Soli
Compliance Guide

Using Google Forms for patient intake

An honest, step-by-step look at what it actually takes to use Google Forms under HIPAA — and where it still falls short for a therapy practice.

Plenty of small practices reach for Google Forms because it is free, familiar, and fast. The honest answer to “Is it HIPAA compliant?” is this: it can be part of a compliant workflow, but only if you do real work to get there — and even then it has structural gaps you should understand before you trust it with client data. This guide walks through exactly what it takes, and is upfront about where Google Forms falls short for therapy intake.

A BAA is necessary, not sufficient

Google does offer a HIPAA Business Associate Amendment (BAA), and Google Forms is covered under it — it is included as part of Google Drive in Google's “HIPAA Included Functionality” list, alongside Docs, Sheets, and Slides. You may see older articles claiming Forms is “excluded”; the current position is that it is covered as part of Drive when you are on an eligible paid plan with an accepted BAA.

But signing the BAA does not make your setup compliant. The BAA is a legal contract that assigns responsibility — it does not configure anything, and it does not add the access controls, audit trails, or safeguards that HIPAA's Security Rule requires. Compliance is the combination of an eligible plan, an accepted BAA, correct configuration, and your own administrative and physical safeguards (policies, training, risk analysis, access reviews). Skip any layer and you are not compliant, BAA or not. In practice, a misconfigured form or an over-shared response sheet is one of the most common ways a practice ends up with an impermissible disclosure.

Step-by-step: getting Google Forms HIPAA-ready

1. Get on an eligible paid Google Workspace plan

A free @gmail.com account can never be HIPAA compliant — there is no BAA for consumer accounts. You need paid Google Workspace. Business Starter and Business Standard can accept the BAA, but they lack Vault and the advanced security and retention controls that come with the higher tiers. Business Plus or an Enterprise plan is the realistic floor for a defensible setup, because it adds Vault for retention and eDiscovery and advanced endpoint management on top of the Drive Data Loss Prevention that Business Standard already includes.

2. Accept the BAA in the Admin console

Sign in with a super administrator account, then go to Admin console → Account → Account settings → Legal and compliance → Security and Privacy Additional Terms. Open the Google Workspace/Cloud Identity HIPAA Business Associate Amendment, click Review and Accept, answer the three covered-entity questions, and confirm. Save a screenshot of the acceptance screen for your compliance records — electronic acceptance is as legally binding as a signed paper agreement.

3. Lock down organization-wide sharing

In the Admin console (Apps → Google Workspace → Drive and Docs → Sharing settings), restrict Drive external sharing so response spreadsheets cannot be shared outside your organization, and disable "anyone with the link" sharing for the organizational unit that handles intake. Apply the restriction to that org unit rather than to a single file, so the setting survives a new form or a copied sheet.

4. Build the form with "minimum necessary" in mind

Only collect the PHI you actually need. Avoid open-ended free-text fields that invite over-disclosure, and make sure responses flow only into your controlled Workspace environment.

5. Control where responses land — and who sees them

Send responses to a single, access-controlled Google Sheet. Understand the core limitation here: anyone who can open that sheet, viewer or editor, can see every response. There is no per-field or per-record role separation, and protected ranges only restrict editing, not viewing. Share the sheet with the smallest possible number of named staff who have a documented need to access intake data, and check its sharing settings on a schedule rather than only when you create it.

6. Keep notifications and receipts internal

Disable response receipts to respondents and any notification that emails response data to personal or external addresses. Emailed response summaries are a classic uncontrolled disclosure of PHI.

7. Disable risky add-ons

Third-party Forms and Sheets add-ons are not covered by Google’s BAA; an add-on that reads response data is a disclosure to a vendor with no contract. Restrict Marketplace add-on installation organization-wide (Admin console → Apps → Google Workspace Marketplace apps → Settings, allowlisted apps only) and remove any add-on that touches response data.

8. Turn on Data Loss Prevention

On Business Standard and above, configure DLP rules under Security → Data protection to detect and flag PHI patterns leaving your environment.

9. Set retention and recovery

Use Vault (Business Plus and Enterprise) to define retention and legal hold on the response data, and document your data lifecycle so it can be explained in an audit.

10. Do the non-technical HIPAA work

A BAA and configuration do not replace a documented risk analysis, written policies, workforce training, periodic access reviews, and a breach response plan. These administrative and physical safeguards are your responsibility, not Google’s.
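Steps 3 and 5 above are the ones that decay silently: a colleague clicks Share, a sheet is copied, and the response data is suddenly readable by someone it should not be. The check below is an added example, not code from this guide or from Google, that audits a response sheet's permissions against those two steps. It takes permission objects in the shape of the Drive API v3 permissions.list resource (id, type, role, emailAddress, domain, allowFileDiscovery); the practice domain, the named staff list, the editor ceiling and the sample permissions are all constructed for illustration. The `Drive.Permissions.list` call mentioned in the comment is an assumption about the Apps Script advanced Drive service, not something the page shows.

```javascript
// Added example (not part of the original guide or of Google's tooling):
// audit the sharing on a Forms response spreadsheet against steps 3 and 5.
// Input objects follow the Drive API v3 permissions.list resource shape
// (id, type, role, emailAddress, domain, allowFileDiscovery). The domain,
// staff list, editor ceiling and sample permissions below are constructed.

const ORG_DOMAIN = "example-practice.com"; // assumed Workspace primary domain
const INTAKE_STAFF = [                      // assumed documented access list
  "intake@example-practice.com",
  "dr.lee@example-practice.com",
];
const MAX_EDITORS = 2;                      // assumed policy ceiling on editors

// Drive roles that can modify (and therefore re-share) the sheet.
const EDIT_ROLES = new Set(["owner", "organizer", "fileOrganizer", "writer"]);

function emailDomain(email) {
  return String(email || "").split("@").pop().toLowerCase();
}

// Returns an array of findings {severity, id, reason}; empty means the sheet passes.
function auditSheetPermissions(permissions, policy) {
  const orgDomain = ((policy && policy.orgDomain) || ORG_DOMAIN).toLowerCase();
  const allowed = new Set(((policy && policy.allowedUsers) || INTAKE_STAFF)
    .map((e) => e.toLowerCase()));
  const maxEditors = (policy && policy.maxEditors !== undefined)
    ? policy.maxEditors : MAX_EDITORS;
  const findings = [];
  let editors = 0;

  for (const p of permissions) {
    if (EDIT_ROLES.has(p.role)) editors += 1;
    switch (p.type) {
      case "anyone": // step 3: link sharing must be off for intake data
        findings.push({ severity: "critical", id: p.id,
          reason: p.allowFileDiscovery
            ? "public: anyone can find and open the sheet"
            : "anyone with the link can open the sheet" });
        break;
      case "domain": // step 5 wants named staff, not the whole org
        findings.push({ severity: "high", id: p.id,
          reason: (p.domain || "").toLowerCase() === orgDomain
            ? "shared with the whole organization, not named intake staff"
            : `shared with external domain ${p.domain}` });
        break;
      case "group": // membership is invisible here, so it needs its own review
        findings.push({
          severity: emailDomain(p.emailAddress) === orgDomain ? "medium" : "high",
          id: p.id,
          reason: `group ${p.emailAddress}: membership must be reviewed separately` });
        break;
      case "user": {
        const email = String(p.emailAddress || "").toLowerCase();
        if (emailDomain(email) !== orgDomain) {
          findings.push({ severity: "high", id: p.id,
            reason: `external account ${email} (${p.role})` });
        } else if (!allowed.has(email)) {
          findings.push({ severity: "medium", id: p.id,
            reason: `${email} is not on the documented intake access list (${p.role})` });
        }
        break;
      }
      default:
        findings.push({ severity: "medium", id: p.id,
          reason: `unrecognized permission type ${p.type}` });
    }
  }
  if (editors > maxEditors) {
    findings.push({ severity: "medium", id: null,
      reason: `${editors} accounts can edit the sheet; policy allows ${maxEditors}` });
  }
  return findings;
}

// Counts by severity, so a scheduled run can decide whether to page someone.
function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed sample: what permissions.list might return for a response sheet
// after a few well-meaning Share clicks.
const SAMPLE_PERMISSIONS = [
  { id: "p1", type: "user", role: "owner", emailAddress: "intake@example-practice.com" },
  { id: "p2", type: "user", role: "writer", emailAddress: "Dr.Lee@example-practice.com" },
  { id: "p3", type: "user", role: "reader", emailAddress: "billing@example-practice.com" },
  { id: "p4", type: "user", role: "writer", emailAddress: "assistant@gmail.com" },
  { id: "p5", type: "anyone", role: "reader", allowFileDiscovery: false },
  { id: "p6", type: "domain", role: "commenter", domain: "example-practice.com" },
];

// In Apps Script with the advanced Drive service (v3) enabled, the same audit
// can be fed from a live sheet (assumed call, not shown on the page):
//   Drive.Permissions.list(fileId, { fields:
//     "permissions(id,type,role,emailAddress,domain,allowFileDiscovery)" }).permissions
if (typeof require !== "undefined" && require.main === module) {
  const findings = auditSheetPermissions(SAMPLE_PERMISSIONS);
  console.log(JSON.stringify(summarize(findings)), findings);
}
```

Run on the sample it reports one critical (the link share), two high (the Gmail editor and the whole-domain share), and two medium (a staff member who is not on the documented list, and three editors against a ceiling of two). The point of the editor ceiling is that every editor can re-share the sheet, so the list of people who can open it is only as small as the list of people who can grow it.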

Where Google Forms still falls short

Even fully configured, Google Forms was not built for clinical intake. Be honest with yourself about the residual risk you are accepting:

No per-response audit trail. Workspace logs file-level access, not "who viewed this specific patient’s intake." That is a gap in an OCR audit.

No role-based or minimum-necessary enforcement. Any access to the response sheet, viewer or editor, means access to all responses. You cannot scope access by sensitivity or by patient.

No field-level encryption. Google can technically access the data. This is not a zero-knowledge system — you are trusting Google’s controls and your own configuration.

No built-in consent capture or identity-bound e-signatures. Intake and consent workflows need more than a checkbox to stand up to scrutiny.

Receipts and add-ons leak easily. The default conveniences are exactly the things that cause uncontrolled disclosures.

None of this means Google Forms is unusable. It means you are accepting real residual risk and taking on all of the configuration and oversight burden yourself.

The honest comparison

Here is every step above, side by side with what the same task looks like on a platform built for mental health intake.

Step to handle therapy intake | Google Forms | Soli Forms
--- | --- | ---
Choose / upgrade to an eligible paid plan | Required (Business Plus or Enterprise, realistically) | Not needed — built for healthcare
Locate and accept a BAA | Manual, super-admin, Admin console | Included with every paid plan
Configure org-wide sharing restrictions | Manual admin work | Default
Restrict who can see responses | Not possible per-record — all or nothing | Role-based access built in
Prevent receipts / notifications leaking PHI | Manual | Encrypted by design
Disable non-covered add-ons | Manual admin work | Not applicable
Per-response audit trail | Not available | Built in
Field-level / zero-knowledge encryption | Not available | Default — encrypted on device
Consent capture & identity-bound e-signatures | Build it yourself | Built in
Retention / eDiscovery | Extra plan tier + configuration | Built in
Your own policies, training, risk analysis | Still required | Still required

Bottom line

Google Forms can be one piece of a compliant workflow if you are disciplined about every step above and you accept its structural limits. Soli Forms removes most of that checklist because it was designed for mental health intake from the start — encrypted on the device, role-aware, audit-logged, with a BAA included on every paid plan.

This article is educational and is not legal advice. Consult a qualified HIPAA professional about your specific practice before relying on any tool to handle protected health information.