
How to Build HIPAA-Compliant Forms with Gravity Forms

Building HIPAA-compliant forms on WordPress with Gravity Forms requires more than just installing the plugin. This guide walks through hosting, encryption add-ons, notification gotchas, access controls, and the 7-step checklist to get it right.

Listicler Team, Expert SaaS Reviewers
April 22, 2026
11 min read

If you run a healthcare website on WordPress and need to collect patient information, appointment requests, intake data, or anything that qualifies as Protected Health Information (PHI), you cannot just drop a form on a page and call it a day. HIPAA is unforgiving, and the fines for even accidental exposure of PHI are brutal — we are talking $100 to $50,000 per violation, with annual caps up to $1.5 million.

The good news: you can absolutely build HIPAA-compliant forms on WordPress using Gravity Forms (Basic License from $59/year for 1 site, Pro from $159/year for 3 sites, Elite from $259/year for unlimited sites), but it takes more than just installing the plugin. Gravity Forms itself is a powerful form builder, but HIPAA compliance is a combination of the plugin, your hosting, your storage, your notifications, and your internal policies. This guide walks through exactly what you need to configure — and what gotchas will trip you up if you are not paying attention.

What HIPAA Actually Requires From a Form

Before touching Gravity Forms, you need to understand what the Health Insurance Portability and Accountability Act actually demands when a form collects PHI. In short, any form that touches patient-identifiable health information must protect it at three stages: in transit, at rest, and during any secondary processing (email notifications, CRM sync, backups).

That translates to a concrete checklist:

  • Encryption in transit — TLS 1.2 or higher, enforced everywhere
  • Encryption at rest — stored entries and attachments must be encrypted on disk
  • Access controls — only authorized users can view submissions
  • Audit logs — who viewed, edited, or exported what, and when
  • Signed Business Associate Agreements (BAAs) with every vendor that touches the data
  • No PHI in email notifications (or encrypted if unavoidable)
  • Data retention and disposal policies
  • Breach notification procedures

Gravity Forms alone does not give you all of this out of the box. You get the form engine and a solid foundation. You layer compliance on top of it.

Step 1: Get Your Hosting in Order First

This is the step everyone skips, and it is the step that actually kills compliance. Your WordPress host stores the database where Gravity Forms entries live. If your host will not sign a BAA, you are not HIPAA compliant — period. It does not matter how locked down your form is.

Use a HIPAA-ready WordPress host that will sign a BAA. Common choices include WP Engine (with their HIPAA-compliant plan), Pressable, Kinsta (enterprise), or self-hosted on AWS/GCP/Azure where you can sign a BAA directly with the cloud provider. Avoid generic shared hosting like Bluehost or GoDaddy for anything HIPAA-related.

While you are at it, make sure:

  • SSL/TLS is enforced site-wide (HTTPS only, HSTS enabled)
  • Database-level encryption at rest is on
  • Automatic backups are encrypted and stored in a BAA-covered location
  • PHP version is current and patched

Once your hosting foundation is HIPAA-ready, you can move on to the form layer.

Step 2: Install Gravity Forms and a Compliance Add-On

Gravity Forms by itself is not marketed as a HIPAA solution, but it is extensible enough that you can make it one. The most common approach is to pair it with a dedicated HIPAA add-on.

HIPAA Forms by HIPAAtizer is probably the most popular option — it is a Gravity Forms-compatible add-on that adds entry-level encryption, audit logging, and a signed BAA from the vendor. Install it alongside Gravity Forms and it transparently encrypts every form entry using AES-256 before it hits your database.

Alternatively, you can use Forms HIPAA or build your own encryption layer using Gravity Forms hooks (gform_entry_pre_save and gform_entries_field_value), but unless you have a developer who genuinely understands cryptographic key management, use a vetted add-on. Rolling your own encryption is how you end up in a breach notification letter.

If you are comparing your options across form builders first, check out our roundup of the best WordPress form plugins for business sites to understand the landscape.

Step 3: Configure the Form Itself

Now the actual form work. Inside Gravity Forms:

Use the right field types

Mark any field that collects PHI (name, DOB, SSN, medical details, insurance info) appropriately. Use the Advanced fields where possible — they give you better validation. For Social Security Numbers, use a text field with an input mask and strict regex validation, not a plain single-line text field.
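As an added example (not code from the article or from Gravity Forms), here is the strict server-side check to pair with the 999-99-9999 input mask. It assumes form ID 3 and field ID 7 as placeholders, and rejects the area, group and serial values the Social Security Administration never issues, not just malformed input.

```php
<?php
// Added example: strict SSN validation for an intake form via the
// gform_field_validation_{form_id}_{field_id} filter. Form ID 3 and
// field ID 7 are placeholder values; the field uses a 999-99-9999 mask.

/**
 * True only for a well-formed SSN (999-99-9999) whose parts can actually
 * be issued: area is not 000, 666 or 900-999; group is not 00; serial
 * is not 0000.
 */
function hipaa_example_is_plausible_ssn( $value ) {
    if ( ! preg_match( '/^(\d{3})-(\d{2})-(\d{4})$/', $value, $m ) ) {
        return false;
    }
    list( , $area, $group, $serial ) = $m;
    if ( '000' === $area || '666' === $area || '9' === $area[0] ) {
        return false;
    }
    if ( '00' === $group || '0000' === $serial ) {
        return false;
    }
    return true;
}

add_filter( 'gform_field_validation_3_7', function ( $result, $value, $form, $field ) {
    // An empty value is left to the field's own "required" check.
    if ( $result['is_valid'] && '' !== $value && ! hipaa_example_is_plausible_ssn( $value ) ) {
        $result['is_valid'] = false;
        // Keep the message generic: never echo the submitted value back to the page.
        $result['message'] = 'Please enter a valid Social Security Number (999-99-9999).';
    }
    return $result;
}, 10, 4 );
```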

Disable browser autofill on sensitive fields

In the field's appearance settings, set autocomplete="off". This prevents the browser from caching PHI locally.

Turn off entry storage selectively if you do not need it

If the form's only purpose is to forward information to an encrypted EHR via API, you can disable database entry storage entirely using the gform_disable_entry_creation filter. No stored data means nothing to breach. This is the strongest form of protection — but only works if you are confident the API receiver is also HIPAA-compliant and has a BAA.

Enable conditional logic carefully

Conditional logic is a Gravity Forms superpower, but be careful: if you branch based on a sensitive answer, that branching event itself may leak information through analytics or logs. Avoid sending conditional logic events to Google Analytics or any third-party tracker.

Step 4: Lock Down Notifications (This Is the #1 Mistake)

This is where most "HIPAA-compliant" WordPress setups actually fall apart. The form may be encrypted, but then Gravity Forms fires off an email notification containing every field the patient just submitted — in plain text, through regular SMTP, to a Gmail inbox. That is a HIPAA violation even if the database is fully encrypted.

Your options, in order of preference:

  1. Do not include PHI in notifications at all. Send a generic "New submission received — log in to view" email. Staff logs into the HIPAA-compliant admin area to see the data.
  2. Use an encrypted email gateway like Paubox or Virtru that has a BAA, integrated via SMTP plugin.
  3. Use secure internal messaging (Slack with a BAA on Enterprise Grid, Microsoft Teams with a BAA) via webhook, with only notification metadata — not PHI.

Inside Gravity Forms, edit each notification and strip any merge tags that contain PHI. Use only {form_title} and {entry_id}. Link back to the admin entry view.
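One way to enforce this in code rather than relying on each notification template being edited correctly, as an added example that is not from the article or from Gravity Forms: a `gform_notification` filter that overwrites the subject and body of every notification on PHI-collecting forms, handles the patient-facing autoresponder separately (it must not echo the submission back either), and clears attachments. The form IDs are placeholders; the admin entry URL is built from the standard `page=gf_entries&view=entry` query.

```php
<?php
// Added example: pin every notification on PHI forms to a generic message,
// whatever the template in the form editor says. Form IDs are placeholders.

/** IDs of forms that collect PHI (assumed values; adjust for your site). */
function hipaa_example_phi_form_ids() {
    return array( 3, 5 );
}

/** Link to the entry in the Gravity Forms admin entry view. */
function hipaa_example_entry_admin_url( $form_id, $entry_id ) {
    return admin_url( 'admin.php?page=gf_entries&view=entry&id=' . (int) $form_id . '&lid=' . (int) $entry_id );
}

/**
 * Staff-facing body: only the {form_title} and {entry_id} merge tags plus the
 * admin link, so no field value can appear. Gravity Forms expands the tags
 * after this filter has run.
 */
function hipaa_example_staff_message( $form, $entry ) {
    return 'New submission received for {form_title} (entry {entry_id}). '
         . 'Log in to view it: ' . esc_url( hipaa_example_entry_admin_url( $form['id'], $entry['id'] ) );
}

add_filter( 'gform_notification', function ( $notification, $form, $entry ) {
    if ( ! in_array( (int) $form['id'], hipaa_example_phi_form_ids(), true ) ) {
        return $notification;
    }
    if ( 'field' === ( $notification['toType'] ?? '' ) ) {
        // Autoresponder addressed to the submitter: acknowledge only, echo nothing back.
        $notification['subject'] = 'We received your submission';
        $notification['message'] = 'Thank you. Our staff will follow up through a secure channel.';
    } else {
        $notification['subject'] = 'New submission: {form_title} ({entry_id})';
        $notification['message'] = hipaa_example_staff_message( $form, $entry );
    }
    // Uploaded files must never ride along, whatever another filter attached.
    $notification['attachments'] = array();
    return $notification;
}, 10, 3 );
```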

Step 5: Set Up Access Controls and Audit Logging

Gravity Forms has native role-based access controls. Use them.

  • Create a HIPAA Reviewer role with only the gravityforms_view_entries capability. No editing, no exporting.
  • Require strong passwords and two-factor authentication for every user with access (use a plugin like Wordfence Login Security or WP 2FA).
  • Install an audit log plugin — WP Activity Log is the standard — and configure it to log every Gravity Forms entry view, edit, export, and deletion. Store logs for at least six years, which is the HIPAA retention requirement.
  • Regularly review who has access. Offboard departed staff immediately.
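The reviewer role from the first bullet, as an added example (not code from the article or from Gravity Forms), together with a helper that reports whether any role still carries the capabilities that edit, delete or export entries, so the "view only" claim can be checked during the access review. The role slug and display name are assumed.

```php
<?php
// Added example: a view-only reviewer role plus a capability audit helper.
// Role slug 'hipaa_reviewer' is an assumed value.

/** Gravity Forms capabilities that change or exfiltrate entry data. */
function hipaa_example_write_caps() {
    return array(
        'gravityforms_edit_entries',
        'gravityforms_delete_entries',
        'gravityforms_export_entries',
        'gravityforms_edit_entry_notes',
        'gform_full_access', // grants every Gravity Forms capability at once
    );
}

/** Register the role once; add_role() returns null when it already exists. */
function hipaa_example_register_reviewer_role() {
    return add_role( 'hipaa_reviewer', 'HIPAA Reviewer', array(
        'read'                      => true, // needed to reach the dashboard at all
        'gravityforms_view_entries' => true, // view only: no edit, delete or export
    ) );
}
add_action( 'init', 'hipaa_example_register_reviewer_role' );

/**
 * Return the write/export capabilities a role still holds. An empty array
 * means the role is view-only; anything else should be removed with
 * $role->remove_cap() or justified in the risk assessment.
 */
function hipaa_example_role_leaks( $role_slug ) {
    $role = get_role( $role_slug );
    if ( ! $role ) {
        return array();
    }
    $leaks = array();
    foreach ( hipaa_example_write_caps() as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            $leaks[] = $cap;
        }
    }
    return $leaks;
}
```

Run `hipaa_example_role_leaks()` over every role that is allowed to see entries, not just the reviewer role, since an Editor role that picked up `gravityforms_export_entries` from an earlier plugin is the more common finding.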

Step 6: Handle File Uploads Carefully

Gravity Forms supports file uploads, which is great for insurance cards and medical records — but by default, uploaded files are stored in /wp-content/uploads/gravity_forms/ with obfuscated URLs. That is not sufficient protection. Anyone who guesses the URL can retrieve the file.

At minimum:

  • Enable the Secure File Upload setting in Gravity Forms (moves files outside the web-accessible directory).
  • Or use an add-on that stores uploads in an encrypted S3 bucket with a signed BAA from AWS.
  • Never allow files in notification email attachments.

Step 7: Test, Document, and Train

HIPAA compliance is a moving target. Once your form is live:

  • Run a penetration test or at least a thorough security scan (Sucuri, Wordfence).
  • Document your entire setup in a risk assessment — what data you collect, where it flows, who has access, what vendors touch it, and what their BAAs cover.
  • Train every staff member who touches the form on what PHI is and how to handle it.
  • Set a calendar reminder every six months to re-audit. Hosts change policies, plugins update, staff turns over.

Do You Actually Need Gravity Forms for This?

Honest answer: if HIPAA is your only use case and you are not already deep in the WordPress ecosystem, a purpose-built service like JotForm HIPAA, Formstack HIPAA, or Typeform's enterprise tier may be simpler. They handle the compliance layer for you — no add-ons, no hosting gymnastics.

But if you already run a WordPress site, have other Gravity Forms use cases, and want everything under one roof, Gravity Forms + a HIPAA add-on + a compliant host is a very workable stack. You get the flexibility and ownership of WordPress with the compliance layer bolted on cleanly. For a broader look at what else Gravity Forms can do beyond healthcare, see our guide to the best form builders for WordPress.

A Quick Reality Check

HIPAA compliance is not a checkbox. It is an ongoing program. The tools described above — Gravity Forms, a compliant host, an encryption add-on, audit logging — get you the technical safeguards. But HIPAA also requires administrative safeguards (written policies, workforce training, incident response plans) and physical safeguards (securing the devices staff use to access PHI).

If you are a solo practitioner or a small clinic, strongly consider hiring a HIPAA compliance consultant for a one-time audit once your form is live. A few hundred dollars of expert review is cheap insurance against a five-figure fine.

Frequently Asked Questions

Is Gravity Forms HIPAA-compliant by default?

No. Gravity Forms is not HIPAA-compliant out of the box. It is a form builder, not a compliance platform. You have to add encryption (via a compliance add-on), use a HIPAA-ready host with a signed BAA, configure notifications to exclude PHI, and implement access controls and audit logging. The plugin itself is extensible enough to support compliance, but you are responsible for assembling the pieces.

Does the Gravity Forms company sign a BAA?

Rocketgenius (the company behind Gravity Forms) does not typically sign Business Associate Agreements because the plugin is self-hosted on your server — they never touch your data. The BAAs you need are with your hosting provider, your email/notification service, and any third-party integrations (Stripe, Mailchimp, etc.) that receive form data.

Can I use the Gravity Forms Stripe add-on for HIPAA-covered payments?

Stripe will sign a BAA on their enterprise tier, but the default Stripe integration with Gravity Forms may transmit metadata that includes PHI. If you are billing for healthcare services, keep the payment form separate from the medical intake form, and confirm that no PHI flows through the payment processor unless Stripe has specifically approved it under a BAA.

What happens if a form submission accidentally includes PHI I did not plan for?

This is actually common — patients write medical details in "Additional comments" fields. Treat every free-text field on a healthcare form as if it will contain PHI, and apply the full encryption and access control stack accordingly. Do not assume the field is safe just because you did not label it as medical.

Do I need HIPAA compliance for an appointment request form?

If the form collects name plus any health-related context (specialty requested, reason for visit, current symptoms), yes — that combination is PHI. Even a form that just asks "What are you seeing the doctor for?" is collecting PHI the moment the patient answers.

How long do I need to keep Gravity Forms entries?

HIPAA requires most PHI-related records to be retained for six years. That includes audit logs, access records, and the data itself (unless the patient has requested deletion under a state-specific law like CMIA in California). Set up automated retention policies and make sure your backups also respect them.

Is a free SSL certificate from Let's Encrypt enough for HIPAA?

Technically yes — HIPAA requires encryption in transit, not a specific certificate authority. A Let's Encrypt cert providing TLS 1.2+ is fine from a compliance standpoint. What matters is that you enforce HTTPS everywhere, disable weak ciphers, and keep the cert auto-renewing. You can check out more productivity and security tools that complement this setup.