Frequently Asked Questions


Currently the HIPAA Forms plugins is only integrated with Caldera Forms & Gravity Forms.

Caldera Forms is our preferred form builder as it’s free and simple to use.  You can get Caldera Forms for free HERE.

Gravity Forms is a premium paid form builder plugin that can be purchased HERE No additional extensions are needed.

NOTE: When you designate a form as “HIPAA COMPLIANT” the submission process is overridden by our plugin.  Because of this any add-on’s or functionality that relies on the default submit process will not work.

The HIPAA FORMS plugin checks to ensure SSL (https) is enabled and being used.

Any forms set as HIPAA Compliant will be deactivated if the url does not start with https://.

If you’re unable to setup SSL with your current host or if your current host’s cost is too expensive consider a managed hosting (and optional WordPress maintenance package) from Code Monkeys. We automatically issue free SSL certificates to all of our hosting customers. CLICK HERE FOR DETAILS

You can subscribe to our free limited basic option (no credit card required) or purchase an unlimited standard subscription on a monthly, quarterly or annual subscription basis.

While the WordPress plugin is free to install and use, the HIPAA FORMS plugin relies on our API which requires a license key for either our free basic limited option or our unlimited standard paid option.

Forms can only be submitted and viewed from the domain you added to your HIPAA FORMS Service subscription account at the time of checkout.

When a request is made to the HIPAA FORMS Service API it does a check against your license key, domain and if a BAA agreement has been signed.  If any of those things are not valid the API request is denied and an error will be returned specifying what the issue is.

Only one license key and domain is allowed per subscription meaning you can NOT use the same license or domain on more than one website.

This is done as an additional security measure to ensure that even if a license key is stolen form data would not be accessible.

If you need to change the domain associated with your license key you can do so by logging in at, click on the “subscriptions” tab and then click on the subscription ID of the subscription you want to change the domain for.  You can also submit a support ticket or give us a call and we can change the domain for you.

A Business Associate Agreement (BAA) typically is required for companies that are subject to the Health Insurance Portability and Accountability Act (HIPAA) to ensure that protected health information (PHI) is appropriately safeguarded. Failure to manage data privacy risks with non-business associate vendors may lead to both violations of HIPAA and state privacy laws.

The BAA agreement is in place for your protection and forms can not be submitted or viewed until it is in place.

We also recommend that you have a BAA in place with your web designer if they work on the site as a 3rd party contractor.


Default WordPress emails get sent through your host’s domain which often times will be flagged as spam.

We highly recommend installing an email SMTP plugin for WordPress and using the SMTP settings for a legit email address. This will allow wordpress to send emails from the SMTP server instead of from your host.

The HIPAA Web Forms plugin is also compatible with the SendGrid plugin.

If you do NOT see the additional section at the bottom of the form with the HIPAA compliant badge then there is an issue somewhere and the form will NOT be disabled as it will not be HIPAA compliant. A common reason this might happen is if you do NOT have SSL (https://) enabled or if the user is viewing the http:// version of the page. We strongly recommend that you setup a redirect in your .htaccess file or by using a plugin to ensure all pages are served the https:// version of the page. If this is the case the form will be disabled and you should see a warning notice at the bottom of the form instead of the badge.

Another common reason you might not see this section is if your license key has expired. If this is the case you should see a warning notice at the bottom of the form and the form will be disabled. Reactivating your license key will solve the issue and your form will be enabled again.

A less common reason for this would be if another plugin is causing a Javascript/jQuery error or conflict.

Please don’t hesitate to contact us if you need help debugging any errors or experience issues with your forms.


The subscription cost is $55/mo or $600/yr for the API service and plugin, the file upload add-on option is $30/mo or $300/yr. No form data or files are stored on your hosting server so no other special hosting fees are needed.

We do offer an optional one-time setup and form build service if you don’t feel comfortable installing and setting up the plugin or need help creating a form but the majority of our subscribers don’t really need this as long as you can install a plugin and create a form with Caldera or Gravity.

A Business Associate Agreement (BAA) typically is required for companies that are subject to the Health Insurance Portability and Accountability Act (HIPAA) to ensure that protected health information (PHI) is appropriately safeguarded. Failure to manage data privacy risks with non-business associate vendors may lead to both violations of HIPAA and state privacy laws.

You will be unable to use the HIPAA FORMS Service until you have signed the BAA with Code Monkeys LLC (the developers of the service) and will receive a notice to do so within the “submitted forms” tab as well as in the settings tab until it has been signed.

We HIGHLY recommend that you have a BAA in place with your web designer as well if you use a 3rd party contractor for web design service.

Yes, in most cases we will sign your BAA in place of our default agreement.

You can email your signed BAA to us at spencer at We will review it and assuming everything looks good we will sign it and replace the BAA on file for your account.


