By the Templateez Team · Licensed Attorney · June 2026

Intake Forms for Regulated Industries: When the Government Tells You What to Ask

Most businesses get to decide what their intake forms look like. They sit down, think about what information they need, and build a form that works for their workflow. If they forget a field, they add it later. If a question turns out to be pointless, they drop it. The form evolves based on experience and common sense.

Then there are the regulated industries. Healthcare. Legal. Financial services. Real estate. Contracting. Childcare. In these fields, the government does not care about your preferences. Federal and state regulators have decided what information you must collect, how you must collect it, and what happens to you if you do not. Your intake form is not a business tool — it is a compliance document. And the penalty for getting it wrong is not a missed question. It is a fine, a license suspension, or a malpractice claim that lands on your desk like a brick.

This is a tour of six industries where regulators dictate what goes on your intake form, what the actual requirements are (not the watered-down version), and what happens when you miss them.

Healthcare: HIPAA is the floor, not the ceiling

Every healthcare provider knows HIPAA exists. Most think compliance means having a privacy notice somewhere in the office. It does not. HIPAA’s Privacy Rule requires specific, documented patient authorizations before protected health information can be used or disclosed for purposes beyond treatment, payment, and healthcare operations. That is not a checkbox on your intake form — it is a multi-element authorization that must include the specific information to be disclosed, who is receiving it, the purpose, an expiration date, and the patient’s right to revoke.

But HIPAA authorization is just the starting point. A dental practice intake or any healthcare intake must also capture:

• Consent to treatment — not general consent to “receive services” but informed consent that describes the nature of the treatment, material risks, alternatives, and the consequences of refusing. The specific elements required vary by state, but most medical boards have published guidance that reads like a field specification for your intake form.
• Patient rights acknowledgment — federal law and state regulations require patients to receive a notice of their rights (access to records, right to amend, right to an accounting of disclosures, right to restrict certain uses). Intake is when this must be delivered and acknowledged in writing.
• Insurance assignment of benefits — the patient’s written authorization allowing the provider to bill the insurance carrier directly and receive payment. Without it, technically the carrier owes the money to the patient, not to you.
• Medicare and Medicaid disclosures — if you accept government payers, there are specific disclosures required at intake. The Advance Beneficiary Notice of Noncoverage (ABN) must be provided before delivering services that Medicare may not cover. Medicaid programs have their own state-specific intake requirements that vary from Medicaid Freedom of Choice notices to provider-specific enrollment documentation.
• State-specific consent layers — many states add requirements on top of federal law. Mental health providers in most states must obtain separate, specific consent before beginning psychotherapy, with disclosures about the therapeutic approach, session recording policies, and the limits of confidentiality (mandatory reporting for child abuse, elder abuse, threats of harm). Substance abuse treatment records carry additional protections under 42 CFR Part 2, which restricts disclosure even more tightly than HIPAA.

The penalty structure is not gentle. HIPAA civil penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category. State attorneys general can bring additional actions. The HHS Office for Civil Rights publishes a wall-of-shame breach portal, and being listed there is a reputational event that no amount of marketing can undo. Our HIPAA-compliant intake forms guide walks through the specific documentation elements in detail.

Legal practice: ethics rules with teeth

Attorneys do not answer to a federal regulator the way healthcare providers answer to HHS. They answer to state bar associations, which enforce the Rules of Professional Conduct and have the power to suspend or disbar. The ethics rules do not explicitly say “your intake form must contain these fields,” but they create obligations that functionally dictate what the form must capture.

Conflict checking. Rule 1.7 (current client conflicts) and Rule 1.9 (former client conflicts) require an attorney to identify conflicts of interest before accepting representation. This means the intake form must capture not just the prospective client’s name but the adverse party’s name, related parties, corporate affiliations, and any prior attorneys — enough data to run a meaningful conflict check. A personal injury intake that captures the client’s name but not the defendant’s name, the insurance carrier, or the employer (in a workers’ comp matter) has failed the conflict check before it started.

