7 Required Steps for HIPAA Compliance in Gravity Forms

Key Takeaways

  • Gravity Forms is not HIPAA compliant by default: with additional tools, secure hosting, and proper policies, though, you can configure it to collect Protected Health Information (PHI) safely.
  • HIPAA-compliant hosting is critical: Choose providers who undergo audits, sign BAAs, and offer strong security features like firewalls, encryption, backups, and physical safeguards.
  • Encryption setup must cover: HTTPS for transmission, database encryption for storage, and role-based access controls to limit user access to decrypted PHI.
  • Granular access control can be applied with Advanced Permissions: restrict form and data access by role or individual user, keep access rules tracked and reviewable, and pair it with MFA and strong passwords to protect admin accounts.
  • Entry Automation: Helps securely handle PHI through scheduled deletions, retention enforcement, field-level data removal, and secure exports — reducing manual risk and ensuring compliance.
  • HIPAA documentation and agreements must be maintained: This includes policies/procedures, BAAs, training records, incident logs, and retention of compliance records for at least six years.
  • Use specialized plugins and tools: Advanced Permissions, Entry Automation, and HIPAA encryption plugins provide the infrastructure to align Gravity Forms with HIPAA safeguards.

If you collect private health information through Gravity Forms, it’s crucial that you know how to protect patient data, avoid violations, and collect protected health information (PHI) securely on WordPress forms. Gravity Forms is not inherently HIPAA compliant, but with careful configuration and supplemental tools, it can help meet HIPAA requirements for handling PHI.

In this article, you’ll learn how to make Gravity Forms HIPAA compliant with our step-by-step guide.

Step 1. Essential HIPAA compliance requirements for Gravity Forms

The first step is to learn the necessary compliance requirements. There’s a lot to know, but here are some essential HIPAA compliance requirements to consider:

Data Encryption

All PHI collected through Gravity Forms must be encrypted both in transit (using SSL/TLS for secure submission) and at rest (in the database). Gravity Forms does not encrypt data at rest by default, so you’ll need to use encryption add-ons or custom code for storage security — which I’ll cover in more detail later on.

Business Associate Agreement (BAA)

A BAA is required with any service provider that handles PHI. Since Gravity Forms does not sign BAAs, you must obtain a BAA from your web host or any third-party add-on managing HIPAA-compliant data isolation or encryption.

User Consent and Privacy Policy

Include clear consent language in all forms explaining data use, sharing, and storage practices. Post a detailed privacy policy on your website describing HIPAA compliance measures. You may want to make the HIPAA policy page separate from your regular privacy page in order to be as clear as possible. Explicit user consent is especially important for any testimonials or communications containing PHI.

Access Controls

Restrict access to PHI collected via Gravity Forms. Only authorized personnel should have database or admin access to sensitive form submissions. You can implement strong user authentication and granular permissions using our Advanced Permissions product.

Audit Logs and Monitoring

Maintain detailed audit logs of who accesses PHI and when. It’s important to regularly monitor access and activity to detect potential security incidents or unauthorized disclosures.

Data Retention and Secure Disposal

Implement retention policies for PHI, ensuring data is held only as long as required and securely deleted or purged when no longer needed, reducing exposure risk. Entry Automation for Gravity Forms helps you do this — and you can set it up to run automatically.

Secure Hosting Environment

Ensure your website is hosted on a HIPAA-compliant environment, featuring required safeguards such as firewalls, regular backups, intrusion detection, and strong physical and technical controls to protect PHI.

On that note, let’s dig a little deeper into hosting!

Step 2. Choose HIPAA-compliant WordPress hosting for Gravity Forms

It’s easy to assume that any reliable web host will be fine for your WordPress site, and for most sites, that’s true. However, when you collect PHI on your site, your host needs to meet certain requirements. To find HIPAA-compliant WordPress hosting suitable for use with Gravity Forms, there are certain things to look for.

Look for HIPAA Certification and Audits

Choose hosting providers that have undergone third-party HIPAA/HITECH audits or certifications. This ensures they follow required safeguards for protecting electronic protected health information (ePHI).

Verify Business Associate Agreement (BAA)

As I mentioned before, the host must be willing to sign a BAA, a legal contract required under HIPAA that governs how your data and that of your patients is handled and protected.

Check Security Features

Essential features include:

  • Encryption of data in transit and at rest (e.g., SSL/TLS plus AES-256 encryption)
  • Firewalls, malware protection, and intrusion detection/prevention
  • Regular backups stored offsite
  • Multi-factor authentication and strong access controls
  • Audit logging and monitoring of access to PHI

Evaluate Physical and Technical Safeguards

Confirm the host has secure data centers with controls such as biometric access, 24/7 security, fire suppression, and disaster recovery protocols.

Assess Support and Compliance Assistance

Good hosts provide HIPAA compliance support, including guidance, managed updates, and rapid incident response.

Consider Specialized HIPAA Hosting Providers

Some providers specialize in HIPAA hosting and offer specifically tailored WordPress environments optimized for compliance.

Recommended HIPAA-Compliant WordPress Hosting Providers

That’s a lot to look for in a web host! To save you some time, here are some providers who are ready to offer HIPAA compliance:

Atlantic.Net — SOC 2 Type II certified, HIPAA audited, signs BAA, and offers secure WordPress hosting with 100% uptime SLA.

Liquid Web — Undergoes rigorous HIPAA audits, offers locked server cabinets, fully managed hosting, BAA signing, and 24/7 support.

Convesio — Uses Docker containers for site isolation, encryption in transit and at rest, offsite backups, audit logging, and physical data center security.

HIPAA Vault — Fully managed HIPAA-compliant hosting with 24/7 monitoring, encrypted data, malware defense, and fast support.

Rackspace — HITRUST-certified with healthcare compliance expertise and personalized managed services. This certification process involves a rigorous assessment of the organization’s information security controls and practices against industry standards and regulatory requirements, such as HIPAA, ISO 27001, and others.

Step 3. Set up required HIPAA encryption for Gravity Forms data

To set up the required HIPAA encryption for data collected with Gravity Forms, you need to implement encryption for both data in transit and data at rest (stored in the database), as Gravity Forms does not provide this by default.

Here’s what you need to do to achieve HIPAA-compliant encryption for Gravity Forms data:

Enable SSL/TLS for Data Transmission

Ensure your WordPress site uses HTTPS with a valid SSL/TLS certificate. This encrypts data submitted via Gravity Forms during transmission, preventing interception of Protected Health Information (PHI).

Use an Encryption Add-On or Plugin for Data at Rest

Gravity Forms does not encrypt stored data out of the box. You must install third-party plugins or add-ons that enable encryption of form data stored in your WordPress database. Examples include:

  • HIPAA Forms plugin by Code Monkeys: Integrates with Gravity Forms to encrypt form submissions, isolate PHI, and offer HIPAA-compliant storage under BAA terms.
  • Gravity Forms Encrypted Fields Add-On: Encrypts specific form fields so data is encrypted at the field level before it is saved.

Encrypt Database Storage

Use encryption capabilities provided by your hosting environment or database software (such as AES-256 encryption) to encrypt data stored on the server where your WordPress site and Gravity Forms data reside.

Restrict Access and Use Role-Based Controls

Configure WordPress user roles and permissions to limit access to decrypted data to only authorized personnel. Combining encryption plugins with access control ensures PHI is protected.
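The following is an added example of what field-level encryption at rest combined with a role-based decryption gate looks like in code. It is not code from this article, from the Encrypted Fields Add-On, or from the HIPAA Forms plugin; it is built only on Gravity Forms’ public `gform_save_field_value` and `gform_get_input_value` filters and PHP’s libsodium functions. The constant name `GF_PHI_KEY`, the capability `gf_view_phi`, and form 12 with fields 3 and 7 are assumptions chosen for the illustration.

```php
<?php
/**
 * Field-level encryption for selected Gravity Forms fields (added illustration).
 *
 * Assumptions (hypothetical names, constructed sample IDs):
 *   - wp-config.php defines GF_PHI_KEY as the base64 encoding of 32 random bytes,
 *     generated once with base64_encode( random_bytes( 32 ) ), outside the web root.
 *   - Form 12, fields 3 and 7 hold PHI (single-input fields).
 *   - The custom capability 'gf_view_phi' is granted only to roles allowed plaintext.
 */

const GF_PHI_FIELDS = array( 12 => array( 3, 7 ) );
const GF_PHI_PREFIX = 'enc:v1:'; // versioned marker so plaintext legacy values are recognisable

function gf_phi_key() {
    if ( ! defined( 'GF_PHI_KEY' ) ) {
        return null;
    }
    $key = base64_decode( GF_PHI_KEY, true );
    if ( false === $key || SODIUM_CRYPTO_SECRETBOX_KEYBYTES !== strlen( $key ) ) {
        return null;
    }
    return $key;
}

function gf_phi_is_protected( $form_id, $field_id ) {
    $form_id = (int) $form_id;
    return isset( GF_PHI_FIELDS[ $form_id ] )
        && in_array( (int) $field_id, GF_PHI_FIELDS[ $form_id ], true );
}

function gf_phi_encrypt( $plaintext ) {
    $key = gf_phi_key();
    if ( null === $key ) {
        // Fail closed: a missing key must never result in PHI being stored in the clear.
        error_log( 'gf_phi: encryption key unavailable; PHI field value discarded' );
        return '';
    }
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ); // fresh nonce per value
    $box   = sodium_crypto_secretbox( (string) $plaintext, $nonce, $key );
    return GF_PHI_PREFIX . base64_encode( $nonce . $box );
}

function gf_phi_decrypt( $stored ) {
    if ( ! is_string( $stored ) || 0 !== strpos( $stored, GF_PHI_PREFIX ) ) {
        return $stored; // written before encryption was enabled; returned unchanged
    }
    $key = gf_phi_key();
    $raw = base64_decode( substr( $stored, strlen( GF_PHI_PREFIX ) ), true );
    if ( null === $key || false === $raw || strlen( $raw ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
        return '';
    }
    $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain = sodium_crypto_secretbox_open( substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ), $nonce, $key );
    // Authenticated encryption: a tampered ciphertext or wrong key yields false, never garbage.
    return false === $plain ? '' : $plain;
}

// Encrypt on write. Gravity Forms runs this filter for every field value it stores.
add_filter( 'gform_save_field_value', function ( $value, $entry, $field, $form, $input_id ) {
    $field_id = is_object( $field ) ? $field->id : 0;
    if ( '' === $value || null === $value || ! gf_phi_is_protected( rgar( $form, 'id' ), $field_id ) ) {
        return $value;
    }
    return gf_phi_encrypt( $value );
}, 10, 5 );

// Decrypt on read, but only for users holding the capability; everyone else gets a mask.
add_filter( 'gform_get_input_value', function ( $value, $entry, $field, $input_id ) {
    $field_id = is_object( $field ) ? $field->id : 0;
    if ( ! gf_phi_is_protected( rgar( $entry, 'form_id' ), $field_id ) ) {
        return $value;
    }
    if ( ! current_user_can( 'gf_view_phi' ) ) {
        return '[PHI withheld]';
    }
    return gf_phi_decrypt( $value );
}, 10, 4 );
```

Because the ciphertext uses a random nonce, two identical submissions produce different stored values, so entry searches and conditional logic on these fields will no longer match on content; that is the expected trade-off for PHI. Exports and merge tags read values through the same getter, so test notifications and exports on a staging form before enabling this in production.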

Use Secure Backup and Retention Practices

Ensure backups are encrypted and stored securely. Implement retention policies that delete data once it is no longer required, minimizing breach risk.

Business Associate Agreement (BAA)

Work with your hosting provider and any third-party services providing encryption to obtain a signed BAA, confirming their HIPAA compliance responsibilities.

Regular Auditing and Monitoring

Enable audit logging that tracks access to encrypted data and decryption events to ensure accountability and traceability in line with HIPAA rules.

Step 4. Configure HIPAA-compliant access controls with Advanced Permissions

To configure HIPAA-compliant access controls with Advanced Permissions for Gravity Forms, you need to set up strict role-based restrictions and granular user access management. Here’s how you can do it:

Use WordPress User Roles and Permissions

To begin with, you can leverage WordPress’s built-in user role system to restrict access to Gravity Forms data. Using Advanced Permissions, you can assign specific roles (e.g., “HIPAA User”) with limited permissions to only those who need access to protected health information (PHI).

Set Form-Level Access Controls

Configure specific forms to be accessible only by authorized users. You can restrict viewing, exporting, or deleting submissions by user roles or even specific individual users.

Enable Audit Logging

You’ll have a clear idea of exactly who has access to private data when you set up users and access rules through Advanced Permissions. Although the plugin does not generate a traditional audit trail, the access rules it enforces give you a tracked, reviewable record of who can reach sensitive form data, which helps you monitor and control that access.

You can also use the WP Activity Log for Gravity Forms Add-on to log all user actions related to form data access, such as who viewed, edited, or exported PHI. Both methods ensure accountability and help meet HIPAA audit requirements.

Secure Admin Area with MFA and Strong Passwords

Protect WordPress admin accounts with multi-factor authentication (MFA) and enforce strong password policies to prevent unauthorized access to PHI.

Domain and License Restrictions

If using third-party HIPAA plugins, restrict form submission and viewing capabilities to your authorized domain(s) only, ensuring forms and data cannot be accessed from unauthorized sites.

Regularly Review and Update Permissions

Periodically audit user access rights and adjust permissions based on role changes or staff turnover to ensure ongoing compliance.
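As an added illustration of the role setup, access logging, and periodic review described in this step, the snippet below uses only WordPress core role and capability APIs plus one Gravity Forms action hook; it is not code from the Advanced Permissions plugin, WP Activity Log, or this article. The role slug `hipaa_user`, its display name, and the custom capability `gf_view_phi` are hypothetical names chosen for the example.

```php
<?php
/**
 * Least-privilege access to Gravity Forms entries with WordPress core roles (added illustration).
 * Hypothetical names: role 'hipaa_user', capability 'gf_view_phi'.
 */

const GF_PHI_CAP = 'gf_view_phi';

function gf_phi_register_roles() {
    // View entries only: no editing, deleting, exporting, or form/settings capabilities.
    if ( null === get_role( 'hipaa_user' ) ) {
        add_role( 'hipaa_user', 'HIPAA User', array(
            'read'                      => true,
            'gravityforms_view_entries' => true,
            GF_PHI_CAP                  => true,
        ) );
    }
    // Administrators do not automatically receive unknown custom capabilities; grant explicitly.
    $admin = get_role( 'administrator' );
    if ( $admin && ! $admin->has_cap( GF_PHI_CAP ) ) {
        $admin->add_cap( GF_PHI_CAP );
    }
}
add_action( 'init', 'gf_phi_register_roles' );

// Record each entry-detail view as a structured log line. The PHI itself is never logged.
// In production, ship these lines to your SIEM or activity-log plugin rather than error_log.
add_action( 'gform_entry_detail_content_before', function ( $form, $entry ) {
    $user = wp_get_current_user();
    error_log( wp_json_encode( array(
        'event'    => 'gf_phi_entry_viewed',
        'time'     => gmdate( 'c' ),
        'user_id'  => (int) $user->ID,
        'login'    => $user->user_login,
        'form_id'  => (int) rgar( $form, 'id' ),
        'entry_id' => (int) rgar( $entry, 'id' ),
        'ip'       => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
    ) ) );
}, 10, 2 );

/**
 * Periodic access review: every account able to see PHI or export entries, with its roles.
 * Returns an array keyed by login; attach the output to the review record kept under Step 6.
 */
function gf_phi_access_review() {
    $report = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        $can_view   = user_can( $user, GF_PHI_CAP );
        $can_export = user_can( $user, 'gravityforms_export_entries' );
        if ( $can_view || $can_export ) {
            $report[ $user->user_login ] = array(
                'roles'      => $user->roles,
                'view_phi'   => $can_view,
                'export'     => $can_export,
                'registered' => $user->user_registered,
            );
        }
    }
    return $report;
}
```

Run `gf_phi_access_review()` (for example from WP-CLI’s `wp eval`) at each scheduled review and compare the result with the previous one: any account that gained `view_phi` or `export` without a documented authorization is the finding to chase.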

With Advanced Permissions, you can build a secure, auditable environment in Gravity Forms that aligns with HIPAA’s strict access control requirements.

To explore this setup in more detail, read our post about preventing data breaches in WordPress.

Step 5. Implement secure data handling with Entry Automation

If you are aiming for HIPAA compliance without overtasking your team, automation is your friend. You can leverage Entry Automation’s features to manage sensitive data securely and efficiently.

Automate Data Retention and Purging

Use Entry Automation to automatically delete specific form fields containing PHI after a set retention period. This reduces the risk of storing sensitive data longer than necessary, aligning with HIPAA’s data minimization and retention policies.

Conditional Task Scheduling

Schedule tasks to export, archive, or delete form entries on a regular basis (hourly, daily, weekly, or monthly) or immediately upon submission. This ensures PHI is handled consistently and promptly without manual intervention.

Field-Level Data Deletion

Instead of deleting entire form entries, you can selectively delete only certain fields that contain sensitive information. This allows you to keep non-PHI data intact while securely removing PHI when it is no longer needed.
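To show what the scheduled retention purge and field-level deletion described above amount to mechanically, here is an added example that implements both with WP-Cron and the Gravity Forms `GFAPI` class. It is not code from Entry Automation or from this article. Form 12, fields 3 and 7, and the 30-day window are constructed sample values; the fields are assumed to be single-input fields.

```php
<?php
/**
 * Scheduled field-level PHI purge using WP-Cron and GFAPI (added illustration).
 * Constructed sample values: form 12, PHI fields 3 and 7, 30-day retention.
 */

const GF_PHI_RETENTION = array(
    'form_id'   => 12,
    'field_ids' => array( 3, 7 ),
    'days'      => 30,
);

// Register a daily event once; the guard stops duplicate schedules on every request.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'gf_phi_retention_purge' ) ) {
        wp_schedule_event( time(), 'daily', 'gf_phi_retention_purge' );
    }
} );
add_action( 'gf_phi_retention_purge', 'gf_phi_purge_expired_fields' );

/**
 * Blank the PHI fields of every active entry older than the retention window,
 * leaving non-PHI fields and the entry itself intact. Returns the number of entries changed.
 */
function gf_phi_purge_expired_fields() {
    if ( ! class_exists( 'GFAPI' ) ) {
        return 0;
    }
    $cutoff = gmdate( 'Y-m-d H:i:s', time() - GF_PHI_RETENTION['days'] * DAY_IN_SECONDS );
    $search = array( 'status' => 'active', 'end_date' => $cutoff );
    $paging = array( 'offset' => 0, 'page_size' => 200 );
    $purged = 0;
    $fields = implode( ', ', GF_PHI_RETENTION['field_ids'] );

    do {
        $entries = GFAPI::get_entries( GF_PHI_RETENTION['form_id'], $search, null, $paging );
        if ( is_wp_error( $entries ) ) {
            error_log( 'gf_phi: get_entries failed: ' . $entries->get_error_message() );
            break;
        }
        foreach ( $entries as $entry ) {
            $changed = false;
            foreach ( GF_PHI_RETENTION['field_ids'] as $field_id ) {
                if ( '' === rgar( $entry, (string) $field_id ) ) {
                    continue; // already cleared on an earlier run
                }
                $result = GFAPI::update_entry_field( $entry['id'], $field_id, '' );
                if ( is_wp_error( $result ) ) {
                    error_log( sprintf( 'gf_phi: entry %d field %d not cleared: %s',
                        $entry['id'], $field_id, $result->get_error_message() ) );
                    continue;
                }
                $changed = true;
            }
            if ( $changed ) {
                // Leave an entry note so the disposal is evidenced without keeping the data.
                if ( method_exists( 'GFAPI', 'add_note' ) ) {
                    GFAPI::add_note( $entry['id'], 0, 'Retention job',
                        sprintf( 'PHI fields %s cleared after %d days.', $fields, GF_PHI_RETENTION['days'] ),
                        'note' );
                }
                $purged++;
            }
        }
        $paging['offset'] += $paging['page_size'];
    } while ( count( $entries ) === $paging['page_size'] );

    return $purged;
}
```

WP-Cron only fires when the site receives traffic, so for a retention control that must run on schedule, disable the pseudo-cron with `DISABLE_WP_CRON` and trigger `wp cron event run --due-now` from a system cron instead. Clearing a field in the entry does not remove earlier copies held in database backups; the backup retention policy from Step 3 has to cover those.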

Automated Data Export with Secure Delivery

Configure Entry Automation to export data automatically in secure formats (CSV, Excel, JSON, PDF) and email it to authorized recipients or upload it to secure storage locations like Google Drive, Dropbox, or FTP servers. This ensures safe data transfer and limits manual handling of PHI.

Chain Multiple Automated Tasks

Link tasks such as export followed by deletion to create a workflow that keeps data handling tight and compliant, minimizing exposure to sensitive information.

Reduce Administrative Overhead

Automating these processes cuts down on manual errors and administrative delays, which enhances your organization’s overall security posture and compliance with HIPAA administrative safeguards.

Combine with Other Security Practices

For full HIPAA compliance, combine Entry Automation workflows with strong encryption, access controls, secure hosting, and audit logging.

Step 6. Establish required HIPAA documentation and BAAs

To establish the required HIPAA documentation and Business Associate Agreements (BAAs), follow these key steps:

Create and Maintain HIPAA Policies and Procedures

Develop comprehensive written policies and procedures addressing HIPAA privacy, security, breach notification, and administrative safeguards. These documents must be maintained, updated regularly, and accessible to all responsible employees.

Document Business Associate Agreements (BAAs)

Obtain signed BAAs with all vendors, service providers, and partners who have access to protected health information (PHI), including your web host, form providers like Gravity Forms integrations, cloud services, and any third-party software handling PHI. This legally binds them to HIPAA compliance obligations.

Document All HIPAA-Related Activities and Communications

Keep electronic or written records of all HIPAA-related processes, actions, risk assessments, employee training, privacy notices, sanctions, breach investigations, and compliance reviews. These records support demonstrating ongoing compliance.

Maintain Documentation for Minimum Required Retention Period

Retain all HIPAA-related documents and records for at least six years from the date of creation or when they were last in effect, per HIPAA requirements.

Document Employee Training and Access Controls

Record who received HIPAA training, when, and on what content. Also, document user access authorizations and restrictions concerning PHI handling to ensure accountability.

Document Incident Response and Breach Notifications

Keep detailed records of security incidents, breach investigations, notifications made to affected individuals or authorities, and corrective actions taken.

Document Notice of Privacy Practices and Patient Authorizations

Maintain copies of your organization’s Notice of Privacy Practices provided to patients and signed acknowledgments when applicable.

Step 7. Secure your Gravity Forms with our HIPAA compliance tools

Achieving HIPAA compliance in Gravity Forms can be a daunting task. There’s a lot to know about compliance and a long list of tasks you need to accomplish. With careful configuration and supplemental tools, Gravity Forms can help meet HIPAA requirements for handling PHI.

Advanced Permissions will help you lock down form data so only the users you choose have access. And when you need to securely purge data on a regular basis, Entry Automation is the easiest way.

With these add-ons and our step-by-step guide, you now have a solid plan for keeping patient data protected and making your forms HIPAA compliant.
