How to Handle Sensitive Information on Intake Forms
Every intake form collects at least some information that could hurt somebody if it ended up in the wrong hands. A Social Security number. A list of medications. A disclosure about domestic violence. The details of a bankruptcy filing. A child’s date of birth and school address.
We have a separate guide on data privacy law that covers the legal requirements — HIPAA, state breach notification statutes, the regulatory side of things. This post is different. This is the practical version. How do you actually handle sensitive information day to day, in your office, with your staff, using the forms your clients fill out? Because knowing you are required to protect data and knowing how to protect it are two very different things.
What counts as sensitive information (and why the list is longer than you think)
Most people think of sensitive data as the obvious identifiers — Social Security numbers, credit card numbers, dates of birth. And those are on the list. But if you run a practice that handles intake forms, you are collecting information that goes well beyond financial identifiers.
Here is what qualifies as sensitive on a typical intake form, organized by the kind of damage it could cause if mishandled:
- Identity theft targets: Social Security number, date of birth, driver’s license number, passport number, financial account numbers. These are the obvious ones. One stolen SSN can take a person years to recover from.
- Medical information: Diagnoses, medications, treatment history, mental health conditions, substance use, HIV/STI status, pregnancy. This applies to healthcare providers, obviously, but also to family law attorneys collecting mental health history, criminal defense attorneys documenting substance use, and personal injury firms gathering medical records. Massage therapy and bodywork intake is another area where the sensitivity bar is especially high — practitioners routinely screen for contraindications, injury history, areas of pain, and pregnancy status, all of which require the same level of protection as clinical medical records.
- Financial information: Income, debts, assets, tax returns, credit scores, bankruptcy history. Bankruptcy and family law intake forms routinely collect a full financial picture that would be devastating in the wrong hands.
- Immigration status: Visa type, country of origin, asylum claims, deportation history. An immigration intake form is one of the most sensitive documents in any law practice. A breach could literally endanger someone’s life.
- Domestic violence and abuse disclosures: Current or past abuse, protective orders, safe addresses, shelter locations. This information showing up in the wrong place — including on a shared insurance statement — can put someone in physical danger.
- Criminal history: Arrests, convictions, pending charges, probation/parole status. This carries employment and housing consequences that last decades.
- Children’s information: Names, ages, schools, custody arrangements, medical conditions. Any information about minors carries heightened obligations under both federal law and basic professional ethics.
The point is not to scare you. The point is that if you are running intake forms through your office, you are almost certainly handling multiple categories of sensitive data, and you need to treat the entire intake workflow accordingly — not just the fields where someone types in a nine-digit number.
The first question: do you actually need it?
The single most effective way to protect sensitive information is to not collect it in the first place.
That sounds obvious, but it is surprising how many intake forms ask for data that the practice never uses. The most common offender is the Social Security number. Ask yourself: why do you need it? If you are a healthcare provider billing insurance, you need it. If you are a bankruptcy attorney filing a petition, you need it. If you are running a credit check as part of a financial service, you need it.
But if you are a dental practice that bills through insurance ID numbers (which are usually not SSNs anymore), you probably do not need a full Social Security number on your intake form. If you are a therapist in private practice who does not bill insurance, you almost certainly do not need it. If you are a contractor or home services provider, you have no reason to collect it at all.
Go through every field on your intake form and ask: what do we do with this? If the answer is “nothing, it’s just there because the template included it,” remove it. Every piece of sensitive data you collect is a piece of sensitive data you have to protect, store, control access to, and eventually destroy. If you do not need it for a specific operational or legal purpose, do not ask for it.
For the data you do need, consider whether you need the full version. A date of birth can often be collected as month and year without the day. The last four digits of an SSN are sufficient for most verification purposes. A medication list does not always need dosages. Collect the minimum necessary for the task at hand.
Handling sensitive answers during in-person intake
Digital security gets all the attention, but the most common way sensitive information leaks from an intake form is far less technical: someone says it out loud in a place where other people can hear.
This happens constantly. A receptionist calls across the waiting room: “Mrs. Rodriguez, you left the medications section blank — are you on any psychiatric medications?” A dental assistant reviews an intake form at the front desk, within earshot of three other patients, and asks about the pregnancy checkbox. An attorney’s paralegal calls a client’s cell phone to follow up on an intake form and leaves a voicemail that mentions the nature of the legal matter — which the client’s spouse then hears.
Practical rules for in-person intake handling:
- Never discuss sensitive form answers in a shared space. If you need to follow up on a medical history question, a financial disclosure, or anything involving a diagnosis, legal matter, or family situation, do it in a private room or by phone. Never at the front desk, never in a hallway, never in a waiting room.
- Use a private intake room for form completion. If your clients fill out paper forms on-site, give them a clipboard and a private space. Not a chair next to the reception desk where the person beside them can glance at their answers. A separate room, even if it is small, communicates that you take their privacy seriously and gives them the space to answer honestly.
- Train staff on what not to say out loud. Your front desk should never announce the nature of an appointment, ask about medications or diagnoses in a public area, or reference the specifics of someone’s case where others can hear. Our staff training guide for intake forms covers this in detail, but the core rule is simple: if the information is on the form because it is sensitive, it should not be leaving anyone’s mouth in a public space.
- Be careful with phone follow-ups. When you call a client to clarify something on their intake form, you do not know who is in the room with them. Start with “Is this a good time to discuss your intake paperwork?” before diving into questions about their criminal history or psychiatric medications. If you leave a voicemail, keep it generic: “We have a couple of follow-up questions about your intake form. Please call us back at your convenience.” Do not leave a voicemail that says “We need to discuss the domestic violence section of your intake form.”
Language barriers add another layer of difficulty to all of this. When a client cannot fully express themselves in English — or when staff cannot confirm they understood a sensitive disclosure correctly — the risk of miscommunication around private information goes up significantly. If your practice serves multilingual clients, our guide on intake forms for bilingual and multilingual clients covers how to handle translation, interpreter protocols, and form design so that language gaps do not become privacy gaps.
Secure storage: paper and digital
Once the form is filled out, it needs to go somewhere safe. The specifics depend on whether you are working with paper forms, digital PDFs, or both, but the principles are the same: limit access, lock it down, and know where everything is.
Paper forms
- Locked filing cabinets. Not a desk drawer. Not a filing cabinet that happens to have a lock that nobody uses. A locked cabinet, in a room that is itself locked or access-controlled when unattended. Intake forms should never sit in an open tray on someone’s desk overnight.
- No intake forms left on printers, copiers, or fax machines. This is the most common paper-based data breach in small practices. Someone prints a copy of an intake form, gets distracted, and it sits on the printer tray for three hours where anyone walking by can read it. If you print intake forms, walk to the printer immediately. Better yet, use a pull-print system where the document does not print until you badge in at the machine.
- Shred, do not trash. When paper forms reach the end of their retention period, they go through a cross-cut shredder, not into a recycling bin. Use a shredding service if volume warrants it, but verify their certificate of destruction.
Digital forms and PDFs
- Password-protected PDFs. Every completed intake form stored digitally should be in a password-protected file. This is not about preventing a sophisticated hack — it is about ensuring that if a laptop is stolen, a USB drive is lost, or someone accidentally emails the wrong attachment, the file does not open on the other end without credentials.
- Encrypted drives. Full-disk encryption on every computer and external drive that stores intake data. This is a one-time setup that protects everything on the machine. BitLocker on Windows, FileVault on Mac — both are built in and free. If you are not using them, turn them on today.
- Cloud storage with access controls. If your intake forms live in Dropbox, Google Drive, OneDrive, or a practice management system, make sure the folder permissions are set so that only the people who need access have it. Do not store intake forms in a shared folder that the entire office can browse. Create a subfolder with restricted permissions for completed intake documents.
- No intake forms in email. Email is not a secure storage system. If a client emails you a completed intake form, download it to your secure storage, confirm receipt, and delete the email. Do not leave completed intake forms sitting in your inbox or sent folder for years.
Who on your staff should have access
Not everyone in your office needs to see every intake form. The principle is called “minimum necessary access” and it is simpler than it sounds: each person gets access to the information they need to do their job, and nothing more.
In a typical small practice, that looks like this:
- Front desk / reception: Needs to verify that the form is complete. Does not need to read the substance of medical history, financial disclosures, or case details. Train them to check for blank fields without reading the content.
- The professional handling the matter: Full access. The attorney, doctor, therapist, or contractor who will be working with this client needs the complete form.
- Billing / insurance staff: Needs the insurance and financial sections. Does not need the clinical or legal substance sections.
- IT / administrative: Needs access to maintain the storage systems. Should not be reading the content of individual forms unless troubleshooting a specific technical issue.
In a larger office, this maps to role-based access controls in your practice management software. In a small office, it means having a conversation with your team about what they should and should not be reading, and setting up your filing system — physical or digital — so that the structure itself limits casual access.
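As an added illustration (not code from the original post), here is one way to encode the role split above so that the filing structure itself enforces "minimum necessary": the front desk gets a completeness report that never exposes values, billing sees only its sections, and the handling professional sees everything. The role names follow the post; the record layout, field names and the rule that non-professional roles see only the last four SSN digits are assumptions for the example.

```python
# Added example, not from the original post. The roles follow the post's list;
# the record layout, field names and SSN masking rule are constructed for illustration.
from copy import deepcopy

# Sections each role may read in full. Anything not listed is hidden from that role.
ROLE_SECTIONS = {
    "professional": {"identity", "contact", "medical", "financial", "insurance", "matter"},
    "billing": {"identity", "contact", "insurance", "financial"},
    "front_desk": set(),  # completeness check only, never the content
    "it": set(),          # maintains the storage system, reads no content by default
}

# Constructed sample record; every value is fictional.
INTAKE = {
    "identity":  {"name": "Jane Example", "dob": "1985-04-12", "ssn": "123-45-6789"},
    "contact":   {"phone": "555-0100", "address": "1 Example St", "safe_contact": "555-0199"},
    "medical":   {"medications": "sertraline 50mg", "diagnoses": "anxiety", "pregnancy": ""},
    "financial": {"income": "42000", "debts": "18000"},
    "insurance": {"insurer": "ExampleCare", "member_id": "EC-0001"},
    "matter":    {"type": "family law", "notes": "spouse has been physically abusive"},
}

def completeness_report(record):
    """Front-desk view: the names of blank fields per section, never the values."""
    return {section: [name for name, value in fields.items() if not str(value).strip()]
            for section, fields in record.items()}

def view_for_role(record, role):
    """Copy of the record restricted to the sections the role may read.
    Roles other than the handling professional see only the last four SSN digits."""
    allowed = ROLE_SECTIONS[role]  # KeyError for an unknown role is deliberate
    view = {s: deepcopy(f) for s, f in record.items() if s in allowed}
    ssn = view.get("identity", {}).get("ssn")
    if role != "professional" and ssn:
        view["identity"]["ssn"] = "***-**-" + ssn[-4:]
    return view

if __name__ == "__main__":
    print(completeness_report(INTAKE))       # blank-field names only, e.g. medical: pregnancy
    print(view_for_role(INTAKE, "billing"))  # no medical or matter sections, SSN masked
```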
When a client discloses something unexpected
Sometimes the most sensitive thing on an intake form is something the client was not even asked about. They write it in a margin. They mention it in the “anything else we should know” field. They say it during the intake interview and you realize the form did not have a place for it.
The two most important categories here are disclosures that trigger mandatory reporting obligations.
Domestic violence
A client filling out a family law intake form discloses that their spouse has been physically abusive. This changes the entire trajectory of the case — protective orders, safety planning, custody implications — but it also requires immediate practical steps. Does the client have a safe place to go? Is the abuser likely to find out about this consultation? Is the contact information on the form a phone number or address that the abuser has access to?
If your intake form collects a home address and phone number, and the client is fleeing domestic violence, that address might be the one place they do not want documented. Ask whether the contact information on the form is safe for correspondence. Some practices use a “safe contact” field specifically for this purpose — a separate phone number or email that only the client monitors.
Child abuse or neglect
In every U.S. state, certain professionals are mandatory reporters — they are required by law to report suspected child abuse or neglect to child protective services. The list of mandatory reporters varies by state but almost always includes healthcare providers, therapists, social workers, and teachers. In some states, attorneys are mandatory reporters; in others, the attorney-client privilege creates an exception.
If a client discloses information on an intake form that suggests a child is being abused or neglected — directly or indirectly — you need to know your state’s mandatory reporting law before that form hits your desk. This is not a “we will look into it later” situation. In most states, the reporting obligation kicks in as soon as you have reasonable suspicion, and the timeline for reporting is measured in hours, not days.
What this means for your intake process:
- Know your obligations before the form exists. Are you a mandatory reporter in your state? For what? Under what circumstances does the attorney-client privilege or doctor-patient privilege apply, and when does it not? This is a question for your own legal counsel, not a blog post, but you need the answer before you design your intake form.
- Have a protocol. If an intake form contains a disclosure that may trigger reporting, who on your team handles it? What is the reporting process? How do you document the disclosure and your response? Work this out before it happens, not in the moment.
- Inform the client. Many professionals include a brief statement in their intake materials explaining the limits of confidentiality, including mandatory reporting. This is not about discouraging disclosure — it is about informed consent. The client should know before they write something on a form that certain disclosures may require you to involve outside agencies.
Redaction before sharing
At some point, someone outside your office is going to need information from an intake form. An attorney needs to share medical history with an expert witness. A therapist needs to send treatment notes to a referring physician. A contractor needs to share project details with a subcontractor or permit office.
Before any intake form leaves your possession — physically or digitally — review it for information the recipient does not need.
- Social Security numbers: Almost never needed by third parties who are not processing insurance claims or tax documents. Redact them.
- Full dates of birth: Usually the year or “over/under 18” is sufficient for third-party purposes. Redact the full date unless specifically required.
- Financial details: A subcontractor does not need to see your client’s income or assets. A consulting expert does not need to see account numbers. Share only the sections relevant to their role.
- Unrelated medical history: If you are sending a medical intake form to a specialist for a knee injury referral, the specialist needs the orthopedic history, not the psychiatric medication list. Redact what is not relevant.
- Domestic violence and safety information: Never share safe contact details, shelter addresses, or protective order information with anyone who does not have an operational need for it and a legal obligation to protect it.
For paper forms, use proper redaction tape (not a marker — marker can be read through with a light or a scanner). For digital PDFs, use a redaction tool that actually removes the underlying data, not one that just draws a black box over it. A black box in a PDF can often be selected, copied, and pasted to reveal the text underneath. Adobe Acrobat’s redaction tool permanently removes the content. Free PDF readers that draw rectangles do not.
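To make the "black box" failure concrete, here is an added example (not from the post or any particular product): two tiny PDFs are built from scratch, one with a black rectangle drawn over a fictional SSN and one with the text itself replaced, and a check pulls the drawn strings out of the content streams. Running the same check on a PDF before it is sent shows whether the sensitive text is really gone. The file builder and the SSN pattern are assumptions for the demonstration; the extractor handles only simple Tj strings, not every PDF encoding.

```python
# Added example, not from the original post. Both PDFs are built here from
# scratch and the SSN is fictional; the extractor is a demonstration, not a parser.
import re
import zlib

def make_pdf(content_stream: bytes) -> bytes:
    """Minimal single-page PDF whose page content is the given stream, Flate-compressed."""
    data = zlib.compress(content_stream)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >>",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data) + data + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)

SHOW_SSN = b"BT /F1 12 Tf 72 700 Td (SSN: 123-45-6789) Tj ET\n"
BLACK_BOX = b"0 g 70 695 130 16 re f\n"  # filled black rectangle painted on top of the text

# "Redacted" by drawing a box over it: the text operator is still in the file.
COVERED_PDF = make_pdf(SHOW_SSN + BLACK_BOX)
# Actually redacted: the text itself was replaced before the file leaves the office.
REDACTED_PDF = make_pdf(b"BT /F1 12 Tf 72 700 Td (SSN: [REDACTED]) Tj ET\n")

def extract_strings(pdf: bytes) -> list:
    """Every literal string drawn with Tj in any content stream, inflating FlateDecode."""
    found = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", pdf, re.S):
        raw = m.group(1)
        try:
            raw = zlib.decompressobj().decompress(raw)  # tolerates the trailing newline
        except zlib.error:
            pass  # stream is not compressed; scan it as-is
        found += [s.decode("latin-1") for s in re.findall(rb"\((.*?)\)\s*Tj", raw)]
    return found

SSN_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"

def still_contains(pdf: bytes, pattern: str = SSN_PATTERN) -> bool:
    """Pre-share check: True if any drawn string still matches the sensitive pattern."""
    rx = re.compile(pattern)
    return any(rx.search(s) for s in extract_strings(pdf))

if __name__ == "__main__":
    print("black box only:", still_contains(COVERED_PDF))   # True
    print("text removed:  ", still_contains(REDACTED_PDF))  # False
```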
Retention and destruction
Sensitive information does not become less sensitive over time. An intake form sitting in your filing cabinet from 2019 contains the same SSN, the same medical history, and the same domestic violence disclosure it did when it was filled out. The question is: how long do you need to keep it?
Retention periods vary by profession, state, and the type of information:
- Medical records: Most states require 7–10 years from the last date of service, longer for minors (typically until the minor turns 18 plus the standard retention period).
- Legal files: State bar rules vary, but a common standard is 7 years after the matter closes. Some categories (real estate, estate planning) may warrant longer retention.
- Tax-related documents: 7 years from the date the return was filed, per IRS guidelines.
- General business records: Varies, but 3–7 years is typical unless a specific regulation applies.
When the retention period expires, destroy the records. Not “move them to the basement.” Not “transfer them to an old hard drive in the closet.” Destroy them. Cross-cut shredding for paper. Secure deletion software for digital files (not dragging to the recycle bin, which only hides the file; the data stays on the disk until it is overwritten). Certificate of destruction from a third-party service if you want documentation that the destruction actually happened.
Build a destruction schedule. Once a year, review your retained intake forms and destroy the ones that have passed their retention window. This is not optional housekeeping — holding sensitive data longer than necessary increases your liability exposure with zero benefit. If you do not need it anymore, get rid of it.
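An added example (not from the original post) of the yearly review described above: it computes the earliest destruction date for each record from the retention periods listed, applies the minor rule (18th birthday plus the standard period) to medical records, and splits a constructed set of records into destroy and keep. Using the longer end of each range, and treating the last date of service or matter close as the trigger date, are assumptions for the example; the rules for your profession and state decide the real numbers.

```python
# Added example, not from the original post. Periods are the longer end of the
# ranges the post lists; record layout and sample dates are constructed.
from datetime import date

RETENTION_YEARS = {"medical": 10, "legal": 7, "tax": 7, "business": 7}

def add_years(d, years):
    """Same month and day `years` later; a Feb 29 start rolls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def destroy_after(record):
    """Earliest date the record may be destroyed.
    record: {"id", "kind", "trigger": date of last service / matter close,
             optional "dob": date, used for the minor rule on medical records}."""
    start = record["trigger"]
    if record["kind"] == "medical" and record.get("dob"):
        # Minor: the clock starts at the 18th birthday when that is later.
        start = max(start, add_years(record["dob"], 18))
    return add_years(start, RETENTION_YEARS[record["kind"]])

def review(records, today):
    """Split record ids into those due for destruction and those to keep."""
    due, keep = [], []
    for r in records:
        (due if destroy_after(r) <= today else keep).append(r["id"])
    return due, keep

# Constructed sample set.
SAMPLE = [
    {"id": "A", "kind": "medical", "trigger": date(2014, 3, 1)},
    {"id": "B", "kind": "medical", "trigger": date(2014, 3, 1), "dob": date(2010, 6, 15)},
    {"id": "C", "kind": "legal", "trigger": date(2016, 12, 31)},
    {"id": "D", "kind": "tax", "trigger": date(2019, 4, 15)},
    {"id": "E", "kind": "business", "trigger": date(2016, 2, 29)},
]

if __name__ == "__main__":
    due, keep = review(SAMPLE, date(2025, 1, 1))
    print("destroy:", due)  # ['A', 'C', 'E']
    print("keep:", keep)    # ['B', 'D']
```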
Putting it all together
Handling sensitive information on intake forms comes down to five practices that are not complicated but do require deliberate attention:
- Collect only what you need. Remove fields that do not serve a specific purpose. Collect the minimum version of each data point that serves your operational need.
- Protect it in the moment. Private rooms for intake, no sensitive discussions in shared spaces, careful phone follow-ups. The biggest leak risk is human, not technical.
- Lock it down in storage. Locked cabinets, encrypted drives, password-protected files, access limited to the people who actually need it.
- Redact before sharing. Every time an intake form leaves your possession, strip out what the recipient does not need.
- Destroy it when you are done. Set retention periods, follow them, and securely destroy records on schedule.
None of this is exotic or expensive. It is just discipline applied consistently. The practices that get in trouble with sensitive information are rarely the ones that got hacked by a sophisticated attacker — they are the ones that left an intake form on a printer, stored ten years of client files on an unencrypted laptop that got stolen from a car, or discussed a patient’s diagnosis in a waiting room because it was faster than walking to the back office.
Your intake forms are the front door of your client relationship. They also hold some of the most sensitive information your practice will ever touch. A good HIPAA-compliant intake process and solid data privacy practices are not just legal checkboxes — they are how you earn the trust that makes someone comfortable handing you their Social Security number, their medical history, or their worst secrets in the first place. And knowing how to spot red flags in client answers is part of the same diligence — paying attention to what your forms tell you, not just filing them away.
Handle that trust carefully. It is the foundation everything else is built on.