Engagement terms. While not every jurisdiction mandates a written fee agreement for every matter type, most state bars require written engagement terms for contingency fee arrangements (Rule 1.5(c)), and many require written terms for all new representations. The intake form is where the scope of representation, fee structure, retainer terms, and billing practices should be documented — not in a follow-up email three weeks later. Engagement terms should also address how disputes between the firm and the client will be resolved — mandatory arbitration clauses, mediation-first requirements, and fee dispute arbitration programs all have their own regulatory frameworks that affect what the intake form needs to capture. Our guide on intake forms for dispute resolution, mediation, and arbitration covers the procedural requirements that apply when ADR is part of the engagement structure.

Client identification and AML/KYC. Attorneys handling real estate transactions, trust administration, or entity formation are increasingly subject to anti-money laundering scrutiny. FinCEN’s Corporate Transparency Act now requires beneficial ownership reporting for most entities, and attorneys who form those entities need to capture identifying information at intake that they never needed before — government-issued ID numbers, addresses, and dates of birth for beneficial owners. In practice areas touching international transactions or large cash payments, the attorney’s intake form needs to function as a KYC document.

The cost of a missed conflict check is not just a bar complaint. It is withdrawal from the representation (after the client has relied on you), potential malpractice liability, fee disgorgement, and the reputational damage of having a conflict-of-interest finding on your disciplinary record. For a deeper look at what belongs on a law firm intake form, see our guide on compliance-driven intake for financial advisors — the KYC parallels are striking.

Financial services: where every question is a regulatory requirement

If healthcare and legal have regulatory overlays on top of professional judgment, financial services is the industry where the overlay is the product. A financial planning intake is, in practical terms, a regulatory compliance document that happens to also be useful for serving the client.

FINRA suitability and Regulation Best Interest. Broker-dealers and their registered representatives must have a reasonable basis for believing that a recommended transaction or investment strategy is suitable for the customer. Reg BI, which replaced the old suitability standard in 2020, requires consideration of the customer’s investment profile: age, financial situation, tax status, investment objectives, investment experience, investment time horizon, liquidity needs, risk tolerance, and any other information the customer discloses. Every one of those data points must be captured at intake. Not capturing them is not a documentation gap — it is a Reg BI violation.

SEC fiduciary obligations for RIAs. Registered investment advisers have a fiduciary duty to act in the client’s best interest. The practical implication for intake is that the RIA must gather enough information to understand the client’s complete financial picture — assets, liabilities, income, expenses, insurance coverage, estate planning status, outside investments, and financial goals — before making any recommendation. An intake form that captures investment objectives but not existing liabilities is a form that does not support a fiduciary recommendation.

BSA/AML and Customer Identification Program. The Bank Secrecy Act requires financial institutions to maintain a Customer Identification Program (CIP) that verifies the identity of every person opening an account. That means capturing, at intake: legal name, date of birth, address, and a government-issued identification number. For entities, it means capturing the entity’s legal name, formation date, jurisdiction, EIN, and beneficial owners. Failure to maintain a CIP is a federal criminal violation, not a civil penalty. Banks have paid hundreds of millions in BSA/AML fines. Smaller financial services firms are not immune.

FINRA enforcement actions for suitability and Reg BI violations regularly result in fines ranging from $5,000 to over $1 million, plus disgorgement of commissions and customer restitution. The SEC brings civil enforcement actions that can include permanent industry bars. The intake form is where every one of these obligations begins.

Real estate: disclosure obligations that predate the closing

Real estate is one of the few industries where state law dictates not just what you must collect but specific documents you must provide to the other party at defined points in the transaction. Your real estate intake needs to capture the information that feeds those mandatory disclosures.

Agency disclosure. Most states require real estate agents to disclose, in writing, whom they represent in a transaction — the buyer, the seller, or both as a dual agent — at the first substantive contact. This is an intake obligation, not a closing obligation. The specific form is usually prescribed by state law (New York’s Agency Disclosure Form, California’s Agency Relationship Disclosure), and the failure to present it at the right time creates a voidable transaction and disciplinary action.

Lead-based paint disclosure. For any residential property built before 1978, federal law (42 U.S.C. § 4852d) requires the seller or landlord to disclose known lead-based paint hazards, provide an EPA pamphlet, and give the buyer ten days to conduct an inspection. The disclosure must be in the specific EPA-prescribed format. This is not optional. It is not waivable. HUD and EPA can impose fines up to $19,507 per violation (adjusted for inflation), and private plaintiffs can recover treble damages.

