Gravity Forms, a widely used WordPress plug-in for building online forms, states that it can be used in a HIPAA-compliant way, but it does not ship pre-configured for HIPAA compliance. Instead, it provides building blocks from which forms that meet HIPAA requirements can be assembled, provided the site owner configures the site and its hosting appropriately and puts the required administrative and technical safeguards in place.
According to Gravity Forms, data collected through the plug-in is stored in tables within the site's own WordPress database (the wp_gf_* tables), which lives wherever the site owner's chosen hosting provider runs it. Gravity Forms relies on the existing WordPress database layer rather than on a separate storage service of its own, so submitted data never leaves the site owner's environment. The flip side is that the security of that data is exactly the security of the hosting environment: access controls, backups, database encryption and logging are the host's and the site owner's responsibility, not the plug-in's.
Keep in mind that Gravity Forms states, “By default, [t]he data collected by Gravity Forms is not encrypted during storage. If required, encryption of data at rest would need to be provided by an add-on or the custom code.” In practice this means a copy of the database (a backup, a dump taken through a compromised hosting account, or a SQL injection flaw elsewhere on the site) exposes every submitted field in plaintext unless you add that protection yourself. Separately, because Gravity Forms has stated that it does not host or store collected form data on your behalf and that it does not sign Business Associate Agreements, the BAA that HIPAA requires has to come from your web host or whichever data services provider actually stores the entries. Application-level encryption does not replace that agreement; it only narrows what an attacker gets from the stored data.
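As an added illustration of the “custom code” route mentioned above (this is example code, not Gravity Forms' own, and not a product of the quoted documentation), the snippet below hooks the plug-in's gform_save_field_value and gform_get_input_value filters so that selected fields are encrypted with PHP's bundled libsodium before they reach the database and decrypted when an entry is read back. The form ID, the field IDs, the GF_PHI_KEY constant in wp-config.php and the enc:v1: prefix are assumptions chosen for the example.

```php
<?php
/**
 * Added example, not Gravity Forms' own code: encrypt selected field values
 * before Gravity Forms writes them to the entry meta table, and decrypt them
 * when the entry is read back. Uses sodium_crypto_secretbox (PHP >= 7.2).
 * Form/field IDs, the key constant and the prefix are assumptions.
 */

// Assumption: a 32-byte key generated once with sodium_crypto_secretbox_keygen()
// and stored base64-encoded in wp-config.php, never in the database:
//   define( 'GF_PHI_KEY', 'base64-of-32-random-bytes' );
const GF_PHI_PREFIX = 'enc:v1:';   // marks ciphertext so legacy plaintext rows still read

// Assumption: form 3, fields 5 (diagnosis) and 7 (insurance ID) hold PHI.
function gf_phi_fields() {
    return array( 3 => array( 5, 7 ) );
}

function gf_phi_key() {
    if ( ! defined( 'GF_PHI_KEY' ) ) {
        return null;
    }
    $key = base64_decode( GF_PHI_KEY, true );
    return ( $key !== false && strlen( $key ) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES ) ? $key : null;
}

function gf_phi_is_target( $form_id, $field_id ) {
    $map = gf_phi_fields();
    return isset( $map[ (int) $form_id ] ) && in_array( (int) $field_id, $map[ (int) $form_id ], true );
}

function gf_phi_encrypt( $plaintext, $key ) {
    $nonce  = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );   // fresh nonce per value
    $cipher = sodium_crypto_secretbox( $plaintext, $nonce, $key );   // XSalsa20-Poly1305, authenticated
    return GF_PHI_PREFIX . base64_encode( $nonce . $cipher );
}

function gf_phi_decrypt( $stored, $key ) {
    if ( strpos( $stored, GF_PHI_PREFIX ) !== 0 ) {
        return $stored;   // entry saved before encryption was enabled; leave as-is
    }
    $raw = base64_decode( substr( $stored, strlen( GF_PHI_PREFIX ) ), true );
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ( $raw === false || strlen( $raw ) < $min ) {
        return '';        // malformed blob: fail closed instead of echoing it back
    }
    $nonce  = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $cipher = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain  = sodium_crypto_secretbox_open( $cipher, $nonce, $key );
    return ( $plain === false ) ? '' : $plain;   // false = tampered ciphertext or wrong key
}

// Runs as Gravity Forms prepares each field value for storage.
add_filter( 'gform_save_field_value', function ( $value, $entry, $field, $form, $input_id ) {
    $key = gf_phi_key();
    if ( $key === null || ! is_string( $value ) || $value === '' || ! gf_phi_is_target( $form['id'], $field->id ) ) {
        return $value;
    }
    return gf_phi_encrypt( $value, $key );
}, 10, 5 );

// Runs as Gravity Forms reads a field value out of a stored entry.
add_filter( 'gform_get_input_value', function ( $value, $entry, $field, $input_id ) {
    $key = gf_phi_key();
    if ( $key === null || ! is_string( $value ) || ! gf_phi_is_target( $entry['form_id'], $field->id ) ) {
        return $value;
    }
    return gf_phi_decrypt( $value, $key );
}, 10, 4 );
```

A few caveats a practitioner should weigh before relying on this. The key sits in wp-config.php on the same host as the database, so it protects against a leaked database dump or backup, not against an attacker who already has file access to the web server. Encrypted fields can no longer be searched, sorted or used in conditional logic from the entries screen, because the database only holds ciphertext. Notifications and exports still see plaintext, since the read filter decrypts for them, so e-mail transport and export handling remain separate concerns. Rotating the key means re-encrypting existing entries, which is why the ciphertext carries a version prefix. And none of this changes the BAA obligation discussed above.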