Contact Form 7
HIPAA Compliance Risk: High
Category: Forms
Use Case: Website contact form plugin for collecting user-submitted messages, often including names, emails, phone numbers, and custom inquiries
Why it matters:
Contact Form 7 is a popular WordPress plugin used to create simple contact and inquiry forms. While powerful and flexible, it lacks key privacy and security features required for handling Protected Health Information (PHI) under HIPAA.
By default, Contact Form 7 sends submitted form data via plain email and does not provide encryption at rest or in transit, nor does it offer audit controls, secure data storage, or any HIPAA-specific configurations. This creates a high risk when used to collect health-related inquiries, appointment requests, or condition-specific messages.
Additionally, Contact Form 7 does not offer a Business Associate Agreement (BAA), making it unsuitable for use in HIPAA-covered environments.
What HHS says:
According to HHS guidance, any data that connects an individual to a healthcare inquiry, provider, or condition, even when submitted through a public webpage, can be considered PHI and must be protected under HIPAA.
HIPAA requires safeguards such as access controls, secure transmission, proper storage, and a Business Associate Agreement with any vendor handling PHI. Contact forms that collect or transmit sensitive health-related information without these protections may result in impermissible disclosures.
Recommendation:
If your website uses Contact Form 7 to collect appointment requests, symptom descriptions, or other messages that could include PHI, we strongly recommend replacing it with a HIPAA-compliant form solution.
Look for a form provider that:
Signs a Business Associate Agreement (BAA)
Encrypts data in transit and at rest
Stores submissions securely (or avoids storage altogether)
Provides access controls and audit logs
Meets your state and federal privacy requirements
Even basic contact forms should be treated with caution in healthcare, as users often share more information than expected.
Still using Contact Form 7 for patient inquiries? Let’s switch you to a secure, compliant alternative.