Frequently Asked Questions


Currently the HIPAA Forms plugins is only integrated with Caldera Forms & Gravity Forms.

Caldera Forms is our preferred form builder as it’s free and simple to use.  You can get Caldera Forms for free HERE.

Gravity Forms is a premium paid form builder plugin that can be purchased HERE No additional extensions are needed.

NOTE: When you designate a form as “HIPAA COMPLIANT” the submission process is overridden by our plugin.  Because of this any add-on’s or functionality that relies on the default submit process will not work.

The HIPAA FORMS plugin checks to ensure SSL (https) is enabled and being used.

Any forms set as HIPAA Compliant will be deactivated if the url does not start with https://.

If you’re unable to setup SSL with your current host or if your current host’s cost is too expensive consider a managed hosting (and optional WordPress maintenance package) from Code Monkeys. We automatically issue free SSL certificates to all of our hosting customers. CLICK HERE FOR DETAILS

You can subscribe to our free limited basic option (no credit card required) or purchase an unlimited standard subscription on a monthly, quarterly or annual subscription basis.

While the WordPress plugin is free to install and use, the HIPAA FORMS plugin relies on our API which requires a license key for either our free basic limited option or our unlimited standard paid option.

Forms can only be submitted and viewed from the domain you added to your HIPAA FORMS Service subscription account at the time of checkout.

When a request is made to the HIPAA FORMS Service API it does a check against your license key, domain and if a BAA agreement has been signed.  If any of those things are not valid the API request is denied and an error will be returned specifying what the issue is.

Only one license key and domain is allowed per subscription meaning you can NOT use the same license or domain on more than one website.

This is done as an additional security measure to ensure that even if a license key is stolen form data would not be accessible.

If you need to change the domain associated with your license key you can do so by logging in at, click on the “subscriptions” tab and then click on the subscription ID of the subscription you want to change the domain for.  You can also submit a support ticket or give us a call and we can change the domain for you.

A Business Associate Agreement (BAA) typically is required for companies that are subject to the Health Insurance Portability and Accountability Act (HIPAA) to ensure that protected health information (PHI) is appropriately safeguarded. Failure to manage data privacy risks with non-business associate vendors may lead to both violations of HIPAA and state privacy laws.

The BAA agreement is in place for your protection and forms can not be submitted or viewed until it is in place.

We also recommend that you have a BAA in place with your web designer if they work on the site as a 3rd party contractor.


Default WordPress emails get sent through your host’s domain which often times will be flagged as spam.

We highly recommend installing an email SMTP plugin for WordPress and using the SMTP settings for a legit email address. This will allow wordpress to send emails from the SMTP server instead of from your host.

The HIPAA Web Forms plugin is also compatible with the SendGrid plugin.

If you do NOT see the additional section at the bottom of the form with the HIPAA compliant badge then there is an issue somewhere and the form will NOT be disabled as it will not be HIPAA compliant. A common reason this might happen is if you do NOT have SSL (https://) enabled or if the user is viewing the http:// version of the page. We strongly recommend that you setup a redirect in your .htaccess file or by using a plugin to ensure all pages are served the https:// version of the page. If this is the case the form will be disabled and you should see a warning notice at the bottom of the form instead of the badge.

Another common reason you might not see this section is if your license key has expired. If this is the case you should see a warning notice at the bottom of the form and the form will be disabled. Reactivating your license key will solve the issue and your form will be enabled again.

A less common reason for this would be if another plugin is causing a Javascript/jQuery error or conflict.

Please don’t hesitate to contact us if you need help debugging any errors or experience issues with your forms.


The subscription cost is $55 per month for the service and plugin, that’s it, no other special hosting fees or anything like that.

We do offer an optional one-time setup and form build service if you don’t feel comfortable installing and setting up the plugin or need help creating a form but the majority of our subscribers don’t really need this as long as you can install a plugin and create a form with Caldera or Gravity.

A Business Associate Agreement (BAA) typically is required for companies that are subject to the Health Insurance Portability and Accountability Act (HIPAA) to ensure that protected health information (PHI) is appropriately safeguarded. Failure to manage data privacy risks with non-business associate vendors may lead to both violations of HIPAA and state privacy laws.

You will be unable to use the HIPAA FORMS Service until you have signed the BAA with Code Monkeys LLC (the developers of the service) and will receive a notice to do so within the “submitted forms” tab as well as in the settings tab until it has been signed.

We HIGHLY recommend that you have a BAA in place with your web designer as well if you use a 3rd party contractor for web design service.


This plugin is released under the GPL license and is open source allowing you to modify the plugin however we strongly recommend against attempting to modify the core functionality of the plugin. The plugin simply acts as an interface to the API service where most of the “under the hood” functionality lives however some functionality such as encryption prior to sending the form data to the API happens within the plugin. Breaking or disabling this encryption process could result in non-encrypted private protected sensitive health information being submitted which would be a HIPAA violation and may lead to both violations of HIPAA and state privacy laws.

