIPAA-Compliant?

Google Forms straight out of the box aren’t HIPAA-compliant. However, it’s relatively simple to make them HIPAA compliant and safeguard patient data.

Here’s a preview of what you’ll need to do:

  • Sign up for a Google Workspace Account
  • Sign Google’s Business Associate Agreement (BAA)
  • Configure proper access controls and security measures
  • Make sure your third-party integrations are also HIPAA-compliant
  • Train your staff

What’s really great about Google Forms is that by taking the appropriate steps, you can accomplish a cost-effective way of staying HIPAA-compliant (especially when it comes to embedding a HIPAA-compliant Google Form on your website).

Plus, I can customize the look of the form using HTML/CSS code and use Google Apps Script to create a customized notification email that sends the inquiry contents straight to your inbox. Just reach out and I’ll explain more!

How to Make Google Forms HIPAA-Compliant

1. Sign Up for a Google Workspace Account

You’ll need a Google Workspace account, typically the Business Standard plan or higher, to qualify for HIPAA compliance. This account is paid, but it’s much cheaper than specialized HIPAA-compliant form solutions. Plus, you’ll need it for many other reasons when running your private practice!

When you sign up, make sure you’re using your therapy practice’s domain name (like yourpractice.com) rather than gmail.com.

2. Sign Google’s Business Associate Agreement (BAA)

A Business Associate Agreement (BAA) is basically a promise between you and Google that both parties will protect patient information according to HIPAA security rules. Without this agreement, Google Forms can’t be HIPAA-compliant.

Here’s how to sign the BAA:

  1. Log in to the Admin console with your administrator account
  2. Navigate to the Account section, then find Account settings, and look for the Legal and Compliance area
  3. Look for the section labeled Security and Privacy Additional Terms
  4. Find and select the HIPAA Business Associate Amendment option for Google Workspace
  5. Read through the agreement carefully, and confirm that you qualify as a HIPAA-covered entity
  6. Complete the acceptance process (click OK)

This agreement officially designates Google as your “Business Associate” under HIPAA regulations, making them partly responsible for safeguarding any patient data stored in your Google Forms.

Visual showing how to sign Google BAA.

3. Configure Proper Access Controls and Security Measures

Once you sign the BBA, there’s not THAT much more that you need to do to make your Google Forms HIPAA-compliant, especially if we’re talking about the contact form on your website.

According to The HIPAA Journal, you should:

  • Restrict form sharing to only people within your organization
  • Set default visibility to private so only the creator can see the form initially
  • Manage access permissions carefully for each form containing sensitive patient data

Overall, make sure that the forms with patient data are only shared with team members who legitimately need access to that information as part of their job responsibilities.

There are also important boxes that your website and internal systems need to check, such as data encryption and other HIPAA requirements. Many of them can be satisfied by building a HIPAA-compliant website.

You can learn more by reading through Google’s handy HIPAA Implementation Guide, too!

4. Make Sure Third-Party Integrations Are Also HIPAA-Compliant

One of the trickiest aspects of HIPAA compliance with Google Forms is making sure that they’re connected to other services or tools in a HIPAA-compliant way.

For example, when someone fills out your Google Form, maybe the responses automatically save to Google Sheets. In this case, your Google Sheets also need to be HIPAA-compliant.

If you’ve set up other integrations, make sure to check how they’re handling secure sensitive healthcare data (if any of it spills over through Google Forms).

I typically recommend either creating notifications that simply alert you to check the form OR utilizing Google Apps Script in Google Workspace to create a notification email built within Google Workspace, so that way you’re not messing with any third-party apps or add-ons.

5. Train Your Staff on Google Forms HIPAA Compliance

Properly setting up your Google Forms eliminates most HIPAA compliance risks, but when your staff members don’t understand why your security measures are important, they might try to work around them for convenience.

If you run a private practice and have office assistants or other staff members, have a conversation with them. Explain how to properly access and handle form responses containing health information, which types of information should never be collected on non-compliant forms, and other important HIPAA privacy rules.

Creating and Embedding Your Google Forms

Once you’ve set up the HIPAA compliance fundamentals, you can create your actual form! Here’s how to do it. This is specifically for adding a contact form to your website:

  1. Head over to Google Forms while logged into your Google Workspace account (the one covered by your BAA).
  2. Open a Blank Form.
Opening a blank form to create a Google Form.
  1. Add your response fields. For contact forms, I usually recommend keeping it simple with First Name, Last Name, Email, Inquiring About, and Message. Make all fields required so you get complete information.
  2. Once you’re done setting up your form, click Settings.
  3. Under Defaults > Form Defaults, make sure that “Collect email addresses by default” is set to Do not collect.
Important setting to make a Google Form HIPAA-compliant.
  1. In the Responses tab, click View in Sheets to create your response spreadsheet.
  2. Double-check that your spreadsheet sharing is restricted to only people in your organization.
  3. Back in Responses, click the three dots menu and select Get email notifications for new responses.

