HIPAA-Compliant Contact Form for Your Website

If you’re running a private practice or working as a therapist, you need a HIPAA-compliant contact form on your website so prospective clients can reach out safely. 

Some practices turn to expensive software subscriptions, but you can create a contact form using a subscription you’re already paying for, such as Google Forms (from Google Workspace) or Microsoft Forms (from Microsoft 365).

For advanced needs, such as an online form with the ability to attach an electronic signature, you’ll need a dedicated HIPAA-compliant form builder, and I’ll discuss a few options in this guide. 

However, the main focus of this article will be on creating a HIPAA-compliant contact form for your private practice website using Google Forms or Microsoft 365.

As a brand and website designer, I regularly set up HIPAA-compliant contact forms for my private practice and therapist clients. You can reach out to learn more about this service, or keep reading to discover how to create your own form!

What Is a HIPAA Compliant Contact Form?

A HIPAA-compliant contact form is a secure way for potential clients to share their information with your practice. 

If you’re a therapist, a private practice, or a healthcare provider, your contact form must be compliant with HIPAA regulations to protect your clients’ privacy.

Even basic details like “I need help with my teenager’s behavioral issues” count as protected health information that requires proper safeguarding and HIPAA-compliant web forms.

Your contact form needs to meet specific security requirements to be HIPAA-compliant, such as:

• Business Associate Agreement (BAA) with your form provider: This legally requires the platform to protect patient information according to HIPAA standards.
• Data encryption both in transit and at rest: Information must be encrypted when it’s being sent and when it’s stored.
• Proper access controls: Only authorized team members can view form responses containing sensitive information.
• Secure data storage: Patient information must be stored on HIPAA-compliant servers with appropriate security measures.
• Audit logs and monitoring: The system should track who accesses patient data and when.
• Automatic session timeouts: Forms should log out users after periods of inactivity to prevent unauthorized access.

The form itself should collect only the essential information you need to respond effectively, such as name, email, phone number, and a message describing what type of support they’re seeking.

You’ll want to keep it simple, but at the same time, make sure you have enough details to give a helpful initial response.

Your contact form is just one piece of your HIPAA-compliant website, so there will be other steps you’ll need to take to make sure your website protects your clients’ privacy.

How to Create a HIPAA-Compliant Contact Form

You have two main options for creating a HIPAA-compliant contact form.

The first is subscribing to a specialized platform that handles HIPAA-compliant forms automatically. However, these subscriptions can get expensive, especially for solo practitioners or small practices.

The second option is building your own HIPAA-compliant contact form using tools you might already have access to: Google Workspace or Microsoft 365. Both platforms can be configured to meet HIPAA requirements when set up correctly, which makes them cost-effective alternatives to create forms.

Google Workspace Forms

To create a HIPAA-compliant contact form with Google Forms, you’ll need a Google Workspace account (such as Business Standard or higher). Your regular Gmail account won’t work. 

You’ll also need to sign Google’s Business Associate Agreement (BAA).

Here’s the basic process:

1. Sign up for Google Workspace using your practice’s domain name.
2. Sign the BAA through your Admin console under Security and Privacy Additional Terms.
3. Configure proper access controls by restricting form sharing to only people in your organization
4. Create your form with essential fields like name, email, and message.
5. Embed the form on your website using the HTML code Google provides.
6. Ensure any customized settings (like response to Google Sheets) are also HIPAA-compliant.

Once you’ve completed these steps, you can customize your form to match your practice’s branding using Google’s built-in options or custom coding for a more professional appearance.

It’s also a good idea to make sure you get email notifications about form submissions. If you want inquiry details in your email notifications, you can use Google Apps Script to do this.

I have a detailed tutorial on how to create a HIPAA-compliant contact form using Google Forms that you may find helpful if you want to DIY. You can also reach out to me for help with creating this form!

For example, one of my clients, Jodi Berman, is a Westport, Connecticut-based therapist. I created her contact form using Google Forms in her Google Workspace account with custom coding to ensure HIPAA compliance and match her branding:

The form looks professional and integrated with her website design, and it protects all client data according to HIPAA standards during the data collection process.

Microsoft 365

If you already have Microsoft Office, the easiest thing may be to create a HIPAA-compliant contact form using Microsoft 365. To do this, you’ll need a Microsoft 365 business plan (Basic, Standard, or Premium). 

Microsoft automatically enters you into a Business Associate Agreement (BAA) if you identify your organization as being subject to HIPAA during setup.

Here’s a breakdown of the setup process:

• Choose the right Microsoft 365 plan because personal accounts don’t support HIPAA compliance.
• Verify your BAA status and obtain a copy of your BAA by following these instructions.
• Configure security settings, including data loss prevention policies, multi-factor authentication, and email encryption.
• Set up your Microsoft Form with proper access controls (anyone can respond, but only your organization can view submissions).
• Create automated notifications using Power Automate to send alerts to your email within the Microsoft environment.
• Embed the form on your website using Microsoft’s embed code.

Microsoft Forms doesn’t allow the same level of visual customization as Google Forms, but you can still adjust elements like fonts and colors to make your contact form look more branded.

For example, here’s a contact form I created using Microsoft 365 for my client Rise Neuro Rehab, a neurologic physical therapy in Tacoma and the South Sound:

Even though Microsoft Forms has more limited customization options compared to Google Forms, I was able to match their branding through the available font and color settings. You just won’t be able to use CSS coding.

I have a detailed tutorial on how to create a HIPAA-compliant contact form using Microsoft 365, or you can reach out to me for help!

Paid HIPAA-Compliant Online Forms

For contact forms on your website, Google Workspace or Microsoft 365 should handle everything you need.