While we recommend not modifying the core functionality of the plugin changing the CSS/Styles is totally fine and recommended.

We do not currently support the ability to submit files however we are currently working on a secured solution for this.  We hope to have a file upload option rolled out later this year (2018).

A part of the HIPAA guidelines is that access logs are kept each time someone has access to protected health information.

This allows you to look back through the logs to see who accessed the information during a specific time period in case you suspect a violation of policy or data breach.

This log data is saved in the HIPAA FORMS Service database to ensure the integrity of the data and may be shared with investigators if requested by authorities if a potential data breach or violation is suspected.

No, you only need to have a valid SSL certificate installed and setup (the URL in your address bar should start with https:// and your browser should indicate that the connection is secure).

The reason you do not need a special HIPAA Compliant hosting solution is because the form data is never actually stored on your hosting server.  Even though you build the actual forms on your website the actual for data is not saved on your website.  Instead when a person clicks on a HIPAA Compliant form’s submit button the form data is encrypted and sent through the HIPAA FORMS Service API where it is then stored on a HIPAA Compliant data storage solution where it remains encrypted.  Even when you log into your administrator dashboard with the appropriate credentials and user roles and view the submitted forms the data never actually rests on your hosting server, it is simply pulled from the HIPAA FORMS Service API then decrypted for viewing.

The only way the protected form data can leave the HIPAA FORMS Service is by clicking the “generate PDF” button next to a submitted form in which case you must provide a password which will then be used to access an encrypted and password protected PDF version of the form.  Once the PDF is created and you enter the password you can then print or save the PDF to your hard drive.  While the PDF is encrypted and password protected we HIGHLY recommend only downloading the PDF files to an encrypted hard drive.

If you would feel more comfortable hosting your website on a HIPAA Compliant hosting solution we do offer hosting options.

YES! The plugin allows you to add select fields to your forms to specify a specific clinic/office location which you can than filter by in the admin submitted forms view.

As of version 1.5.5 you can now also specify settings on a per-form basis to set what doctors/users can see specific forms. These new options include “everyone”, “specific users set from the settings” or “selected users set by a select field on a form”. Administrators can always see and manage all of the forms however non-admin users with the HIPAA user role will not be able to see forms that are set specifically for other doctors/users.

Administrators can also “reassign” selected users to another doctor/user just in case the patient selected the wrong person or if the patient is assigned a new doctor.

Probably not.

While we make it simple to build your forms using familiar form builders such as Caldera & Gravity Forms the actual submission process is taken over and handled by our plugin, even if you add a submit button within your form builder our plugin will remove it and replace it with our own if set as a HIPAA compliant form. Since the majority of add-ons for Caldera & Gravity rely on the default submission process within those form plugins most add-ons won’t work.

The default submission process is designed to email the form information or save the form data on your hosting server’s database. Neither of which are secure or HIPAA compliant and could result in hefty fines.

If you need functionality from an add-on one work around is to separate your forms as a “multi-step” form and set your first form to redirect to the other on submit. An example might be that you want to capture form data into a lead capture platform like MailChimp or Constant Contact, in this case you could just take the basic non-health information on the first form using your add-on and then redirect to the HIPAA compliant form to take the health information.

We now allow you to have 2 domains per subscriptions, you can change them at anytime in your HIPAA FORMS Service account.

The answer to this question depends on HOW you handle a staging version of the website.You are only able to submit and view forms from within the domain associated with your license key. If your staging version in under a subdomain of that domain you will be fine, the root domain is all that matters. However if your staging version is under a different domain you will only be able to use the service from staging OR live, not both at the same time.

If you are “pre-launch” we would recommend setting the domain on your HIPAA FORMS Service account to your staging server domain first. Then once you are ready to go live simply switch the domain to the live domain.

We understand that this can be frustrating to developers that do not have a staging version under the same root domain as we’re developers ourselves. We are exploring possible solutions to this for future releases to help with this issue.

If you need help or would feel more comfortable having someone from our team set the plugin up or even help build your forms we can definitely help.  We charge a one time $100 fee for setup which includes ONE form build.  Additional form builds will incur an additional charge.  You can purchase the setup package HERE


If you don’t have a web designer/developer currently or if you’re a web designer that needs some custom development help we would love to have a conversation to see if we might be a good fit.

We do however want to maintain a good relationship with other web designers and developers that recommend our service since they are paramount to our success.  In order to protect those relationships we may turn down requests that would have us replacing the current designer/developer without a very good reason.

Visit Code Monkeys LLC for more information on our web design and development services and to start the conversation.