Your Google Form is now all ready to go on your contact page! Here’s how to add it there:

  1. Click the Send button in the top right corner.
  2. Select Send via and click the brackets icon for Embed HTML.
Finding your HIPAA-compliant Google Form's HTML to embed it.
  1. Copy the code that appears, this is what you’ll add to your website.
  2. Log in to your website builder.
  3. Find the option to add embedded code (I use Showit with all my clients; in there, you can click the plus sign and select Embed Code).
Embedding your Google Form.
  1. Paste your copied code and save it.
Embedding HIPAA-compliant Google Form.
  1. Adjust the dimensions of your form to fit your page layout (remember to check both desktop and mobile views!).
Successfully embedded HIPAA-compliant Google Form.
  1. Preview, publish, and test your form by submitting a practice inquiry.

That’s it! Now your contact form supports HIPAA compliance.

Customizing Your Google Forms

Standard Google Forms aren’t the prettiest thing to look at…but you can make them match your therapy practice’s branding! The easiest way to do this is using Google Forms’ built-in customization options. You can add your logo to the header and choose colors that go along with your brand’s palette.

This approach can work fine for many private practices. But, unfortunately, the form will still look recognizably like a Google Form.

I use custom HTML/CSS coding to fully customize Google Forms for my clients so they match your exact brand fonts and colors and look good when embedded on your website! Reach out to me if you need help with this 🙂

I’ll also create a Thank You page that your contact form will redirect to when the form is submitted. This creates a much better experience for your potential clients and confirms that their message was successfully sent.

Examples of HIPAA-Compliant Google Forms

Jodi Berman, PhD

Jodi Berman as an example of a HIPAA compliant contact form created through Google Forms.

Jodi Berman, PhD, is a Licensed Clinical Psychologist who offers in-person and online psychotherapy to adults in Westport and across Connecticut. I designed Jodi’s branding and website, including her contact form! It’s set up through Google Forms, but seamlessly integrates with her colors and style.

The Vibrant Tapestry

The Vibrant Tapestry as an example of a HIPAA-compliant Google Form on the contact page.

For my brand & web design client The Vibrant Tapestry, an online therapist for aging adults in Washington State, I created a contact form through Google Forms and custom-coded it to perfectly match her earthy, warm, and a little funky aesthetic!

Sage & Bloom Wellness

Sage & Bloom Wellness as an example of a HIPAA-compliant contact form.

Sage & Bloom Wellness is a private therapy practice for women in Nevada, New Jersey & Pennsylvania. I designed their brand & website to feel holistic, high-end, and gentle, and then custom-coded their Google Form to integrate on the contact page.

You can see more examples of branding & website design I’ve created for therapists and other creatives in my Portfolio!

Alternatives to Google Forms for HIPAA Compliance

If you don’t want to use Google Forms, there are other options available, such as:

  • Therapy-Specific Practice Management Systems: Many therapists already use platforms like SimplePractice for scheduling and client management. These systems typically include HIPAA-compliant intake forms and contact forms built right in. But these forms usually live on a separate portal, not directly on your website, so it’s a less seamless experience for your potential clients.
  • Direct Email Contact: For contacting you specifically, sometimes the simplest solution is just linking your Google Workspace email (the one covered by your BAA) directly on your website. With this setup, your potential clients simply click your email link and reach out directly from their email account. However, you’ll miss out on capturing structured information that helps you respond more effectively. In my opinion, this approach can end up being pretty disorganized.

If you want to use your email, you MUST use your HIPAA-compliant Google Workspace email, not a personal Gmail account or regular business email that isn’t covered by a BAA!

So, Is Google Forms HIPAA-Compliant?

Google Forms aren’t automatically compliant with HIPAA, but they definitely can be if you set them up correctly. You’ll need to use them through a paid Google Workspace account and sign Google’s Business Associate Agreement (BAA). You’ll also need to configure appropriate access controls and security settings.

If you’re using any third-party tools or services together with the Google Forms, they must be set up in a HIPAA-compliant manner, too.

For therapists, speech therapists, physical therapists, and other healthcare providers who need to collect sensitive information through their websites, Google Forms are a great option because they’re secure and customizable (with coding!).

At Rose Benedict Design, I regularly work with private practice owners on branding, website design, and creating + customizing HIPAA-compliant Google Forms for their contact pages. Get in touch or learn more about my services!