However, if you’re looking for more advanced functionality, such as patient intake forms, consent forms, forms that require patient signatures, and other HIPAA compliance forms, you may want to consider specialized paid software.

Popular options include:

• FormDR
• HIPAAtizer
• FormHippo
• Jot Forms
• SimplePractice
• Jane App

These platforms offer more sophisticated features for collecting electronic protected health information (ePHI). But for contact forms that allow potential clients to reach out and introduce themselves, Google Forms in Google Workspace and Microsoft 365 work great!

Choosing Your HIPAA Compliant Contact Form

Overall, Google Forms in Google Workspace or Microsoft 365 can be the right option for you if you need a simple contact form for initial inquiries to put on your website. 

You can customize them to match your branding, and they can easily integrate with other tools you’re already using.

That said, you’ll need to pay for specialized HIPAA software if you need to:

• Schedule appointments through the form
• Create intake forms for patients to share their medical history
• Have access to advanced features like conditional logic
• Ask patients to sign consent forms or other digital forms

For most therapists and small private practices, a well-designed contact form using Google Forms within Google Workspace or Microsoft 365 gives you everything you need for a secure and professional solution.

More Examples of HIPAA-Compliant Contact Forms

The Vibrant Tapestry

The Vibrant Tapestry is a therapy practice in Washington state for aging adults. Renee helps them figure out how to honor their unique stories, perspectives, and complexities.

As Renee’s designer, I created her brand identity and Showit website, and it included a HIPAA-compliant contact form made with Google Forms:

Community Connections Therapy

Community Connections Therapy is a speech and language therapy practice in Columbus, Ohio. Founded by twin sisters, they empower parents and children through education, speech and language therapy, and community involvement.

I designed this practice’s earthy, welcoming, and a little boho-inspired website, along with their HIPAA-compliant contact form:

Sequoia Therapy Group

Sequoia Therapy Group is a therapy practice in Columbus, Ohio. They work with individuals, couples, and families on a variety of challenges, and they wanted their therapist website to be warm, earthy, and welcoming, with a particular focus on SEO. Here’s their contact form:

Sage & Bloom Wellness

Sage & Bloom Wellness is a therapy practice for women, focusing on holistic therapy (including EMDR and trauma therapy) as well as nutritional services in Nevada, New Jersey & Pennsylvania. The owner, Elizabeth, wanted her branding, website, and contact form to convey a sense of boutique sophistication:

FAQs

What Makes an Online Form HIPAA-Compliant?

An online form becomes HIPAA-compliant when it meets specific security requirements to protect sensitive patient data. This includes having a Business Associate Agreement (BAA) with your form provider, proper data encryption, secure storage on compliant servers, and controlled access so only authorized people can view submissions. The form platform must also have audit logs, automatic timeouts, and other security measures in place to safeguard any protected health information that gets submitted.

Do Contact Forms Need to Be HIPAA-Compliant?

Yes, contact forms on therapists’, private practices’, healthcare organizations’, and other covered entities’ websites need to be HIPAA-compliant because even basic inquiries contain protected health information. When someone writes “I need help with my anxiety,” that counts as health information under HIPAA. Since you can’t control what potential clients will share in their initial contact, your form needs to be set up to protect any sensitive information they might include.

Are Google Forms HIPAA-Compliant?

Google Forms aren’t HIPAA-compliant by default, but they can be when you configure them to be. You need a paid Google Workspace account (not a free Gmail account) and must sign Google’s Business Associate Agreement. Once you’ve completed the setup process and configured proper security settings, Google Forms can safely handle protected health information for your practice.

Is Microsoft Forms HIPAA-Compliant?

Microsoft Forms can be HIPAA-compliant when used with a qualifying Microsoft 365 business plan and proper configuration. Microsoft automatically enters you into a Business Associate Agreement when you identify your organization as being subject to HIPAA, but you’ll need to obtain a copy for your records to verify this agreement is in place. You’ll also need to set up the right security controls. Microsoft Forms is considered an “in-scope service” under their BAA, meaning it’s covered by their HIPAA compliance protections when configured correctly.

Is There a Standard HIPAA Form?

There’s no single “standard HIPAA form” that works for every practice. HIPAA compliance is about how you handle and protect patient information. You don’t need to follow a specific form template. However, there are requirements that all HIPAA forms have to comply with.

Is there a way to add an anti-spam filter or CAPTCHA to Google Forms?

Yes! While Google Forms doesn’t have built-in CAPTCHA, you can implement effective anti-spam filtering using custom HTML/CSS and JavaScript through Google Apps Script. This approach can filter out approximately 90% of bot-generated spam while keeping your form fully HIPAA-compliant.

Since this solution uses coding techniques rather than third-party plugins, there are no additional integrations that could compromise HIPAA compliance. This technique requires technical expertise to implement, but this is something that I’ve done for my private practice clients using Google Workspace forms! 

So, How to Make a Form HIPAA-Compliant?

First, decide whether you want to use a free option (Google Forms within Google Workspace or Microsoft 365) or invest in paid specialized software. 

If you choose the free (well, technically not fully free, but you’re already paying for the subscription!) route, pick between Google Forms (with Google Workspace) or Microsoft Forms (with Microsoft 365 business plans).

Next, sign the required Business Associate Agreement with your chosen provider, configure proper security settings and access controls, create your form with essential fields only, and embed it on your website. 

Finally, test everything to make sure it works smoothly!

If this process seems overwhelming or you want a professionally designed form that matches your branding, get in touch with me! I’ll help you create a custom HIPAA-compliant contact form using Google Forms or Microsoft 365.