This plugin is released under the GPL license and is open source allowing you to modify the plugin however we strongly recommend against attempting to modify the core functionality of the plugin. The plugin simply acts as an interface to the API service where most of the “under the hood” functionality lives however some functionality such as encryption prior to sending the form data to the API happens within the plugin. Breaking or disabling this encryption process could result in non-encrypted private protected sensitive health information being submitted which would be a HIPAA violation and may lead to both violations of HIPAA and state privacy laws.

While we recommend not modifying the core functionality of the plugin changing the CSS/Styles is totally fine and recommended.

You can also set custom form submission handlers from the HIPAA Forms form settings such as redirecting to another page or to fire a callback Javascript function.

We offer a secure HIPAA compliant file upload add-on option with unlimited uploads and unlimited storage to our service for an additional $30/mo or $300/yr. This option is not available with our basic free subscription.

With our file upload option enabled the basic file upload fields within Caldera or Gravity Forms are over-ridden by our plugin and the files are submitted directly from the browser to our secure encrypted file storage system when the form is submitted.

If files have been uploaded and attached to a submitted form you’ll be able to view those files from within the submitted form interface of the HIPAA Forms dashboard.

Secure generic pre-signed access URLs are generated when you load the submitted form that expire after 1 hour for greater security.

A part of the HIPAA guidelines is that access logs are kept each time someone has access to protected health information.

This allows you to look back through the logs to see who accessed the information during a specific time period in case you suspect a violation of policy or data breach.

This log data is saved in the HIPAA FORMS Service database to ensure the integrity of the data and may be shared with investigators if requested by authorities if a potential data breach or violation is suspected.

Beyond just logging when someone accesses the HIPAA Forms admin dashboard, we also log each time someone interacts with a specific form. This gives you a much more granular way of reviewing the history of a specific form in case of a potential breach or during a self-audit. This log includes the user’s name, ID, date/time and the event such as viewing, archiving, deleting or generating an encrypted PDF version of the form.

No, you only need to have a valid SSL certificate installed and setup (the URL in your address bar should start with https:// and your browser should indicate that the connection is secure).

The reason you do not need a special HIPAA Compliant hosting solution is because the form data is never actually stored on your hosting server.  Even though you build the actual forms on your website the actual for data is not saved on your website.  Instead when a person clicks on a HIPAA Compliant form’s submit button the form data is encrypted and sent through the HIPAA FORMS Service API where it is then stored on a HIPAA Compliant data storage solution where it remains encrypted.  Even when you log into your administrator dashboard with the appropriate credentials and user roles and view the submitted forms the data never actually rests on your hosting server, it is simply pulled from the HIPAA FORMS Service API then decrypted for viewing.

The only way the protected form data can leave the HIPAA FORMS Service is by clicking the “generate PDF” button next to a submitted form in which case you must provide a password which will then be used to access an encrypted and password protected PDF version of the form.  Once the PDF is created and you enter the password you can then print or save the PDF to your hard drive.  While the PDF is encrypted and password protected we HIGHLY recommend only downloading the PDF files to an encrypted hard drive.

If you would feel more comfortable hosting your website on a HIPAA Compliant hosting solution we do offer hosting options.

YES! The plugin allows you to add select fields to your forms to specify a specific clinic/office location which you can than filter by in the admin submitted forms view.

As of version 1.5.5 you can now also specify settings on a per-form basis to set what doctors/users can see specific forms. These new options include “everyone”, “specific users set from the settings” or “selected users set by a select field on a form”. Administrators can always see and manage all of the forms however non-admin users with the HIPAA user role will not be able to see forms that are set specifically for other doctors/users.

Administrators can also “reassign” selected users to another doctor/user just in case the patient selected the wrong person or if the patient is assigned a new doctor.

Probably not.

While we make it simple to build your forms using familiar form builders such as Caldera & Gravity Forms the actual submission process is taken over and handled by our plugin, even if you add a submit button within your form builder our plugin will remove it and replace it with our own if set as a HIPAA compliant form. Since the majority of add-ons for Caldera & Gravity rely on the default submission process within those form plugins most add-ons won’t work.

The default submission process is designed to email the form information or save the form data on your hosting server’s database. Neither of which are secure or HIPAA compliant and could result in hefty fines.

If you need functionality from an add-on one work around is to separate your forms as a “multi-step” form and set your first form to redirect to the other on submit. An example might be that you want to capture form data into a lead capture platform like MailChimp or Constant Contact, in this case you could just take the basic non-health information on the first form using your add-on and then redirect to the HIPAA compliant form to take the health information.

We now allow you to have 2 domains per subscriptions, you can change them at anytime in your HIPAA FORMS Service account.

