
HIPAA Compliant Forms: Secure Data Collection for Healthcare Websites

Healthcare organizations building websites on WordPress face a forms challenge that doesn’t exist in most other industries: patient intake forms, appointment requests, contact forms, and payment forms all potentially touch Protected Health Information (PHI), which means HIPAA applies to how that data is collected, transmitted, and stored. Most standard WordPress form plugins don’t meet these requirements.

Convesio + ConvesioPay provides the complete HIPAA-compliant WordPress stack — HIPAA hosting, payment processing, and BAAs covering both layers. Get started →


1. When Are WordPress Forms Subject to HIPAA?

A WordPress form is subject to HIPAA when it collects information that constitutes PHI — Protected Health Information. PHI is any individually identifiable information relating to a person’s health, healthcare, or payment for healthcare.

Forms that typically involve PHI:

  • Patient intake forms (health history, medications, allergies)
  • Appointment request forms (reason for visit, symptoms)
  • Contact forms on medical practice websites (any form where patients describe their condition)
  • Payment forms on patient portals (balance tied to medical services)
  • Prescription refill request forms
  • Insurance information collection forms

A basic contact form that only collects name, phone, and “I’d like to schedule an appointment” might not be PHI on its face, but once it’s associated with a patient record, it becomes PHI. In practice, most healthcare website forms should be treated as potentially involving PHI.


2. What HIPAA-Compliant Forms Require

Encryption in Transit

All form data must be transmitted over encrypted connections (HTTPS/TLS). This is a baseline requirement that any WordPress site should already meet, but healthcare sites must ensure that every form submission goes over TLS 1.2 or higher.

Encryption at Rest

PHI collected via forms must be encrypted when stored. This applies to form submission data stored in your WordPress database, form entries stored by your form plugin, and any email notifications that include form data.

Business Associate Agreement (BAA) with Form Provider

Your form plugin provider is a business associate if its servers process or store form submissions containing PHI. Many popular form plugins use cloud storage or send submissions to third-party servers; those providers must sign BAAs.

Access Controls

Access to form submission data should be limited to staff who need it for treatment, payment, or healthcare operations. Role-based access controls in WordPress can enforce this.

Audit Logging

HIPAA requires tracking who accessed PHI. Your form system should log access to submission data.
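As an added example (not Convesio's code and not any form plugin's), here are the requirements above expressed in WordPress terms: a submission is refused unless it arrived over HTTPS, it is encrypted with AES-256-GCM before it reaches the database, reading it requires a custom capability, and every read is written to an audit table. The key constant PHI_FORM_KEY, the tables wp_phi_submissions and wp_phi_access_log, and the capability read_phi_submissions are assumed names; the tables would be created on plugin activation.

```php
<?php
// Added example (not Convesio's or any form plugin's code). Assumed names:
// PHI_FORM_KEY (constant in wp-config.php, base64 of 32 random bytes),
// wp_phi_submissions and wp_phi_access_log (tables created on activation),
// read_phi_submissions (custom capability for staff who need PHI).

const PHI_CIPHER = 'aes-256-gcm';

function phi_key(): string {
    if ( ! defined( 'PHI_FORM_KEY' ) ) {
        throw new RuntimeException( 'PHI_FORM_KEY must be defined in wp-config.php' );
    }
    $key = base64_decode( PHI_FORM_KEY, true );
    if ( $key === false || strlen( $key ) !== 32 ) {
        throw new RuntimeException( 'PHI_FORM_KEY must decode to 32 bytes' );
    }
    return $key;
}

// Returns base64( iv || tag || ciphertext ). GCM authenticates the blob, so a row
// edited directly in the database fails to decrypt instead of yielding garbage.
function phi_encrypt( string $plaintext ): string {
    $iv  = random_bytes( 12 );
    $tag = '';
    $ct  = openssl_encrypt( $plaintext, PHI_CIPHER, phi_key(), OPENSSL_RAW_DATA, $iv, $tag );
    if ( $ct === false ) {
        throw new RuntimeException( 'encryption failed' );
    }
    return base64_encode( $iv . $tag . $ct );
}

function phi_decrypt( string $blob ): string {
    $raw = base64_decode( $blob, true );
    if ( $raw === false || strlen( $raw ) < 28 ) {
        throw new RuntimeException( 'malformed ciphertext' );
    }
    $pt = openssl_decrypt(
        substr( $raw, 28 ), PHI_CIPHER, phi_key(), OPENSSL_RAW_DATA,
        substr( $raw, 0, 12 ), substr( $raw, 12, 16 )
    );
    if ( $pt === false ) {
        throw new RuntimeException( 'decryption failed: wrong key or tampered row' );
    }
    return $pt;
}

// Encryption in transit + at rest: refuse plain HTTP, then store only ciphertext.
function phi_store_submission( array $fields ): int {
    if ( ! is_ssl() ) {
        wp_die( 'Submissions are accepted over HTTPS only.', '', array( 'response' => 403 ) );
    }
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'phi_submissions',
        array(
            'created_at' => current_time( 'mysql', true ),
            'payload'    => phi_encrypt( wp_json_encode( $fields ) ),
        ),
        array( '%s', '%s' )
    );
    return (int) $wpdb->insert_id;
}

// Access control + audit logging: capability check first, then record who read what.
function phi_read_submission( int $id ): array {
    if ( ! current_user_can( 'read_phi_submissions' ) ) {
        wp_die( 'Not authorized.', '', array( 'response' => 403 ) );
    }
    global $wpdb;
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT payload FROM {$wpdb->prefix}phi_submissions WHERE id = %d", $id )
    );
    if ( ! $row ) {
        wp_die( 'Not found.', '', array( 'response' => 404 ) );
    }
    $wpdb->insert(
        $wpdb->prefix . 'phi_access_log',
        array(
            'user_id'       => get_current_user_id(),
            'submission_id' => $id,
            'accessed_at'   => current_time( 'mysql', true ),
            'remote_ip'     => sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ),
        ),
        array( '%d', '%d', '%s', '%s' )
    );
    return (array) json_decode( phi_decrypt( $row->payload ), true );
}

// Grant the capability only to roles whose staff need PHI for treatment,
// payment or operations; run once, e.g. on plugin activation.
function phi_grant_capability( array $role_names = array( 'administrator' ) ): void {
    foreach ( $role_names as $name ) {
        $role = get_role( $name );
        if ( $role ) {
            $role->add_cap( 'read_phi_submissions' );
        }
    }
}
```

Two points a practitioner should keep in mind with this. The TLS version requirement (1.2 or higher) cannot be enforced from PHP; it is set in the web server or load balancer configuration, and is_ssl() only confirms the request arrived over HTTPS. And a key in wp-config.php is only as protected as the host's file permissions and backups, which is part of what the hosting BAA and the hosting provider's at-rest encryption have to cover.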


| Plugin | BAA available? | Notes |
| --- | --- | --- |
| Gravity Forms | No (stores data locally) | Data stored in your WordPress DB — HIPAA compliance depends on your hosting |
| WPForms | No | Standard version stores data locally; HIPAA compliance depends on hosting |
| Formidable Forms | No standard BAA | Same — local storage, hosting-dependent |
| HIPAASpace / Formstack | Yes — purpose-built for HIPAA | Adds cost; purpose-built for healthcare |
| Contact Form 7 | No | Sends submissions via email — not recommended for PHI |

The key distinction: form plugins that store submissions only in your WordPress database put HIPAA responsibility on your hosting infrastructure. If your hosting is HIPAA compliant (with a BAA), and the form plugin doesn’t send data to external servers, you can achieve compliance through the hosting layer. If the form plugin sends data to cloud servers or third-party email services without a BAA, that’s a compliance gap.


4. Payment Forms on Healthcare WordPress Sites

Patient payment forms where patients enter card data to pay a balance have dual compliance requirements: PCI DSS (protecting card data) and HIPAA (protecting the health information associated with the payment).

For payment forms on HIPAA-covered sites:

  • Use embedded hosted card fields — card data captured on the processor’s servers (not your WordPress server) minimizes both PCI scope and HIPAA exposure
  • Don’t display PHI in URL parameters — payment links that include patient identifiers in query strings expose PHI in server logs
  • BAA with your payment processor — required if the payment context involves PHI
  • HIPAA-compliant hosting for the page itself — even if card data doesn’t touch your server, the page that displays patient balance information must be on HIPAA-compliant hosting

ConvesioPay’s payment form uses Adyen’s embedded hosted fields — card data is tokenized on Adyen’s infrastructure. ConvesioPay + Convesio HIPAA hosting covers both layers.
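An added example (not ConvesioPay's code) of the second bullet above: the link a patient receives carries only an opaque, expiring token, and the patient and balance lookup happens on the server, so the URL, web server logs and referrer headers never contain PHI. The /pay/ path is an assumption, and get_patient_balance() is a hypothetical helper standing in for whatever practice system holds the balance.

```php
<?php
// Added example (not ConvesioPay's code). Assumptions: the payment page lives
// at /pay/, and get_patient_balance( $patient_id ) is a hypothetical helper
// that reads the balance from the practice management system.

const PAY_TOKEN_TTL = 15 * MINUTE_IN_SECONDS;

// Build the link to send to a patient. Only a random token goes in the URL;
// the token -> patient mapping lives server side and expires.
function pay_link_create( int $patient_id ): string {
    $token = bin2hex( random_bytes( 32 ) );                   // 256-bit, unguessable
    // Store the hash rather than the token, so reading the options table
    // alone does not yield a working link.
    set_transient( 'pay_' . hash( 'sha256', $token ), $patient_id, PAY_TOKEN_TTL );
    return add_query_arg( 't', $token, home_url( '/pay/' ) );
}

// Resolve the token on the payment page. Returns null if it is malformed,
// unknown, expired, or already used.
function pay_link_resolve( string $token ): ?int {
    if ( ! preg_match( '/^[0-9a-f]{64}$/', $token ) ) {
        return null;
    }
    $key        = 'pay_' . hash( 'sha256', $token );
    $patient_id = get_transient( $key );
    if ( false === $patient_id ) {
        return null;
    }
    delete_transient( $key );                                 // single use
    return (int) $patient_id;
}

// Payment page template: nothing identifying is read from the URL.
function pay_page_render(): void {
    $patient_id = pay_link_resolve( sanitize_text_field( wp_unslash( $_GET['t'] ?? '' ) ) );
    if ( null === $patient_id ) {
        wp_die( 'This payment link is invalid or has expired.', '', array( 'response' => 410 ) );
    }
    $balance = get_patient_balance( $patient_id );            // hypothetical helper
    printf( '<p>Amount due: $%s</p>', esc_html( number_format( $balance, 2 ) ) );
    // Mount the processor's hosted card fields below this line; card data is
    // entered into the processor's iframe and never reaches this server.
}

// For contrast, the anti-pattern the section warns against (constructed values):
// every one of these ends up in web server logs, browser history and analytics.
// add_query_arg( array( 'patient' => 'Jane Doe', 'mrn' => '48213', 'due' => '240.00' ), home_url( '/pay/' ) );
```

Because the token is deleted when it is first resolved, a page refresh shows the expiry message; if that is unacceptable for your patients, mark the token used on successful payment instead. Transients are the simplest server-side store; on a site with a persistent object cache, confirm that the TTL is honoured there as well.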


5. Email Notifications from Forms

Standard form notification emails are a significant HIPAA risk. When a patient submits an intake form and your form plugin emails you the submission, that email typically:

  • Travels over standard SMTP (unencrypted in transit between mail servers)
  • Is stored in your email provider’s servers (subject to their retention and security policies)
  • May be forwarded or replied to in ways that expose PHI

Solutions:

  • Use email notification plugins that only send an alert (“new form submission — log in to view”) without including PHI in the email body
  • Use a HIPAA-compliant email provider (Google Workspace with BAA, Microsoft 365 with BAA, or a healthcare-specific email service) for all staff email
  • Store submissions in the WordPress database only and access them through the admin interface
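An added example, not taken from any form plugin, of the first solution: a filter on WordPress core's wp_mail hook that replaces the body of intake notifications with an alert and a link to the admin screen. It assumes your form configuration prefixes the notification subject with "[Intake]" and that submissions are viewed at a hypothetical admin page with slug phi-submissions. The phi_notification_is_clean() helper is for a staging test: given the values a patient submitted, it confirms none of them survive in the outgoing mail.

```php
<?php
// Added example (not any form plugin's code). Assumptions: notification
// subjects start with "[Intake]", and submissions are viewed on a hypothetical
// admin page with slug "phi-submissions".

const PHI_NOTIFY_PREFIX = '[Intake]';

// wp_mail filter: keep the alert, drop the payload. Priority PHP_INT_MAX so it
// runs after any filter a form or SMTP plugin registers on the same hook.
function phi_strip_notification( array $mail ): array {
    if ( strpos( (string) ( $mail['subject'] ?? '' ), PHI_NOTIFY_PREFIX ) !== 0 ) {
        return $mail;                             // unrelated mail passes through untouched
    }
    $mail['subject']     = PHI_NOTIFY_PREFIX . ' New form submission';
    $mail['message']     = "A new form submission is waiting.\n"
        . 'Log in to view it: ' . admin_url( 'admin.php?page=phi-submissions' ) . "\n";
    $mail['attachments'] = array();               // uploaded files stay on the server

    // Drop any Content-Type header the plugin set for its HTML field table; the
    // replacement body is plain text. Headers may arrive as a string or an array.
    $headers = $mail['headers'] ?? array();
    if ( is_string( $headers ) ) {
        $headers = preg_split( '/\r\n|\r|\n/', $headers );
    }
    $mail['headers'] = array_values( array_filter( (array) $headers, function ( $h ) {
        return stripos( trim( (string) $h ), 'content-type:' ) !== 0;
    } ) );
    return $mail;
}
add_filter( 'wp_mail', 'phi_strip_notification', PHP_INT_MAX );

// Staging check: given the values a patient submitted, confirm none of them
// survive in the mail that would go out.
function phi_notification_is_clean( array $mail, array $submitted_values ): bool {
    $outgoing = ( $mail['subject'] ?? '' ) . "\n" . ( $mail['message'] ?? '' );
    foreach ( $submitted_values as $value ) {
        $value = trim( (string) $value );
        if ( strlen( $value ) > 2 && stripos( $outgoing, $value ) !== false ) {
            return false;
        }
    }
    return true;
}

// Constructed sample run:
// $draft = array( 'to' => 'frontdesk@example.com', 'subject' => '[Intake] Jane Doe',
//                 'message' => "Reason for visit: chest pain\nMedications: lisinopril",
//                 'headers' => 'Content-Type: text/html; charset=UTF-8' );
// phi_notification_is_clean( phi_strip_notification( $draft ),
//                            array( 'Jane Doe', 'chest pain', 'lisinopril' ) ); // true
```

Only mail that goes through wp_mail() passes this filter. A plugin that talks to an external mail API directly bypasses it entirely, which is exactly the kind of third-party data flow that needs its own BAA or should be switched off.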

6. The Hosting Layer: Why It’s the Foundation

For WordPress form plugins that store data in the local database (Gravity Forms, WPForms, Formidable), HIPAA compliance depends entirely on the hosting environment. If your hosting provider:

  • Provides a BAA covering your account
  • Encrypts data at rest on the server
  • Provides access controls and audit logging
  • Maintains HIPAA-required security controls

…then your locally-stored form data is covered under the hosting BAA.

Convesio’s HIPAA-compliant WordPress hosting is built for exactly this — healthcare organizations that need HIPAA-compliant infrastructure for their entire WordPress environment, including form data, payment processing, and everything in between.

For payment form compliance, see HIPAA Compliant Payment Processing: The Complete Guide. For invoicing compliance, see HIPAA Compliant Invoicing: How to Bill Patients Without Violating Privacy.

HIPAA-compliant forms start with HIPAA-compliant hosting. Convesio provides WordPress hosting built for healthcare organizations — BAA included. Add ConvesioPay for HIPAA-compliant patient payment forms. Talk to our team →

Updated on June 18, 2026