Fair housing compliance. The Fair Housing Act prohibits discrimination in housing transactions based on race, color, national origin, religion, sex, familial status, and disability. For intake purposes, this means your form must be designed to not collect certain information. Asking about a prospective buyer’s religion, national origin, family plans, or disability status on an intake form is not just unnecessary — it creates evidence of disparate treatment in a fair housing complaint. Regulated intake is not always about what you must ask. Sometimes it is about what you must not.

Property condition disclosures. Nearly every state requires sellers to complete a property condition disclosure statement, and most real estate agents need to capture enough information at intake to ensure the disclosure is triggered and completed. If a seller tells the agent at intake about a foundation issue and it never makes it onto the disclosure form, both the seller and the agent face liability.

Contractors: permits, licenses, and lien waivers

The construction and trades industries operate under a patchwork of state and local regulations that dictate what a general contractor must document before work begins. Unlike healthcare or financial services, where federal regulators set a national floor, contractor regulations are almost entirely local — which makes them harder to track and easier to violate.

Permit requirements by jurisdiction. Most jurisdictions require building permits for work that affects structure, electrical, plumbing, or HVAC systems. The intake form needs to capture enough information about the project scope to determine whether permits are required — because starting unpermitted work is a violation that falls on the contractor, not the homeowner, in most states. In some jurisdictions, performing work that required a permit but did not have one is grounds for license revocation.

Licensing verification. Many states require contractors to include their license number on contracts, proposals, and even advertising. At intake, the contractor should be documenting not just their own license but also whether the project requires specialized licenses (electrical, plumbing, HVAC, asbestos abatement) and whether subcontractors hold appropriate licenses. A general contractor who subcontracts electrical work to an unlicensed electrician has a licensing problem, even if the general contractor’s own license is current.

Lien waiver language. Mechanic’s lien laws vary dramatically by state, but most require specific notices at specific times. Many states require a preliminary notice within a set number of days of starting work — miss the window, and you lose the right to lien. The intake form must capture the property owner’s legal name and address (for the preliminary notice), the project address, the property description, and the general contractor’s information if the firm is a subcontractor. Some states prescribe the exact language of the preliminary notice, making the intake form a direct input to a legally mandated document.

Insurance and bonding documentation. Many jurisdictions and most commercial property owners require proof of general liability insurance, workers’ compensation coverage, and sometimes surety bonds before work begins. The intake form should capture whether these requirements exist for the specific project, because discovering at the start of demolition that the HOA requires a $2 million umbrella policy is not a scheduling problem — it is a stop-work event.

For a look at the broader documentation picture for contractors managing subcontractors, our post on data privacy considerations for small business intake forms covers how personally identifiable information collected at intake intersects with state privacy laws that now apply to even small contractors.

Childcare and education: protecting children by documenting everything

Childcare licensing is state-regulated, and every state has detailed requirements for what must be in a child’s enrollment file before the child can attend. Unlike most industries, childcare licensing inspectors physically visit facilities and review individual files. A missing form in a child’s file is not a theoretical compliance gap — it is a finding that can result in a citation, a corrective action plan, or facility closure.

Immunization records. Every state requires proof of immunizations for children in licensed childcare, with specific vaccines required by age. The intake form must capture immunization status, upcoming vaccine dates, and whether the family has a medical or religious exemption on file. Some states require a physician-signed exemption form in a specific format. Enrolling a child without immunization documentation — even temporarily, even with a promise to bring the records next week — is a licensing violation in most jurisdictions.

Allergy action plans. Children with food allergies, insect allergies, or medication allergies need physician-signed action plans that specify symptoms, treatment protocols, medication locations, and dosage instructions. This is not a “notes field” item. Licensing standards in most states require a separate, detailed allergy action plan for each known allergy, stored in the child’s file and posted in the classroom. The intake form must flag the allergy and trigger the action plan process.

