A HIPAA compliant form securely collects, stores, and transmits Protected Health Information (PHI) in line with HIPAA’s privacy and security rules. It includes safeguards like encryption, access control, and consent notices.
7 Mins Read | December 17, 2025
How to Create HIPAA Compliant Forms for Your Healthcare Practice (with Templates)
From understanding HIPAA rules to ready-to-use HIPAA compliant form templates, everything your practice needs to stay protected.

What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. national standard put in place to protect the Protected Health Information (PHI) of US residents. PHI is any information that can identify a patient and relates to health, treatment, or payment, for example a full name, Social Security number, medical record number, or insurance ID (detailed list below).
HIPAA lays out privacy and security rules that govern (a) who can access and share PHI and (b) how digital patient data is stored, transmitted, and accessed.
In this blog, we help you and your healthcare practice team:
- Understand the technicalities and legalities of HIPAA
- Learn the 18 identifiers that turn health information into ePHI
- Create forms for your practice that follow HIPAA rules
- Get access to ready-to-use HIPAA compliant form templates
- Run through a HIPAA compliance validation checklist before a form goes live
Why HIPAA compliance is so important for healthcare practices
1 in 2 patients fear data breaches in the US, and only 4 in 10 trust healthcare providers with their information. So, don’t think of HIPAA regulations as red tape or legal jargon. This level of compliance protects your patients’ privacy and your practice’s reputation.

A HIPAA compliant healthcare form:
- Reduces the risk of accidental disclosure
- Supports safe digital workflows
- Demonstrates professionalism to patients and partners
- Prevents costly investigations
Penalties
We can’t talk about HIPAA and not mention what violations can lead to. Yes, they’re major. HIPAA violations can lead to civil enforcement actions, government audits, and, in the more serious cases, criminal charges. The level of penalty depends on a few factors, which we cover in detail in our article Penalties for HIPAA Non Compliance, but fines range anywhere from $137 to $68,928 per penalty.
What Makes a Form HIPAA Compliant
A HIPAA compliant form is any paper or digital form that collects, stores, transmits, or otherwise touches PHI or ePHI (electronic Protected Health Information) while meeting HIPAA requirements. Compliance goes beyond the fields on the form: a compliant form is defined by the controls around it.
Those controls fall into three safeguard categories under the HIPAA Security Rule:
Administrative safeguards
Policies that govern how PHI/ePHI is managed within your healthcare practice administratively:
- Clear intake and consent policies that define how patient data is collected and shared.
- Role-based access and staff training to ensure safe handling of PHI and ePHI.
- Incident response and breach plans on how to detect and handle data breaches.
- Signed Business Associate Agreements (BAAs) to ensure all vendors handling PHI are HIPAA-compliant.
Physical safeguards
Controls that protect the physical systems and locations where PHI / ePHI is stored or accessed:
- Secure storage for paper forms (locked cabinets)
- Controlled access to workstations and server rooms where ePHI is stored
- Policies and secure disposal of devices that store ePHI, such as hard drives and USBs.
Technical safeguards
Technology protections for ePHI:
- Encryption of ePHI data in transit and at rest
- Access Control through unique user IDs and authentication so only authorized personnel can access ePHI
- Audit controls like logs and activity monitoring to record access to ePHI
- Integrity controls to ensure ePHI is not altered or destroyed in an unauthorized manner.
- Secure integrations (EHR, patient portals) with signed BAAs
Additionally, the HIPAA Privacy Rule defines when and how PHI can be used or shared, and this is where consent and patient rights come into play. It includes:
- Patient Authorization: Before sharing or using PHI for non-treatment purposes (like marketing, research, or external data sharing), a provider must obtain the patient’s written consent.
- Notice of Privacy Practices (NPP): Patients must be informed, in clear language, about how their data will be used, stored, and shared.
- Right to Access and Amend: Patients have the right to view their medical records and request corrections if something is inaccurate.
- Minimum Necessary Rule: Even with consent, only the minimum necessary amount of PHI should be disclosed for a given purpose.
- Revocation of Consent: Patients can withdraw their authorization at any time, and the provider must respect it moving forward.
All of this comes together to make an online form HIPAA compliant, and an organization a HIPAA compliant organization.
Detailed list of what constitutes ePHI
If you’ve been wondering what ePHI is, here’s the official list of 18 identifiers that make health information individually identifiable under HIPAA, meaning it becomes Protected Health Information (PHI):
- Name
- Address (any geographic subdivision smaller than a state, including street, city, county, or ZIP code)
- All elements of dates (except year) related to an individual — birth date, admission date, discharge date, death date, etc.
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers (including license plate numbers)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (like fingerprints, voiceprints)
- Full-face photos and comparable images
- Any other unique identifying number, code, or characteristic that can identify the individual
Examples of forms that need to be HIPAA compliant
Any form that collects the above, or can be linked to the aforementioned list of Protected Health Information (PHI) must be HIPAA compliant. As a healthcare practice, you obviously deal with countless forms that collect this data. Here are some common examples:
- Patient intake/registration forms
- Medical history and screening forms
- Consent and authorization forms
- Telehealth consent and documentation forms
- Referral forms and inter-provider communications
- Billing/payment authorization forms
- Patient feedback/satisfaction surveys that include health details
- Employee health or incident forms that include PHI
If a form collects no identifiable health-related data and cannot be linked to a person, like a survey asking, “How was your visit today?” without requesting personal details or health information, then it isn’t covered by HIPAA. But be cautious: small changes can make a form fall under HIPAA.
How to create a HIPAA compliant form: a 5-step guide
Now let’s get into the practical side: how to actually create a HIPAA-compliant online form for your healthcare practice. First things first, you won’t be able to do this without a HIPAA form builder.

Step 1. Choose a HIPAA-ready platform and sign a BAA
Use form builders like MakeForms that explicitly support HIPAA, and will sign a BAA. Yes, if you use an external vendor for your data collection, like a form builder, cloud storage, or email gateway, it’s part of the HIPAA regulations to get a signed BAA before sharing ePHI with them.
Step 2. Ensure consent and privacy notices are clearly visible
- Add a short privacy notice explaining how the data will be used and who will access it.
- Add consent language where required
- Provide an option for anonymous submission if appropriate.
Here’s a sample privacy line:
“By submitting this form you consent to [Practice Name] collecting and storing the health information provided for treatment, payment, and healthcare operations. Your information will be stored securely and accessed only by authorized staff.”
HIPAA form builders like MakeForms make it very easy to add these checkboxes to your forms. We also have secure healthcare form templates that are HIPAA compliant and ready to be deployed.
Step 3. Secure submission and storage
- For electronic forms: enforce HTTPS, enable encryption in transit and at rest, and require authentication for staff access. (If you use a form builder that is HIPAA compliant, like MakeForms, this is all built in.)
- For paper forms: use locked, access-controlled storage and limited distribution.
Step 4. Integrate with workflow securely
If form responses move into an EHR, CRM, or billing system, use secure, documented integrations and ensure the receiving system is covered by a BAA. Your HIPAA compliant form builder should ideally have this feature available. (We certainly do, at MakeForms.)
Step 5. Test and review
Run a privacy/security test: submit test PHI (dummy data, never a real patient’s) and review the access logs, check encryption settings, and walk through your breach response steps. Review forms annually or whenever laws or processes change. (If you use a form builder that is HIPAA compliant, like MakeForms, you don’t need to worry about encryption settings.)
Ready-to-Use HIPAA-Compliant Form Templates
To make things easier, we’ve got 3 HIPAA compliant form templates you can customize for your healthcare practice right away.
1) HIPAA compliant Patient Intake Form
2) HIPAA compliant Telehealth Consent Form
3) HIPAA compliant Medical History Form
1. Patient Intake Form (HIPAA Compliant Template)
Purpose: To collect basic patient details for registration and treatment.
Safeguards included: Consent notice, minimal PHI collection, privacy statement.
2. Telehealth Consent Form (HIPAA Compliant Template)
Purpose: To obtain patient consent for telemedicine services.
Safeguards included: Consent clause, encryption statement, patient rights.
3. Medical History Form (HIPAA Compliant Template)
Purpose: To collect relevant medical background for safe diagnosis and treatment.
Safeguards included: Limited PHI fields, privacy statement, explicit consent.
HIPAA Compliant forms ready to deploy? WAIT.
Before you get ready to put a form into circulation, it’s best practice to go through a quick HIPAA Compliance Validation Checklist that we’ve made just for you.
First, the good news - a LOT of the safeguards are actually built into form builders like MakeForms. So this part of the validation checklist you don’t even need to worry about.
What MakeForms Handles for You
- Encryption: All form data is encrypted in transit (TLS) and at rest.
- Access controls: Supports role-based access, MFA, and user authentication.
- Audit logs: Tracks form access and activity for monitoring and compliance.
- Backups: Secure, encrypted backups with regular restore testing.
- Infrastructure security: HIPAA-compliant servers, patch management, and vulnerability monitoring.
- BAA availability: MakeForms provides a Business Associate Agreement upon request.
Here’s What You Need to Check as an Admin
As healthcare form creators and admins, you are still responsible for how PHI is collected, shared, and stored within your organization. So this is your compliance checklist.
- Data minimization: Ensure the form is only collecting PHI you actually need.
- Privacy and consent language: Ensure privacy notices, consent checkboxes, and links to your HIPAA policy are clearly visible.
- Access permissions: Adjust who can create, edit, and view form responses before the form goes live.
- Secure integrations: Only connect HIPAA-compliant tools or those covered by a BAA to your workflow.
- Data retention: Set clear rules for how long you keep PHI and how it’s deleted.
- Staff awareness: Regularly train team members on how to handle PHI and recognize breaches.
- Incident response: Know the steps and contacts for reporting any potential data exposure.
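As an added example (not MakeForms code and not part of the original article), here is a small Python lint that runs the admin checklist above together with Steps 2 and 3 of the guide against a form definition before it goes live: it flags fields whose labels fall under the HIPAA identifier list but have no documented purpose, a missing privacy notice, an optional consent checkbox, and a non-HTTPS submission endpoint. The form dictionary layout, the label patterns and the sample form are all assumptions constructed for this example.

```python
import re
# Constructed mapping from HIPAA identifier categories to field-label patterns (assumption: English labels).
PHI_PATTERNS = {
    "name": r"\b(first|last|full)?\s*name\b",
    "address": r"\b(street|city|county|zip|postal)\b|(?<!email )(?<!ip )address",
    "date": r"\b(dob|date of birth|birth ?date|admission|discharge)\b",
    "phone": r"\b(phone|telephone|fax|mobile)\b",
    "email": r"\bemail\b",
    "ssn": r"\b(ssn|social security)\b",
    "mrn": r"\b(mrn|medical record)\b",
    "insurance": r"\b(insurance|beneficiary|member id)\b",
    "ip": r"\bip address\b",
}

def classify_field(label):
    """Return the identifier categories a field label falls under."""
    text = label.lower()
    return [cat for cat, pat in PHI_PATTERNS.items() if re.search(pat, text)]

def lint_form(form):
    """Return a list of go-live findings; an empty list means the checks pass."""
    findings = []
    # Step 3: transport encryption for electronic submission
    if not form.get("submit_url", "").startswith("https://"):
        findings.append("submission endpoint must use HTTPS")
    # Step 2: privacy notice must be present
    if not form.get("consent_notice"):
        findings.append("missing privacy/consent notice text")
    # Data minimization: every PHI field needs a documented purpose
    collects_phi = False
    for field in form["fields"]:
        cats = classify_field(field["label"])
        collects_phi = collects_phi or bool(cats)
        if cats and not field.get("justification"):
            findings.append(f"PHI field '{field['label']}' ({', '.join(cats)}) has no documented purpose")
    if collects_phi and not form.get("consent_checkbox_required"):
        findings.append("form collects PHI but the consent checkbox is optional")
    return findings

SAMPLE_FORM = {  # constructed sample intake form, not a real practice's form
    "submit_url": "http://forms.example/intake",
    "consent_notice": "",
    "consent_checkbox_required": False,
    "fields": [
        {"label": "Full name", "justification": "registration"},
        {"label": "Social Security number"},
        {"label": "Reason for visit", "justification": "treatment"},
    ],
}
```

Running `lint_form(SAMPLE_FORM)` returns four findings; once the endpoint is HTTPS, the notice and required checkbox are in place, and each PHI field has a purpose, it returns an empty list.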
Final Tips for HIPAA-compliant healthcare forms
- Start with small wins: convert one form (intake or telehealth consent) to a HIPAA-compliant workflow first.
- Make the vendor checklist non-negotiable: no BAA, no PHI.
- Document everything: audits love paperwork, have policies, training records, and vendor BAAs ready.
- When in doubt, get counsel: for high-risk processes or breach questions, consult compliance/legal experts.
MakeForms is 100% HIPAA compliant
Staying HIPAA compliant can be easier than it sounds. Let MakeForms handle the tech side while you focus on creating forms, team training, and patient trust. Together, we keep patient data safe and your practice protected.