HIPAA Form Builders: Who Signs a BAA?
Every healthcare practice evaluating a form tool hits the same two questions: "is it HIPAA compliant?" and "will they sign a BAA?" — and the marketing answers blur the difference. We compare Google Forms, Microsoft Forms, JotForm, Cognito Forms, Formstack, and Schweizerform on BAA availability, plan tier, encryption model, and one question most pages skip: can the vendor technically read your PHI at all?
Every healthcare practice that goes looking for an online form tool ends up at the same two questions. The first is "is it HIPAA compliant?" The second is "will they sign a BAA?" Marketing pages answer both with a confident yes, and in doing so they quietly blur the fact that these are two different questions with two different kinds of answer — one about a legal contract, one about a property of your whole compliance programme.
This comparison untangles the two, then goes vendor by vendor through the form builders US practices actually shortlist — Google Forms, Microsoft Forms, JotForm, Cognito Forms, and Formstack — and shows, for each, whether a Business Associate Agreement (BAA) is available, what plan tier it requires, what the encryption model really is, and the question most comparison pages skip entirely: can the vendor technically read your Protected Health Information (PHI) at all? Schweizerform is in the table too, and we are honest about exactly where it does and does not fit.
Who this comparison is for
Practice managers, compliance officers, IT leads, and clinicians choosing a form tool that will touch PHI — and anyone who has typed "cognito forms hipaa compliance baa" into a search bar and wanted a straight answer rather than a sales page.
An honest note up front
Schweizerform is a Swiss-built, Swiss-hosted form builder with a zero-knowledge architecture. We do not currently offer a HIPAA Business Associate Agreement and we are not marketed as a HIPAA vendor. Our positioning is European-first, around the Swiss nFADP and GDPR. We include ourselves in this comparison because the architectural question — can the vendor read your PHI? — is one where we have a genuinely different answer, not because we are pitching a turnkey US HIPAA package. Where you need a BAA, we say so plainly.
What a BAA Actually Is (and What It Is Not)
A Business Associate Agreement is a contract. Under HIPAA, when a vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity, that vendor is a "business associate", and the covered entity must have a BAA in place with it. The BAA obligates the vendor to implement the Security Rule's safeguards, limits how it may use and disclose PHI, requires it to report breaches, and requires it to flow the same obligations down to its own subcontractors that touch PHI.
What a BAA is not: it is not a certificate, it is not a technical control, and it is not the thing that makes you compliant. There is no government body that issues a "HIPAA-compliant" stamp to a product. "HIPAA-compliant" is a property of your whole programme — your Privacy Rule analysis, your Security Rule safeguards, your breach-notification plan, and yes, your BAAs — not a label a product ships with. A vendor can hand you a perfectly valid BAA and still leave your programme non-compliant if the rest of the safeguards are not in place.
The one-sentence version
A BAA is a legal allocation of responsibility between you and a vendor. "HIPAA compliant" describes your entire programme. Asking "will they sign a BAA?" and asking "is it HIPAA compliant?" are not the same question — and a vendor that answers the second when you asked the first is worth a second look.
Required vs Addressable Specifications in 60 Seconds
The Security Rule splits its implementation specifications into two kinds: "required" and "addressable". This single distinction is the source of more bad HIPAA marketing than almost anything else, so it is worth getting straight before any vendor tells you what they do and do not have to do.
- Required means: you must implement it. No discretion.
- Addressable does NOT mean optional. It means: implement the specification, OR document why it is not reasonable in your environment and what equivalent safeguard you put in place instead.
- Encryption — both in transit and at rest — is an addressable specification. Since the 2013 Omnibus Rule and a long line of HHS enforcement actions, regulators treat encryption as the default expectation and have penalised entities that skipped it without a defensible written analysis.
We unpack the Privacy, Security, and Breach Notification Rules in much more depth in our companion article on HIPAA-compliant form collection — this page assumes the basics and focuses on the BAA-and-encryption question specifically. The short version: encryption is not technically mandatory, but in practice you implement it or you write a very good explanation of why you did not.
Who Signs a BAA — Vendor by Vendor
Here is the practical reality for the form tools US practices most often shortlist. For each, the questions that matter are: is a BAA available, on what plan, what is the encryption model, and who can technically reach the plain-text PHI.
Google Forms / Google Workspace
Google offers a BAA that covers core Google Workspace services, including Google Forms — but only for paid Workspace accounts, and the administrator has to actively review and accept the BAA in the Admin console. The free, consumer Google Forms product (a personal Gmail account collecting a health questionnaire) is not covered by any BAA, full stop. This is the single most common and most expensive mistake in this whole space: a clinic uses "free Google Forms", assumes that because Google is a serious company it must be fine, and discovers during an audit that the consumer product was never BAA-eligible.