Authorized pickup lists. Licensing standards universally require facilities to maintain a current list of persons authorized to pick up each child. The list must include government-issued ID requirements, and staff must verify identity against the list at every pickup. Children may not be released to unauthorized individuals under any circumstances, including to a parent whose custody rights have been restricted by court order. The intake form must capture the authorized list, the unauthorized list, and any court orders governing custody or access.

Photo and media consent. Separate from general marketing consent, most licensing frameworks require specific, written parental consent before a child’s image can be used in any context — including internal documentation, social media, and facility websites. COPPA (the Children’s Online Privacy Protection Act) adds a federal layer for any online use of a child’s image or information. The intake form needs granular consent options, not a single blanket checkbox.

Medication administration authorization. Most states classify even sunscreen and diaper cream as medications that require written parental authorization before staff can apply them. The authorization must specify the product, dosage, frequency, and duration. Each medication gets its own authorization. Facilities that apply sunscreen to thirty children on a July afternoon without thirty signed sunscreen authorizations on file are out of compliance thirty times over.

Childcare is, in many ways, among the most heavily regulated intake environments of all — the combination of licensing inspections, immunization mandates, allergy protocols, and custody documentation creates a compliance surface that rivals healthcare. Our guide to intake forms for childcare, daycare, and after-school programs breaks down the enrollment documentation requirements in detail.

The cost of getting it wrong

The penalties across these industries share a common feature: they escalate. A first violation may produce a warning or a small fine. A pattern of violations, or a single violation that results in harm, produces consequences that can end a career or a business.

• Fines — HIPAA fines up to $1.5 million per violation category per year. FINRA fines that regularly exceed $100,000 for suitability violations. EPA lead paint disclosure fines above $19,000 per violation. State licensing fines that vary but accumulate quickly when each missing file is a separate violation.
• License suspension or revocation — bar discipline for attorneys who miss conflict checks. Medical board actions for providers who fail to obtain informed consent. Contractor license revocation for unpermitted work. Childcare facility closure for repeated licensing violations. In every case, losing the license means losing the ability to earn a living in the profession.
• Malpractice and liability exposure — a missing intake field that leads to harm creates a negligence claim almost by definition. The standard of care in every regulated industry includes proper intake documentation. Failing to meet it is not a judgment call that gets the benefit of the doubt — it is a deviation from the standard that the plaintiff’s expert will flag in the first paragraph of the expert report. Our post on the liability gap from missing intake fields covers this dynamic in depth.
• Criminal exposure — BSA/AML violations carry criminal penalties. Medicaid fraud (which can include billing for services without proper intake documentation) is a federal crime. Operating a childcare facility without a license, or continuing to operate after license revocation, is a criminal offense in most states. These are not hypothetical — they are prosecuted.

Why regulation-aware templates matter

Here is the problem with building your own intake forms in a regulated industry: you have to know the regulations to know what the form needs. And the regulations are not collected in one convenient location. They are scattered across federal statutes, federal agency regulations, state statutes, state agency regulations, local ordinances, licensing board guidance, and case law interpreting all of the above.

A dentist who builds an intake form from scratch has to know HIPAA’s authorization elements, their state’s informed consent requirements, Medicare disclosure rules if they accept Medicare, OSHA bloodborne pathogen documentation if they employ staff, and whatever their malpractice carrier requires for defensibility. An attorney has to know conflict-checking obligations under their state’s version of the Rules of Professional Conduct, fee agreement requirements by matter type, trust account disclosure rules, and CTA beneficial ownership requirements if they form entities.

Nobody gets all of this right on a blank page. People get it right by starting with a template that was built by someone who already did the regulatory research — who read the statutes, reviewed the licensing requirements, studied the enforcement actions, and designed the form fields to match. Not a generic form with spaces for name and phone number. A form built for the specific industry, with the specific fields that the specific regulators require.

That is what distinguishes a regulation-aware intake form from a contact card with pretensions. The contact card collects information. The regulation-aware form collects compliance.

---

Related reading:

• HIPAA-Compliant Intake Forms: A Complete Guide
• Intake Forms and Data Privacy for Small Businesses
• Client Intake for Financial Advisors: Compliance Edition
• The Liability Gap: What Happens When Your Intake Form Is Missing Key Fields