The answer to this question depends on HOW you handle a staging version of the website.You are only able to submit and view forms from within the domain associated with your license key. If your staging version in under a subdomain of that domain you will be fine, the root domain is all that matters. However if your staging version is under a different domain you will only be able to use the service from staging OR live, not both at the same time.

If you are “pre-launch” we would recommend setting the domain on your HIPAA FORMS Service account to your staging server domain first. Then once you are ready to go live simply switch the domain to the live domain.

We understand that this can be frustrating to developers that do not have a staging version under the same root domain as we’re developers ourselves. We are exploring possible solutions to this for future releases to help with this issue.

We currently do not have the ability to export form data or logs to CSV or spreadsheet format however we are currently working on this and hope to have this option released soon.

If you need help or would feel more comfortable having someone from our team set the plugin up or even help build your forms we can definitely help.  We charge a one time $100 fee for setup which includes ONE form build.  Additional form builds will incur an additional charge.  You can purchase the setup package HERE


If you don’t have a web designer/developer currently or if you’re a web designer that needs some custom development help we would love to have a conversation to see if we might be a good fit.

We do however want to maintain a good relationship with other web designers and developers that recommend our service since they are paramount to our success.  In order to protect those relationships we may turn down requests that would have us replacing the current designer/developer without a very good reason.

Visit Code Monkeys LLC for more information on our web design and development services and to start the conversation.

What's Next?

  • Ability to export forms and logs to CSV
  • Ability to create a non-password protected PDF version of forms
    (Must check a box stating you understand this should only be done if you have an encrypted hard drive)
  • Design improvements including better mobile design/layout
  • Ability to have more than 1 drag ‘n draw signature on a form
  • Further integration with Caldera & Gravity Forms’ advanced fields

We’re just starting development on a brand new patient portal product that will integrate with our existing HIPAA Forms product.

Just like the HIPAA Forms plugin, our patient portal system will allow you to install a plugin on your WordPress website.

You patients will then be able to create a free account and log into your portal where they’ll be able to view their submitted forms, complete unfinished forms that have been saved, view messages/files/documents from you and will even allow real-time instant messaging between you and the patient.

You’ll also have the ability to accept and manage appointments from your website through our portal.

Looking farther into the future we’re also exploring the potential for adding a video “e-visit” platform into the portal as well.

While a patient portal is nothing new, the way we’re approaching this concept is.

First and foremost our portal system will be the ONLY HIPAA compliant turn-key patient portal system with a plugin interface built specifically for WordPress and focused on small to mid-sized healthcare providers. This means it will be simple to install & setup, simple for both you and you staff to use as well as your patients and most importantly it will be much more affordable than other solutions currently on the market.

We’re also taking a very unique approach to the patient side of the portal system. While traditional portals are closed systems that only give patients access to the specific healthcare provider that hosts the portal, our system allows the patient to view and manage all of their healthcare providers from one location.

The best way to think about it is as 2 separate stand-alone systems that integrate together. Once a patient registers a free account with us they’ll be able to log into their portal from our stand-alone system as well as from your portal on your website. You as a healthcare provider control and manage what information and communications you want the patient to access, and the patient controls what information and data that want you to access.

Now, let’s say the patient sees another healthcare provider totally unrelated to you. If that healthcare provider also uses our portal system they’ll be able to log into their portal with their same credentials and since much of their information is already stored within their account they can choose to share that information with the other healthcare provider with a simple click of a button. This will greatly simplify and speed up the new patient onboarding process. This doesn’t mean that they can share everything they have within your portal though, you’ll be able to specify what can be shared and what must remain private between only you and the patient.

But what if a patient goes to a healthcare provider that doesn’t use our portal system? Since the patient account stands on it’s own they’ll be able to give a healthcare provider access to their portal and still choose what information and communication they wish to share with that provider. Obviously they wouldn’t be able to schedule/manage appointments or any of the other things required by the provider-side portal but it will still add efficiency and simplification for both the patient and the provider.

But what about the relationship between the patient’s multiple healthcare providers? Wouldn’t it make sense if these multiple healthcare providers could connect with each other and communicate/collaborate within the same system and same interface? Maybe you’re a general family physician and they’re seeing a specialist for something, shouldn’t all 3 of you be connected and able to communicate and collaborate together in real time? We believe the answer is “yes” and our system will make this possible.

What we’re building will bridge the gaps that exist currently between patients and multiple healthcare providers whether you’re a hospital, dentist, a general physician, a specialist, a therapist, a pharmacist or an optometrist. It will enable you as a healthcare provider to get a more complete picture of a patient’s over-all healthcare more efficiently and empowering you to make better decisions more quickly as it relates to a patient’s care.

Our goal is to have an initial MVP (minimal viable product) released for our patient portal system by June 2019.