Intake Forms and Data Privacy: What Small Businesses Need to Know
Think about the last intake form you handed a client. What did it ask for? Name, address, phone number. Maybe a date of birth. Insurance information. Social Security number. Medical history. Children's names and ages. Financial account details. Employment records.
Now think about where that completed form ended up. A filing cabinet in your front office? A shared Google Drive folder? An email attachment sitting in your inbox since 2023?
Most small businesses have no idea that the moment a client fills out an intake form, a set of legal obligations kicks in. Not theoretical obligations. Real ones, with real fines and real lawsuits attached. This is not a problem reserved for hospitals and Fortune 500 companies. If you are a solo attorney, a three-person dental office, a general contractor with a clipboard, or an accountant working out of a home office, you are collecting regulated data. And you probably do not have a plan for protecting it.
What Your Intake Form Actually Collects (and Why It Matters)
The reason data privacy matters for intake forms specifically is that they concentrate sensitive information into a single document. A typical personal injury intake collects the client's SSN, date of birth, employer, insurance policy numbers, medical provider names, and a narrative description of the incident. A dental intake form collects medical history, current medications, allergies, and insurance details. A family law intake captures children's names and birthdates, custody arrangements, income, and asset information.
Each of these data points falls into a legal category that triggers specific protections:
- Personally identifiable information (PII) — name, address, date of birth, SSN. Protected under state privacy and breach notification laws in all 50 states.
- Protected health information (PHI) — medical history, diagnoses, medications, insurance data collected in a healthcare context. Protected under HIPAA.
- Financial information — bank account numbers, credit card numbers, income details. Protected under the Gramm-Leach-Bliley Act for financial services, and under PCI DSS if you store card numbers.
- Attorney-client privileged information — anything a prospective or current client tells a lawyer in connection with legal representation. Protected under state rules of professional conduct and evidence codes.
- Children's information — names, ages, school details of minors. COPPA applies only when information is collected online directly from children under 13, so it rarely governs a parent writing a child's details on an intake form; for that data the protections come from state privacy laws (several of which treat a known minor's data as sensitive), from HIPAA where the form is medical, and from privilege where it is legal.
A single completed intake form can contain data from three or four of these categories simultaneously. That is a significant concentration of risk in one document.
State Privacy Laws That Apply Even to Small Businesses
There is a common misconception that privacy laws only apply to large corporations. That is wrong, and it gets more wrong every year as states pass new legislation.
Breach notification laws exist in all 50 states. Every state requires businesses to notify affected individuals when their personal information is compromised in a data breach. The specific definitions vary (some include medical data, some don't; some have a harm threshold, some don't), but the core obligation is universal. If someone breaks into your office and steals a filing cabinet full of intake forms, you have a notification obligation. If your laptop with client PDFs gets stolen from your car, you have a notification obligation. If your cloud storage is breached, same thing. One detail matters enormously in practice: most state statutes exempt data that was encrypted, provided the key was not compromised along with it. That safe harbor is the single strongest practical reason to turn on full-disk encryption, because it turns the same stolen laptop from a reportable breach into a lost asset.
California's CCPA/CPRA applies to businesses that collect personal information of California residents and meet certain thresholds (annual revenue over $25 million, data on 100,000+ consumers, or 50%+ revenue from selling data). Most solo practitioners and small firms fall below these thresholds. But if you have clients in California and grow past these lines, the law kicks in with rights to deletion, rights to know what you have collected, and rights to opt out of data sales. The trend line matters here: other states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and more) have passed similar laws with varying thresholds.
Industry-specific state regulations add another layer. Many states have specific data protection requirements for attorneys (through bar rules on client file security), healthcare providers (state-level health data laws that go beyond HIPAA), and financial services providers.
HIPAA: Not Just for Hospitals
If you are a healthcare provider of any kind and you transmit health information electronically in connection with a standard transaction (submitting insurance claims, checking eligibility, receiving remittance advice), you are a HIPAA covered entity. That includes solo therapists, independent mental health counselors, dentists, chiropractors, optometrists, dietitians, and medical spas. The "I'm too small for HIPAA" belief has gotten small practices into serious trouble.
HIPAA's requirements for intake forms are not about what the form looks like. They are about what you do with the information after it is collected. You need administrative safeguards (policies for who can access PHI, workforce training, sanctions for violations), physical safeguards (locked filing cabinets, restricted access areas, workstation security), and technical safeguards (encryption, access controls, audit logs for electronic PHI).
The penalties are not theoretical. The HHS Office for Civil Rights has settled cases with solo practitioners and small practices for amounts ranging from $10,000 to over $100,000, typically when a breach occurred and the investigation revealed the practice had no written policies, no risk assessment, and no training program. For a deeper look at what HIPAA means for your patient forms specifically, see our HIPAA-compliant intake forms guide.
Attorney-Client Privilege: Your Ethical Obligation
Attorneys have a duty of confidentiality that goes beyond what other businesses face. Under ABA Model Rule 1.6(c) (adopted in some form in every state), a lawyer must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
This applies from the moment a prospective client fills out an intake form, before any engagement letter is signed; Model Rule 1.18 extends the duty to prospective clients even when you never take the matter. If someone fills out your family law intake describing a custody dispute and you leave that form on your desk where your next client can see it, you have a problem. If you email an intake form to opposing counsel by mistake because you autofilled the wrong address, you have a bigger problem.
The practical implication is that law firms need to treat intake forms with the same level of security as case files. That means encrypted storage, controlled access, and a clear retention and destruction policy. The failure mode is not necessarily a massive data breach — it is the small operational mistakes that lead to bar complaints and malpractice claims. If you are missing critical fields on your legal intake forms, the privacy risk compounds the liability gap from missing intake fields.
PCI Considerations: Payment Info on Forms
If your intake form collects credit card numbers, you are subject to PCI DSS (Payment Card Industry Data Security Standard). This is not a government regulation; it is an industry standard enforced by the card networks through your payment processor, and it applies to anyone who stores, processes, or transmits cardholder data regardless of size. But the consequences of non-compliance are real: fines passed through by your processor, increased transaction fees, and liability for fraud losses and the cost of a forensic investigation if card data is stolen from you.
The simplest advice here is: do not collect full credit card numbers on intake forms. If you need payment information at intake, collect only the last four digits (plus card brand and expiry if you need them) as a reference and process actual payments through a PCI-compliant payment processor (Square, Stripe, your POS system). Never write down the CVV anywhere: PCI DSS forbids storing it after authorization even for merchants who are otherwise permitted to keep card numbers. An accounting intake form that captures a client's bank name and last four digits of the account is appropriate. An intake form that captures a full 16-digit card number and CVV is a liability.
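One way to enforce the "last four only" rule at the point where intake data enters your systems is to scan every submitted field for anything that looks like a full card number and replace it with a last-four reference before the record is stored. The Python below is an added example, not code from this page or from any forms product; the field names and the sample record are constructed, and the card number in it is the widely published Visa test number, not a real account. It uses the Luhn checksum that every card number must satisfy to screen out other long digit strings (invoice or account numbers), and it reports which fields were touched so the original submission can be purged.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by the
# spaces or hyphens people type between groups. The lookarounds stop a
# match from starting or ending inside a longer digit run (a 20-digit
# account number is not a card number). Tightened by the Luhn check below.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn (mod 10) checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _looks_like_pan(match):
    digits = re.sub(r"\D", "", match.group(0))
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pans(text):
    """Replace each probable full card number in text with ****<last four>.
    Returns (masked_text, number_of_replacements)."""
    count = 0

    def repl(match):
        nonlocal count
        if not _looks_like_pan(match):
            return match.group(0)        # Luhn failed: leave it alone
        count += 1
        digits = re.sub(r"\D", "", match.group(0))
        return "****" + digits[-4:]

    return _CANDIDATE.sub(repl, text), count


def sanitize_intake(record):
    """Mask card numbers in every string field of an intake record.
    Returns (sanitized_copy, fields_that_held_a_card_number).
    A Luhn-valid 13-19 digit string can still be something other than a
    card number, so treat a flag as 'needs a human look', not as proof."""
    clean = {}
    flagged = []
    for field, value in record.items():
        if isinstance(value, str):
            masked, n = mask_pans(value)
            clean[field] = masked
            if n:
                flagged.append(field)
        else:
            clean[field] = value
    return clean, flagged


# Constructed sample submission (assumed field names; the card number is the
# published Visa test number 4111..., not a real account).
SAMPLE_INTAKE = {
    "client_name": "A. Client",
    "phone": "555-123-4567",
    "payment_reference": "4111 1111 1111 1111 exp 12/27",
    "notes": "Prefers to be billed to card 4111111111111111; last four 1111 on file.",
}

if __name__ == "__main__":
    sanitized, fields = sanitize_intake(SAMPLE_INTAKE)
    for k, v in sanitized.items():
        print(f"{k}: {v}")
    print("fields that contained a full card number:", fields)
```

Run this on the submission before it is saved anywhere, including the email inbox your web form posts to; a masked copy is the only one you want to retain, and a non-empty flagged list is the signal to delete the raw submission.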
Practical Steps for Protecting Client Data
The good news is that protecting intake form data does not require an enterprise security budget. It requires consistent practices.
Encrypted storage. If you store completed intake forms digitally (and you should — digital is safer than paper when done right), encrypt them. On a Mac, enable FileVault. On Windows, enable BitLocker. For cloud storage, use a provider that encrypts at rest (Google Workspace, Microsoft 365, Dropbox Business all do). Password-protect sensitive PDFs with an open password and AES-256; a permissions-only password that restricts printing or copying does not stop anyone from reading the file. The point is not to make the data impossible to access — it is to make it unreadable to whoever ends up with the disk, the backup, or the stolen laptop. Encryption at rest does nothing against a compromised account, so pair it with strong passwords and multi-factor authentication on every cloud account that holds client files.
Limited access. Not everyone in your office needs access to completed intake forms. Your receptionist needs to hand out blank forms and collect completed ones. Your paralegal or nurse needs to review them. Your billing person needs specific fields. But the cleaning crew, the intern, and the other tenants in your shared office suite do not. Implement role-based access for digital files and physical lock-and-key for paper forms.
Retention policies. Decide how long you keep completed intake forms, write it down, and follow it. Attorneys typically need to retain client files for 6-7 years after matter closure (varies by state). Healthcare providers need to retain medical records for 7-10 years (varies by state; some states require longer for minors). A general contractor might need project files for the statute of repose period (6-12 years depending on the state). After the retention period expires, destroy the records.
Secure disposal. When the retention period is up, shred paper forms (cross-cut, not strip-cut). For digital files, do not just delete them — use secure deletion that overwrites the data, or destroy the storage media. "I deleted it from my desktop" is not secure disposal when the file is still sitting in your recycling bin, your cloud backup, and your old laptop in the closet. Be aware that overwriting has limits too: on an SSD, a copy-on-write file system (APFS, Btrfs, ZFS), or a synced cloud folder, the old blocks may survive an overwrite. The dependable approach is to keep the drive encrypted from day one and retire it by destroying the key or the media, and to purge the file from cloud trash and version history rather than only from the folder.
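The overwrite-then-unlink step described above, as an added example that is not part of the original page: a small Python routine that overwrites a file with random bytes, forces each pass to disk, renames it so the original file name leaves the directory entry, and only then unlinks it. The sample intake record it writes is constructed, and the caveat in the code restates the storage-media assumption: this scrubs contents only where the file system rewrites blocks in place.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path, passes=2, chunk=64 * 1024):
    """Overwrite every byte of the file with random data and force each pass
    to disk. Returns the file size in bytes.

    Caveat (an assumption about your storage, check it): this only scrubs
    the old contents on media that rewrite blocks in place. SSDs with wear
    levelling, copy-on-write file systems (APFS, Btrfs, ZFS) and synced
    cloud folders may keep the previous blocks, so on those the reliable
    answer is whole-disk encryption from day one plus key destruction."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path, passes=2):
    """Overwrite the contents, rename to a random name so the original file
    name no longer sits in the directory entry, then unlink."""
    size = overwrite_in_place(path, passes)
    scrubbed = os.path.join(os.path.dirname(os.path.abspath(path)),
                            secrets.token_hex(8))
    os.replace(path, scrubbed)
    os.remove(scrubbed)
    return size


def demo():
    """Constructed walk-through: write a fake intake record to a temporary
    file, overwrite it, confirm the plaintext is gone from the file, then
    delete it. Returns the observations so they can be checked."""
    original = b"SSN: 000-00-0000\nDOB: 01/01/1970\nCard: ****1111\n"  # fake
    fd, path = tempfile.mkstemp(suffix="-intake.txt")
    with os.fdopen(fd, "wb") as f:
        f.write(original)

    overwrite_in_place(path)
    with open(path, "rb") as f:
        after_overwrite = f.read()

    size = secure_delete(path)
    return {
        "original_size": len(original),
        "bytes_overwritten": size,
        "plaintext_survived_overwrite": original in after_overwrite,
        "exists_after_delete": os.path.exists(path),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

This handles only the copy you point it at. The recycling bin, the cloud backup, the version history and the old laptop named in the paragraph above each need their own pass, which is why disk encryption from the start is the cheaper strategy.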
Incident response plan. Write a one-page plan that answers: who do we contact if client data is lost or stolen, what is our notification timeline under state law, and who makes the decision to notify. You do not need a 50-page playbook. You need to know what to do in the first 72 hours.
Why Fillable PDFs Give You More Control Than Cloud Forms
Here is a data privacy advantage of fillable PDF intake forms that does not get discussed enough: you control the file.
When a client fills out a form on JotForm, Typeform, IntakeQ, or any other cloud platform, that client's data lives on that company's servers. You have a contractual relationship with the platform (and, for healthcare, you should have a BAA), but you do not control the infrastructure. If the platform gets breached, your clients' data is exposed. If the platform changes its privacy policy, your clients' data is affected. If the platform goes out of business, you may have a scramble to export your data before it becomes inaccessible. We covered this tradeoff in detail in our intake forms vs. CRM software comparison.
With a fillable PDF, the data stays wherever you put it. On your encrypted local drive. In your secured file server. In your locked filing cabinet if you print it. You are not dependent on a third party's security practices, you are not paying a monthly subscription for the privilege of storing your own client data on someone else's computer, and you are not subject to a SaaS company's terms of service that might grant them rights to your data that you did not carefully read.
This does not mean PDFs are automatically more secure. A PDF sitting unencrypted on a shared desktop is less secure than a properly configured cloud platform. The advantage is control: you decide the security posture, and you are not outsourcing that decision to a company whose incentives may not align perfectly with yours.
What to Put in Your Privacy Notice
If you collect personal information on intake forms, you should have a privacy notice. This does not need to be the 8,000-word document that tech companies publish. For a small business, a one-page privacy notice should cover:
- What you collect — list the categories (contact information, medical history, financial information, etc.)
- Why you collect it — to provide services, for billing, for legal compliance
- How you protect it — encrypted storage, limited access, retention and destruction policies
- Who you share it with — list categories (insurance companies, referring providers, courts if subpoenaed)
- How long you keep it — your retention period, stated clearly
- How to contact you — a phone number or email for privacy-related questions
For healthcare providers, this overlaps with the HIPAA-required Notice of Privacy Practices, which has its own content requirements. For attorneys, your engagement letter typically covers confidentiality obligations. For other businesses, a standalone privacy notice is a best practice even if not legally required in your state — yet. The trajectory of privacy legislation makes it likely that more states will require privacy notices from smaller businesses in the coming years.
The Bottom Line
Every intake form is a privacy event. The moment a client writes down their Social Security number, their medical condition, their children's names, or their bank account number, you have taken on an obligation to protect that information. The law does not care that you are a five-person firm, a solo practitioner, or a one-truck operation. It cares whether you took reasonable steps to safeguard the data.
Reasonable steps are not expensive. Encrypt your devices. Lock your filing cabinets. Limit who can access client files. Have a written retention policy. Know your state's breach notification requirements. And use intake forms that collect what you need and nothing more — because the less sensitive data you hold, the less you have to protect.
Professional Intake Forms Built for Data Privacy
164 profession-specific sets. Fillable PDFs you control. Starting at $12.99.
Browse All Forms