Gravity Forms
HIPAA Compliance Risk: High
Category: Forms
Use Case: WordPress form builder used to collect contact details, appointment requests, file uploads, and survey responses
Why it matters:
Gravity Forms is a powerful and flexible WordPress form plugin widely used for contact forms, surveys, appointment requests, and more. However, out of the box, it is not HIPAA compliant.
By default, Gravity Forms stores form submissions in the WordPress database and often sends notification emails in plain text. These behaviors create a significant risk of exposing Protected Health Information (PHI) if the forms are used on healthcare-related websites. Additionally, Gravity Forms does not offer a Business Associate Agreement (BAA), which is required under HIPAA if any PHI is being processed or stored.
Without proper customization and external add-ons, Gravity Forms cannot meet HIPAA standards for data security, access control, and audit logging.
What HHS says:
Per HHS guidance, form data submitted by individuals on health-related websites such as appointment requests or inquiries about symptoms can be considered PHI even when collected through public-facing pages.
HIPAA requires that this data be encrypted, securely stored, and accessed only by authorized personnel. Any service handling such information must also sign a Business Associate Agreement (BAA), a requirement Gravity Forms does not meet.
Recommendation:
If you're using Gravity Forms to collect information related to care, treatment, or health services, we strongly recommend replacing it with a HIPAA-compliant form solution. While some developers attempt to make Gravity Forms more secure through encryption plugins or third-party add-ons, these modifications often fall short of full HIPAA compliance, especially without a BAA in place.
For safer handling of sensitive information, use a form service that:
Offers a signed Business Associate Agreement
Encrypts submissions in transit and at rest
Avoids storing sensitive data directly in your WordPress database
Provides full access control and audit logs
Still using Gravity Forms for healthcare inquiries? Let’s move you to a secure, HIPAA-compliant solution.