Encryption model: Google encrypts data in transit (TLS) and at rest on its infrastructure, and Google holds the keys. Form responses are readable by Google's systems. Who can technically reach PHI: Google's infrastructure, and any party able to compel Google under US law. Default data location is the United States, configurable on enterprise tiers but with Google retaining processing latitude.
Microsoft Forms / Microsoft 365
Microsoft includes BAA terms for its covered services through its Product Terms and the HIPAA Business Associate Agreement that forms part of its commercial licensing for eligible Microsoft 365 / Office 365 subscriptions. For practices already standardised on Microsoft 365, Microsoft Forms inside a covered tenant can fall within that BAA framework — but, as always, eligibility is tied to the licence and tenant configuration, not to the consumer product, and you must confirm the specific service is in scope.
Encryption model: TLS in transit, encryption at rest with Microsoft-held keys (customer-managed key options exist on some services but the vendor's platform can still process the data). Who can technically reach PHI: Microsoft's platform and parties able to compel it under US law. Data location depends on tenant region settings.
JotForm
JotForm offers HIPAA-enabled accounts with a BAA, available on its higher paid tiers (its Silver, Gold, and Enterprise plans, with HIPAA features unlocked from the upper tiers). When you enable HIPAA mode, JotForm applies additional controls and will sign a BAA. This is a real, usable offering and a common choice for US practices that want breadth of features plus a BAA.
Encryption model: TLS in transit and encryption at rest, with JotForm holding the keys. Who can technically reach PHI: JotForm's servers — and therefore JotForm staff and any party with application-level access or a lawful demand — can read submissions in plain text. The BAA allocates responsibility for that access; it does not remove the access. Data location is primarily the United States, with EU options on higher plans.
Cognito Forms
Cognito Forms is the tool a lot of people are specifically searching for when they type "cognito forms hipaa compliance baa", so it deserves a careful, fair answer. Cognito Forms offers HIPAA features and will sign a BAA on its higher plans (Pro and above, with HIPAA enablement on the upper tiers). It also has a genuinely useful differentiator that most general-purpose builders lack: an "Encrypted Fields" feature, which lets you flag specific fields as encrypted so that those values are stored encrypted at rest rather than in plain text.
This is a real feature and meaningfully better than tools that store everything in the clear. But it is important to understand precisely what it is and is not. Encrypted Fields is server-side, vendor-managed encryption: Cognito holds the key infrastructure, and Cognito's servers see the plaintext during submission processing and decrypt the field when you, the form owner, view the submission. It is not end-to-end encryption. So the honest answer to the search query is: yes, Cognito Forms offers HIPAA features and a BAA on higher plans, and its Encrypted Fields raise the bar on at-rest protection — but Cognito can still technically access PHI, because it holds the keys. The BAA is what allocates legal responsibility for that access.
Cognito Forms, in one line
Yes to a BAA on higher plans; yes to a real Encrypted Fields feature for at-rest protection; but the keys are Cognito's, so Cognito can technically read PHI. "Encrypted fields" and "the vendor cannot read it" are different claims — Cognito offers the first, not the second.
Formstack
Formstack is a compliance-focused enterprise workflow platform (forms, documents, e-signature) that offers a HIPAA-compliant plan with a BAA on its higher tiers. For mid-market and enterprise teams that want forms plus document generation and e-sign under one vendor with a BAA, it is a standard, credible choice.
Encryption model: TLS in transit and encryption at rest, with Formstack holding the keys. Who can technically reach PHI: Formstack's infrastructure, its authorised staff, integrations, and any party with a lawful demand can technically reach the plain-text data. Again, the BAA allocates responsibility; it does not change the fact that the vendor's systems can read the data. Data location is primarily the United States.
