Is Google Forms HIPAA Compliant?

Boobesh Ramalingam
Co-founder of Guesswork.co.

Google Forms is not HIPAA compliant by default. It can be used to collect PHI only if you are on a Google Workspace (Business or Enterprise) plan and have signed a Business Associate Agreement (BAA) with Google. The free consumer version cannot be used for collecting PHI. Even with a BAA, you are still responsible for configuring proper access controls and ensuring PHI is not exposed through public sharing settings. HIPAA compliance ultimately depends on both the product and how you use it.

HIPAA compliance: Product + Process

HIPAA compliance depends on the product (Google Forms) as well as on how that product is used (you):


  1. Product: the Google Forms edition you use must provide the safeguards needed to protect PHI, such as encryption of data in transit and at rest, audit logs, access controls and sharing permissions.

  2. Process: you must define the purpose of the form and identify and limit the PHI it collects. You should also define how the collected PHI is handled and who has access to it, and report any data breach.


You must also train the co-workers who handle PHI on the HIPAA regulations and on using the product in a way that keeps you compliant.

How to make Google Forms HIPAA compliant?


Step 1: Upgrade to a HIPAA-eligible Google Workspace plan

Google Forms created using a personal account (@gmail.com) cannot be made HIPAA compliant, because Google does not offer a BAA for consumer accounts. You can upgrade to a paid Google Workspace plan that supports HIPAA compliance, such as Business Starter, Business Standard, Business Plus, or any Enterprise plan. The free and individual editions do not qualify.


Step 2: Sign Google's Business Associate Agreement (BAA)

If you subscribe to the Google Workspace platform, sign the Business Associate Addendum with Google and set up access control for your accounts to meet HIPAA requirements. To review and accept the BAA:


  1. Log in to the Admin console using the administrator account for your Google Workspace

  2. In the Admin console, click on the menu icon > click Account > click Account settings

  3. In the Account settings page, click Legal and Compliance > click Security and Privacy Additional Terms

  4. Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to review the amendment

  5. Click Review and Accept > answer all three questions to confirm that you are a HIPAA covered entity or Business associate of the covered entity

  6. To accept the HIPAA BAA, click OK.


Step 3: Configure your forms for the HIPAA Privacy Rule

The HIPAA Privacy Rule outlines the permitted uses and disclosures of protected health information (PHI). When using Google Forms to collect PHI, you should follow these steps:


  • Limit PHI collection. You must set up your Google Forms to collect only the minimum necessary PHI. You should avoid asking for sensitive information unless it is required for the specific purpose of the form.

  • Set data retention and deletion rules. If you must collect sensitive patient data, establish clear data retention policies and procedures for the collected PHI. Ensure that the data is permanently removed from Google Forms and the linked Google Sheets when it is no longer needed.

  • Provide a notice of privacy practices. Provide a notice that informs individuals of their privacy rights, how they may exercise those rights, and how their medical information may be used and disclosed. You can add a section containing this notice to the Google Form itself, or publish it on your website and link to it from the Google Forms used to collect PHI.

  • Get consent & authorization. Set up your Google Forms to obtain consent for the use and disclosure of PHI to carry out treatment, payment and health care operations.


Step 4: Configure your forms for the HIPAA Security Rule

The HIPAA Security Rule defines the administrative, physical and technical safeguards to protect the PHI. When using Google Forms to collect PHI, you should follow these steps:


  • Use individual logins and MFA. Implement user authentication and access controls to prevent unauthorized individuals from accessing PHI. Require each team member to sign in with their own account and turn on two-step verification. Never use a shared login, or system access and activity cannot be tracked by user.

  • Implement access controls. Share your Google Forms and the linked Google Sheets only with authorized individuals to restrict access to the collected PHI. Because Google Sheets, unlike Google Forms, provides granular access controls, share collected data with your team through the linked Sheet and set up the appropriate user authentication, permission levels and access restrictions there.

  • Keep PHI out of titles and file names. Never put patient information in the form's title or in the name of the linked Sheet, since these are easy to expose accidentally.

  • Turn off response receipts. The Security Rule does not expressly prohibit the use of email for sending e-PHI, but it recommends implementing policies and procedures to restrict access. Since the Google Forms response-receipt feature does not let you customize the email content (the receipt contains the full response), enable it only if it is absolutely required.

  • Never prefill PHI. Google Forms allows you to prefill answers by passing values via URL parameters. Never use this feature to prefill PHI, since the values are exposed in the URL itself.
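A defender-side check for the prefill problem above, as an added example that is not part of the original page or of any Google or Formesign tooling: Google Forms prefill links carry each answer as an `entry.<id>` query parameter, so any such link that turns up in a log, ticket or email body is a candidate PHI exposure. The sample log lines and the form id are constructed placeholders.

```python
"""Detect Google Forms prefill links that carry answer values in the URL.

Google Forms prefill links put each answer in an ``entry.<id>`` query
parameter, so any such link found in a log, ticket or email body is a
candidate PHI exposure. Constructed example, not code from the original
page; the sample log and form id below are made up.
"""
import re
from urllib.parse import parse_qsl, urlsplit

FORM_URL_RE = re.compile(r"https://docs\.google\.com/forms/\S+")
ENTRY_PREFIX = "entry."


def prefilled_entries(url: str) -> dict[str, str]:
    """Return the entry.<id> -> value pairs carried by a Google Forms URL."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.startswith(ENTRY_PREFIX)}


def find_prefill_exposures(text: str) -> list[dict]:
    """Scan free text (a log line, an email body) for prefill links.

    Each finding records the form path and the prefilled field ids, not
    the values, so the report itself does not re-copy the exposed data.
    """
    findings = []
    for match in FORM_URL_RE.finditer(text):
        # Trim trailing punctuation that commonly follows a pasted URL.
        url = match.group(0).rstrip(".,;)>\"'")
        entries = prefilled_entries(url)
        if entries:
            findings.append({
                "form": urlsplit(url).path,
                "fields": sorted(entries),
                "prefilled_values": len(entries),
            })
    return findings


# Constructed sample: a plain share link, then a prefill link with two answers.
SAMPLE_LOG = """\
2024-01-02 sent intake link https://docs.google.com/forms/d/e/FORM_ID_PLACEHOLDER/viewform
2024-01-02 sent intake link https://docs.google.com/forms/d/e/FORM_ID_PLACEHOLDER/viewform?usp=pp_url&entry.1111=Jane+Doe&entry.2222=jane%40example.com
"""

if __name__ == "__main__":
    for finding in find_prefill_exposures(SAMPLE_LOG):
        print(f"prefill link for {finding['form']}: fields {finding['fields']}")
```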


Step 5: Train your workforce

Compliance is ongoing, not a one-time setup. Train everyone who handles PHI on the HIPAA rules and on using these forms correctly: setting appropriate permissions and visibility, keeping PHI out of titles and prefill links, and knowing how to report a suspected breach. Refresh that training periodically.

Gaps that remain even with a signed BAA

You've signed the BAA, configured your forms for the Privacy and Security Rules, and trained your staff. Even then, most of those safeguards are workarounds: you give features up rather than securing them, which limits what you can build and degrades the patient experience. Several gaps remain that Google Forms cannot close on its own:


  • Lost functionality, not secured functionality. Turning off receipts and avoiding prefill protects PHI by removing useful features. There is no native way to email a response or prefill a known patient's details without exposing PHI.

  • No field-level permissions. Access is all-or-nothing: anyone with edit access to the form or its linked Sheet sees every response, so the "minimum necessary" standard is hard to enforce.

  • No e-signature or consent capture. There is no built-in way to collect a signed acknowledgment of privacy practices or authorization for use and disclosure.

  • No versioning or patient PDF. There is no audit trail for edited responses, and no patient-facing PDF copy of what was submitted.

  • Add-ons sit outside Google's BAA. Google's BAA does not cover Marketplace add-ons, so any add-on that touches PHI must provide its own BAA with your organization.


Clinical workflows Google Forms can't handle

Beyond compliance, these show up constantly in healthcare and have no native solution in Google Forms: 


File uploads force patients to sign in. Google Forms' file-upload question requires the respondent to sign in with a Google account, so collecting an insurance card, prescription, or photo ID means every patient needs a Google login, which many do not have or will not use. 


Authorizations cannot be scoped per patient. A release or authorization is usually valid for a specific person and a set period, but Google Forms cannot scope a form that way. Staff end up copying the form for each patient and naming the copy after them, putting the patient's name (PHI) in the file title, the exact practice the Privacy Rule warns against.


No clinical scoring. Validated assessments like the PHQ-9, GAD-7, AUDIT etc. weight each answer and map the total to a severity band. Google Forms offers only right/wrong quiz grading, not weighted scoring, so it cannot calculate these results and staff are left to calculate them manually in Google Sheets.


No data shared across multiple forms. Intake usually means several forms in sequence (patient intake, an assessment, and a release authorization), and Google Forms cannot pass data between them. Patients re-enter the same name, email, and details on each one, which wastes time and invites errors.


No scheduling or reminders. Some assessments must be repeated on a schedule (a PHQ-9 every two weeks, for example) to track progress over time. Google Forms cannot send a form on a recurring cadence or chase patients who do not respond, so staff have to remember to resend it and follow up by hand. 


Closing these gaps is where a purpose-built tool comes in. Formesign offers two ways to do it, depending on whether your forms already live in Google Forms or you are starting fresh. Both options are backed by our own BAA and SOC 2 Type II attestation.


HIPAA-compliant Google Forms with Formesign

There are two methods, and they suit different teams.

  1. Already built your forms in Google Workspace with a BAA and trained staff on them? Add the Formesign HIPAA form add-on and keep working where you are.

  2. Starting fresh, or built your form with a personal account? Import the Google Form into Formesign's HIPAA-compliant workspace via its URL.

Method 1: Formesign - HIPAA form add-on

Your form stays in Google Forms; the add-on bolts compliance onto it. Mark fields as PHI to mask them in notification emails, Sheets exports, and prefill links, set field-level permissions (editable, read-only, or hidden), collect e-signatures for consent and authorization, and keep versioned audit logs of response edits, closing the gaps above without changing your workflow.


  1. Install the Formesign - HIPAA form add-on

  2. Mark fields as PHI: Open your form in Google Forms > click the add-on icon > select Formesign - HIPAA form > click Check HIPAA compliance and follow the prompts to complete the check.

  3. Get consent: Click the add-on icon > select Formesign - HIPAA form > click Add e-signature and follow the prompts to add a signature option to your form for consent and authorization.

  4. Collect responses: Use the Formesign share link to collect responses from your patients, or use the email option that builds a secure prefill automatically, filling in the patient's name and email without exposing them in the URL.


Method 2: Import your Google Form into Formesign

Paste your existing Google Forms URL into Formesign and the form is rebuilt inside Formesign's HIPAA-compliant, BAA-backed workspace, with PHI masking, field permissions, e-signatures, and audit logs included from the start. Best when you are setting up new intake or consent forms, or have built your form with a personal account.


  1. New form: create your form using Formesign's prebuilt templates and customize it to your needs.

  2. Import form: open the Formesign - HIPAA form import option > paste your Google Forms URL, click Make my form compliant, and follow the prompts to create your HIPAA compliant form in Formesign.

  3. Collect responses: use the Formesign share link to collect responses from your patients, or use the email option that builds a secure prefill automatically, filling in the patient's name and email without exposing them in the URL.

Why Formesign

Whichever route you choose, Formesign also closes the clinical-workflow gaps above:


Patient file uploads without a login. Formesign converts the Google Forms file-upload field into an HTML upload, so patients can attach insurance cards, prescriptions, or ID without a Google account. Files are stored in Formesign's HIPAA-compliant Google Cloud infrastructure by default, with the option to sync them to your own Google Drive (keep that Drive under your Workspace BAA so the synced files stay covered). 


Dated, per-patient authorizations from one form. Use formulas to set the authorization period automatically, TODAY() for the start date and TODAY().add(2, "years") for the expiry, and add fields that capture each patient's details at submission. A single form then serves every patient, each submission carrying its own validity window. No copying a form per patient, and no patient names in file titles.


Automatic assessment scoring. Assign weighted points to each answer and Formesign sums them into a total and maps it to a severity band, scoring instruments like the PHQ-9, GAD-7, and AUDIT without manual tallying.


Connected forms, entered once. Link your intake forms so that submitting one shows a thank-you message with a link to the next, and the shared answers carry forward automatically instead of being re-typed. Overlapping details like name and email are passed through secure prefill links, so they are never exposed in the URL. 


Scheduled forms and reminders. Set a form to go out on a recurring cadence (daily, weekly, or monthly) and Formesign emails the link automatically each cycle, with follow-up reminders to anyone who has not completed it in time. This makes periodic, measurement-based assessments like a biweekly PHQ-9 run on their own.

Comparison

At a glance, here is how Google Forms compares with the Formesign HIPAA form across the compliance safeguards and clinical workflows covered above.


Capabilities                            Google Forms       Formesign
HIPAA BAA                               No                 Yes
Field-level permissions                 No                 Yes
Mask PHI in emails & exports            No                 Yes
Response-level audit log                File-level only    Yes
E-signatures                            No                 Yes
Response & signed PDFs                  No                 Yes
File upload without login               No                 Yes
Assessment scoring (PHQ-9, GAD-7 etc)   No                 Yes
Connected forms & secure prefill        No                 Yes
Scheduled forms & reminders             No                 Yes



Frequently Asked Questions


Is Google Forms HIPAA compliant by default?

No. It can be made compliant only on a paid Google Workspace plan with a signed BAA and correct configuration. HIPAA compliance ultimately depends on both the product and how you use it.


Can Google Forms be made HIPAA compliant?

Yes. You need a Google Workspace plan that supports HIPAA (Business Starter or above, or Enterprise), a signed Business Associate Agreement accepted in the Admin console, and proper configuration of access controls, sharing settings, and staff training to meet HIPAA requirements.


Is the free version of Google Forms HIPAA compliant?

No. Google does not offer a BAA for free consumer (gmail.com) accounts, so the free version cannot lawfully be used to collect, store, or transmit PHI.


Can I use Google Forms for patient intake forms?

Only under a signed BAA with properly configured safeguards. Because patient intake almost always involves PHI and Forms lacks field-level access controls and response-level audit logs, many organizations add a dedicated add-on or use a purpose-built tool for intake.


Is emailing Google Forms responses HIPAA compliant?

Not by default. Notification and receipt emails contain the full response, including any PHI, so if one reaches a mailbox not covered by a BAA, that is an impermissible disclosure. To email responses safely, mask or remove PHI from the message, or disable email notifications entirely.

