
Do WordPress Forms Need to Be HIPAA Compliant?

If your WordPress form collects any patient health information, the answer is yes. Here's how to build a HIPAA compliant contact form, where Contact Form 7 falls short, and which plugins and hosting actually keep you compliant.

When a WordPress form falls under HIPAA

A WordPress form needs to be HIPAA compliant whenever it collects, transmits, or stores protected health information (PHI) on behalf of a covered entity or business associate. Appointment requests, patient intake forms, "describe your symptoms" contact forms, refill requests, and telehealth questionnaires all qualify — because they tie an identifiable person to a health detail.

A form is not automatically in scope just because it lives on a healthcare website. A newsletter signup that captures only an email address, or a brochure download that asks for a name, isn't PHI on its own. The dividing line is simple: the moment a submission links a person to their health, condition, treatment, or payment for care, the form, and everything it touches (the database, the notification email, any CRM or spam-filter integration, the backups), must satisfy HIPAA's Security and Privacy Rules. Judge the combination of fields and context, not the field list alone: a bare email address submitted from a "request an appointment for this condition" page is already that link.

What makes a HIPAA compliant form

A compliant form is a chain of safeguards — break one link and the whole form is non-compliant.

Encryption in Transit

Every submission travels over TLS/HTTPS, so PHI can't be read or altered between the patient's browser and your server. Enforce it site-wide: redirect HTTP to HTTPS and send an HSTS header. A form page reached over HTTP, or a form whose action URL is HTTP, sends PHI in the clear no matter what the plugin does.

Encryption at Rest

Stored entries are encrypted in the database rather than saved as plaintext rows that any database dump, backup, or SQL injection would expose. Keep the key out of the database and, ideally, out of wp-config.php, since a key stored beside the data it protects adds nothing. Encryption at rest limits what leaks from the storage; it does not stop a logged-in user with the right to open the plugin's admin screen from reading decrypted entries, which is what the access controls below are for.

No Plaintext Email

Standard form plugins email every submission in the clear. Transport between mail servers may or may not be encrypted, and the copy that lands in the inbox, the sent folder, and the mailbox backups is plaintext. A compliant form suppresses PHI in notifications (an alert that says only "a new submission is waiting" with no field values) or delivers it only over an encrypted channel whose provider has signed a BAA.

Access Controls & Unique Logins

Only authorized staff, each with their own credentials, can view submissions. A shared "frontdesk" login fails the Security Rule's unique user identification requirement (45 CFR 164.312(a)(2)(i)) and makes the audit log below meaningless, because it cannot say which person read a record.

Audit Logging

A record of who viewed or exported each submission, and when, retained long enough that you can answer "who accessed this PHI?" during an audit or a breach investigation.

Signed BAAs

Every vendor in the chain that stores, transmits, or can access PHI must sign a Business Associate Agreement: the form tool or service, any integration it forwards submissions to (CRM, email provider, spam-filtering service), and your host.

Is Contact Form 7 HIPAA compliant?

No — Contact Form 7 is not HIPAA compliant by default, and it's the single most common reason a healthcare WordPress site is quietly out of compliance. Contact Form 7 is a fantastic free form builder, but on its own it:

  • Emails every submission in plaintext to your inbox. PHI leaves the server as ordinary email, with no end-to-end encryption, and then sits in a mailbox that usually has no BAA behind it.
  • Can store entries (via the companion Flamingo plugin or similar add-ons) in the database as plaintext rows.
  • Comes with no BAA. The project is open-source software whose developer never touches your data, so there is no business associate to sign one; the BAA obligation falls on whoever does handle the submissions: your host, your mail provider, and any service they are forwarded to.
  • Has no built-in access logging and no role-based restriction on who reads submissions; anyone who can open the mailbox or the WordPress admin sees everything.

You can push Contact Form 7 toward compliance by serving the whole site over HTTPS (HTTP redirected, HSTS enabled), disabling the mail notification or stripping every PHI field from it, encrypting any stored entries with a key that is not kept alongside the database, restricting who can read them to named accounts and logging each read, and running everything on HIPAA compliant hosting with a signed BAA. That is a lot of hardening, and every later add-on (Flamingo, a CRM connector, a spam-filtering service that sends submission content to a third-party API) can quietly undo it. For most practices a purpose-built HIPAA form solution is safer than retrofitting Contact Form 7.
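To show what the code-level part of that retrofit actually involves, here is an added example, not code from this page or from the Contact Form 7 project: a must-use plugin that stops Contact Form 7 from emailing submissions, stores each submission encrypted with libsodium, and gates reads behind a dedicated capability with an audit row written before every read. It assumes, none of which comes from the original text, a base64-encoded 32-byte key in the environment variable HIPAA_FORM_KEY (set in the PHP-FPM or web-server environment rather than in wp-config.php), two custom tables named cf7_phi_submissions and cf7_phi_audit, and a hypothetical capability read_phi_submissions. The hooks wpcf7_skip_mail and wpcf7_before_send_mail, and WPCF7_Submission::get_posted_data(), are real Contact Form 7 APIs.

```php
<?php
/**
 * Plugin Name: CF7 PHI hardening (added example)
 *
 * Added example, not part of this page or of Contact Form 7.
 * Install as wp-content/mu-plugins/cf7-phi-hardening.php.
 *
 * Assumptions not taken from the original text:
 *  - HIPAA_FORM_KEY: base64 of a 32-byte key, supplied through the process
 *    environment so that a copy of the database or of wp-config.php alone
 *    does not yield readable PHI.
 *  - Tables {prefix}cf7_phi_submissions and {prefix}cf7_phi_audit.
 *  - Capability read_phi_submissions, granted to a dedicated staff role.
 */

defined( 'ABSPATH' ) || exit;

/** Load the key from the environment and fail closed if it is unusable. */
function cf7_phi_key(): string {
    $raw = getenv( 'HIPAA_FORM_KEY' );
    $key = ( $raw === false ) ? '' : (string) base64_decode( $raw, true );
    if ( strlen( $key ) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES ) {
        // A form that cannot encrypt must not accept PHI at all.
        wp_die( 'HIPAA_FORM_KEY is missing or not 32 bytes; refusing to accept PHI.' );
    }
    return $key;
}

/** Authenticated encryption (XSalsa20-Poly1305). Output is base64(nonce || ciphertext). */
function cf7_phi_encrypt( string $plaintext, string $key ): string {
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    return base64_encode( $nonce . sodium_crypto_secretbox( $plaintext, $nonce, $key ) );
}

/** Returns null on truncation, tampering, or a wrong key rather than garbage. */
function cf7_phi_decrypt( string $blob, string $key ): ?string {
    $bin = base64_decode( $blob, true );
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ( $bin === false || strlen( $bin ) < $min ) {
        return null;
    }
    $nonce = substr( $bin, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $pt    = sodium_crypto_secretbox_open( substr( $bin, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ), $nonce, $key );
    return ( $pt === false ) ? null : $pt;
}

/** Idempotent schema setup and capability grant (run once in a real deployment). */
add_action( 'init', function () {
    global $wpdb;
    $wpdb->query( "CREATE TABLE IF NOT EXISTS {$wpdb->prefix}cf7_phi_submissions (
        id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY, form_id BIGINT UNSIGNED NOT NULL,
        created_at DATETIME NOT NULL, ciphertext TEXT NOT NULL)" );
    $wpdb->query( "CREATE TABLE IF NOT EXISTS {$wpdb->prefix}cf7_phi_audit (
        id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY, submission_id BIGINT UNSIGNED NOT NULL,
        user_id BIGINT UNSIGNED NOT NULL, ip VARCHAR(45) NOT NULL, accessed_at DATETIME NOT NULL)" );
    // Granted to 'administrator' here only for brevity; use a dedicated clinical-staff role.
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'read_phi_submissions' );
    }
} );

/** Step 1: never send the submission by email. The visitor still sees the success message. */
add_filter( 'wpcf7_skip_mail', '__return_true' );

/** Step 2: encrypt and store the posted fields at the point where CF7 would have mailed them. */
add_action( 'wpcf7_before_send_mail', function ( $contact_form, &$abort, $submission ) {
    global $wpdb;
    if ( ! $submission ) {
        return;
    }
    // get_posted_data() already excludes CF7's own "_wpcf7*" control fields.
    $fields = $submission->get_posted_data();
    $wpdb->insert( $wpdb->prefix . 'cf7_phi_submissions', array(
        'form_id'    => $contact_form->id(),
        'created_at' => current_time( 'mysql', true ),
        'ciphertext' => cf7_phi_encrypt( wp_json_encode( $fields ), cf7_phi_key() ),
    ) );
}, 10, 3 );

/** Step 3: a read requires the capability and is written to the audit table before decryption. */
function cf7_phi_read( int $submission_id ): ?array {
    global $wpdb;
    if ( ! is_user_logged_in() || ! current_user_can( 'read_phi_submissions' ) ) {
        return null;
    }
    $wpdb->insert( $wpdb->prefix . 'cf7_phi_audit', array(
        'submission_id' => $submission_id,
        'user_id'       => get_current_user_id(),
        'ip'            => (string) ( $_SERVER['REMOTE_ADDR'] ?? '' ),
        'accessed_at'   => current_time( 'mysql', true ),
    ) );
    $blob = $wpdb->get_var( $wpdb->prepare(
        "SELECT ciphertext FROM {$wpdb->prefix}cf7_phi_submissions WHERE id = %d", $submission_id ) );
    $json = ( $blob === null ) ? null : cf7_phi_decrypt( $blob, cf7_phi_key() );
    return ( $json === null ) ? null : json_decode( $json, true );
}
```

Two caveats follow from the page's own list. Flamingo listens on a different Contact Form 7 hook and would still save a plaintext copy, so it must not be installed alongside this; and the audit row is written before the decrypt so that a failed or unauthorized attempt is still recorded. None of this replaces the host's BAA: the database, its backups, and the process environment holding the key all live on the hosting platform.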

HIPAA compliance plugins for WordPress

There is no single "HIPAA plugin" that makes WordPress compliant by activation. Compliance is a stack, not a switch. For forms specifically, look for a WordPress HIPAA compliance plugin or service that offers:

  • BAA coverage from the vendor. Some third-party add-ons for Gravity Forms and Formidable Forms, and dedicated HIPAA form services that embed into WordPress, will sign a BAA; get it in writing before the first PHI is collected.
  • Encrypted storage for submissions, with PHI never written to logs or plaintext email.
  • Access controls and audit trails so you can prove who read each submission.
  • HTTPS enforcement across the whole site (HTTP redirected, HSTS sent), not just the form page; a form embedded on an HTTP page, or one that posts to an HTTP endpoint, leaks the submission.

Whatever plugin you choose, it only counts if the website underneath runs on a compliant platform. The host holds the database, the backups, and the server logs, so a perfectly configured form on non-compliant hosting is still a HIPAA violation waiting to happen.

Standard WordPress form vs. HIPAA compliant form

The difference between a form that looks fine and a form that holds up to an audit.

Safeguard                                    Standard WordPress form     HIPAA compliant form
Encryption in transit (HTTPS/TLS)            Available, not enforced     Enforced site-wide
Encrypted stored submissions                 Not included                Included
No PHI in plaintext email                    Not included                Included
Access controls & unique logins              Not included                Included
Audit logging of submission access           Not included                Included
Signed Business Associate Agreement (BAA)    Not included                Included
HIPAA compliant hosting underneath           Not included                Included

HIPAA compliant WordPress forms FAQ

Do WordPress forms need to be HIPAA compliant?
Yes — if a WordPress form collects, transmits, or stores protected health information (PHI), it must be HIPAA compliant. That includes appointment-request forms, patient intake forms, contact forms that ask about symptoms or conditions, and any form a covered entity or business associate uses to gather identifiable health data. A plain marketing form that only collects a name to download a brochure is not in scope, but the moment health context is attached, the form falls under HIPAA's Security and Privacy Rules.
Is Contact Form 7 HIPAA compliant?
No. Contact Form 7 is not HIPAA compliant out of the box. By default it emails submissions in plaintext, can log entries in the database unencrypted, and its developer will not sign a Business Associate Agreement (BAA). You can move toward compliance by pairing it with HTTPS, disabling plaintext email notifications, encrypting stored entries, restricting admin access, and routing data only to BAA-covered services — but Contact Form 7 alone does not make a form HIPAA compliant.
What makes a HIPAA compliant contact form?
A HIPAA compliant contact form encrypts data in transit (TLS/HTTPS) and at rest, avoids sending PHI in plaintext email, enforces access controls and unique logins for anyone who can read submissions, keeps an audit trail of who accessed data, and is backed by a signed BAA from every vendor that touches the data — including the form plugin or service and the hosting provider. The website itself must also run on HIPAA compliant hosting.
Which WordPress HIPAA compliance plugin should I use for forms?
There is no single official HIPAA plugin. Compliance comes from a combination: a form tool whose vendor signs a BAA (some Gravity Forms and Formidable Forms add-ons, or a dedicated HIPAA form service embedded in WordPress), an encryption/SSL layer, and HIPAA compliant hosting underneath. Choose a form solution that supports encrypted storage, BAA coverage, and the ability to suppress PHI in email notifications, then host it on a compliant platform with a signed BAA.

Related: HIPAA compliant WordPress hosting, best HIPAA compliant email, and becoming HIPAA compliant.

Put your forms on compliant ground

We host healthcare WordPress sites on a HIPAA compliant platform with a signed BAA — the foundation every compliant form needs. Free migration included.