The Comparison Table
Read the last two columns together. "BAA available" tells you whether a vendor will accept legal responsibility for PHI. "Vendor can technically read PHI?" tells you whether that responsibility is the only thing standing between your patients' data and the vendor's staff. They are different axes, and the difference is the whole point of this page.
| Vendor | BAA available? | Tier required | Encryption model | Vendor can technically read PHI? | Default data location |
|---|---|---|---|---|---|
| Google Forms / Workspace | Yes — paid Workspace only (admin must accept); free Google Forms NOT covered | Paid Workspace editions | TLS + at-rest, Google-held keys | Yes | United States (region options on enterprise) |
| Microsoft Forms / 365 | Yes — via Product Terms / DPA for covered subscriptions | Eligible commercial M365 / O365 | TLS + at-rest, Microsoft-held keys | Yes | Per tenant region |
| JotForm | Yes | Higher paid tiers (Silver / Gold / Enterprise) | TLS + at-rest, JotForm-held keys | Yes | United States (EU on higher plans) |
| Cognito Forms | Yes | Higher plans (Pro and above) | TLS + at-rest; optional per-field "Encrypted Fields", vendor-held keys | Yes — keys held by Cognito | United States |
| Formstack | Yes | Higher / HIPAA tier | TLS + at-rest, Formstack-held keys | Yes | United States |
| Schweizerform | No — not offered, not marketed as a HIPAA vendor | n/a | Zero-knowledge end-to-end encryption (AES-256-GCM, RSA-OAEP-2048), every plan | No — vendor holds no keys, cannot decrypt | Switzerland (Infomaniak) |
Notice the pattern in the second-to-last column: every mainstream BAA-signing vendor answers "yes, the vendor can technically read PHI." That is not a flaw in those products — it is simply how conventional, vendor-held-key encryption works. The BAA is the control that governs that access. The only "no" in that column belongs to the architecture that does not hold keys at all.
A BAA Is Not an Encryption Strategy
This is the section that the comparison table is really pointing at. A BAA and end-to-end encryption (E2EE) both reduce risk, but they do completely different jobs, and they are not substitutes for each other.
A BAA is a legal allocation of responsibility. When a breach happens, the BAA is what determines who must notify whom, who carries which obligations, and how liability is shared between the covered entity and the business associate. It is a paper instrument. It does nothing, by itself, to prevent the breach or to make the exposed data unreadable. Every mainstream vendor that signs a BAA can technically access PHI — their encryption-at-rest uses keys the vendor holds, which means the vendor's systems, staff, integrations, and anyone who can compel them legally can in principle reach the plain text. The BAA says "we promise to handle that access responsibly and to tell you if it goes wrong."
End-to-end encryption is an architectural control. With true zero-knowledge E2EE, the data is encrypted on the respondent's device before it ever reaches the vendor, and the vendor never holds the keys. In a breach, what an attacker — or a subpoena — obtains is ciphertext with no decryption path. The difference is the difference between "allowed to hold readable PHI, and contractually bound to handle it well" and "cannot hold readable PHI at all."
A BAA decides who is responsible when readable PHI is exposed. End-to-end encryption decides whether there is readable PHI to expose in the first place. The strongest programmes do not choose between them — they understand which one each tool actually gives them.
| In a breach scenario | What a BAA does | What E2EE does |
|---|---|---|
| Prevents the data being readable | No — it is a contract, not a control | Yes — exposed data is ciphertext only |
| Allocates legal responsibility | Yes — that is its entire purpose | No — it is a technical property, not a contract |
| Governs the vendor's permitted access | Yes — contractually | Removes the access — vendor holds no keys |
| Affects breach-notification analysis | Defines who notifies whom | Encrypted-to-NIST data may fall outside "unsecured" PHI |
| Answer to "can the vendor read PHI?" | Yes, but they promise to handle it | No — structurally cannot |
Properly encrypted PHI that is breached may fall outside the "unsecured PHI" category under HHS encryption guidance, which can change the breach-notification obligation. That safe-harbour benefit is strongest precisely when the vendor cannot decrypt the data — which is the E2EE case, not the vendor-held-key case.
Where Schweizerform Honestly Fits
Time to be direct about our own product, because the whole value of this page depends on it. Schweizerform does not offer a HIPAA Business Associate Agreement, and it is not marketed as a HIPAA vendor. If your procurement checklist has a hard line that reads "vendor must sign a BAA", Schweizerform does not satisfy that line today, and we will not pretend otherwise.
What Schweizerform does have is the architectural property the entire "vendor can technically read PHI?" column is about. Every submission — including file attachments — is encrypted in the respondent's browser using AES-256-GCM, with the per-submission key wrapped by the form's RSA-OAEP-2048 public key. The owner's private key is protected by a Master Key derived from their Access Code, which never leaves their device. Our servers, hosted exclusively in Switzerland on Infomaniak, store ciphertext only. We hold no keys. We cannot decrypt submissions — not for support, not for analytics, not under a Swiss lawful request. That changes the risk conversation: there is no readable PHI on our side for a BAA to allocate responsibility over, because there is no readable PHI on our side at all.
The honest Schweizerform position
For US covered entities: a zero-knowledge architecture means the vendor never possesses readable PHI, which is a meaningfully different risk posture from a vendor-held-key BAA model. But that is an architectural argument, not a turnkey HIPAA package, and a BAA may still be a hard procurement requirement for you. If it is, you should evaluate vendors who offer a BAA as part of their core product, and you should make that call with your own HIPAA-compliance counsel. We would rather you choose clearly than be surprised later.
There is also a second audience this page should not lose. For healthcare and health-adjacent organisations outside the US — in Switzerland, the EU, and the wider EEA — HIPAA is simply not the operative framework. The relevant regimes are the Swiss nFADP and GDPR (including the Article 9 rules for special-category health data). That is home turf for Schweizerform: Swiss hosting, Swiss jurisdiction outside US CLOUD Act reach, no US sub-processors in the submission data path, and zero-knowledge encryption on every plan including the free tier. For those buyers, the BAA question is a red herring, and the encryption-and-sovereignty question is the one that matters.
A Decision Framework
Run these five steps in order and the vendor question usually answers itself.
Determine if you are a covered entity or business associate
HIPAA only applies if you are a US covered entity (most providers, health plans, clearinghouses) or a business associate acting for one. A Swiss clinic or an EU research group is governed by nFADP and GDPR, not HIPAA. Get this right first; it decides whether the BAA question even applies to you.
Classify the form data
Is what the form collects actually PHI (individually identifiable health information created or received in your covered capacity), or is it general personal data, or non-identifiable? Apply minimum-necessary while you are here: drop fields that exist out of habit rather than need. The classification sets the bar for everything downstream.
Decide your path: BAA-required or E2EE-preferred
If you are a US covered entity handling PHI, a BAA with every vendor that touches that PHI is non-negotiable — that is the BAA-required path, and it points you at Google Workspace, Microsoft 365, JotForm, Cognito Forms, or Formstack on the appropriate tier. If your priority is that no vendor can read the data at all — common for whistleblower-grade, cross-border, or sovereignty-driven workloads — that is the E2EE-preferred path, and it points you at a zero-knowledge architecture.
Verify vendor claims in writing
Do not accept a marketing badge. For a BAA path: confirm the BAA covers the specific product and plan tier you will use (free Google Forms is the classic trap), and get it executed before any real submission flows. For an E2EE path: confirm the keys are genuinely client-held and the vendor cannot decrypt — "encrypted fields" with vendor-held keys is not the same claim as zero-knowledge.
Document the decision
Write down which path you chose and why, which framework applies (HIPAA, nFADP, GDPR), what the vendor signed or what the architecture guarantees, and how the data classification supports it. If a regulator or auditor ever asks, the documented reasoning is what turns a defensible choice into a demonstrable one.
The Bottom Line
"Is it HIPAA compliant?" and "will they sign a BAA?" are two questions, and the honest mainstream answer is consistent across Google Workspace, Microsoft 365, JotForm, Cognito Forms, and Formstack: yes, a BAA is available on the appropriate paid or enterprise tier, and yes, the vendor can still technically read your PHI, because that is how vendor-held-key encryption works. The BAA is the control that governs that access. For US covered entities, that model is well-trodden and often exactly right — just verify it covers the specific product and plan you actually use.
The point this page exists to make is that a BAA is not an encryption strategy. It allocates responsibility for readable PHI; it does not make the PHI unreadable. End-to-end zero-knowledge encryption is the architectural alternative — the vendor cannot read PHI at all — and that is a genuinely different posture, even though, in Schweizerform's case, it comes without a BAA and is not a turnkey US HIPAA package. Choose the path that matches your obligations, verify the claim in writing, and document why.
If you are a US covered entity that needs a BAA, choose a vendor whose core product offers one and confirm it covers your plan. If your priority is that no vendor — not even ours — can read the data, Schweizerform's zero-knowledge architecture, Swiss hosting, and native EN / DE / FR / IT are worth a closer look, especially for nFADP- and GDPR-governed healthcare workloads outside the US.
Disclaimer: This comparison is general information and marketing content, not legal, regulatory, or compliance advice. Competitive details for Google, Microsoft, JotForm, Cognito Forms, and Formstack (BAA availability, plan tiers, HIPAA features, encryption behaviour, data location) reflect publicly available information at the time of writing and may change — verify current details directly with each vendor before making procurement or compliance decisions. Schweizerform does not offer a HIPAA BAA and is not marketed as a HIPAA vendor. US HIPAA programme decisions should be reviewed by qualified US healthcare-compliance counsel. All product and company names are trademarks of their respective owners and are used here for factual comparison only.