Going Paperless: Fillable Intake & Consent Forms for Therapists

Switching to paperless intake forms is one of the highest-leverage administrative changes a solo therapist can make. Clients complete forms before the first session, you walk in with a full clinical picture, and nobody is filling out a clipboard in the waiting room. The friction is almost entirely on the setup side — choosing the right forms, ensuring HIPAA compliance in how you handle them, and getting them into clients’ hands reliably.

This guide covers the administrative and operational side: which forms to include, what each must contain, how to deliver and collect them in a HIPAA-compliant way, and what to watch for with fillable PDFs specifically. It is not legal advice or clinical supervision.

Which Forms Go in a Paperless Intake Packet

A complete intake packet for a new therapy client typically covers five areas. The 7 Documents Every New Therapy Practice Needs post covers the full list, but from a paperless intake perspective, the forms you need to send before session one are:

Form	Purpose	Required by
Client intake / biopsychosocial	Collects presenting concerns, history, demographics, emergency contact	Clinical best practice; some payers require it on file
Informed consent to treatment	Documents that the client understands and agrees to the therapeutic process	Ethical codes (APA, NASW, ACA) and most state licensing boards
HIPAA Notice of Privacy Practices + acknowledgment	Discloses how PHI is used and collected; client acknowledges receipt	Required by the HIPAA Privacy Rule for all covered entities
Telehealth consent	Documents client consent to video/phone sessions and confirms understanding of limitations	Required by most state boards if you offer telehealth
Financial policy / fee agreement	Sets out your fees, billing practices, cancellation policy, and accepted payment methods	Not legally required but essential for no-show and cancellation situations

If you accept insurance, you will also need a benefits verification form and, eventually, a release of information for coordination of care. Those typically come after the intake rather than before it.

What Each Form Must Actually Contain

Client Intake Form

The intake form is your baseline clinical record for the presenting client. At minimum it should capture:

Full legal name, date of birth, and preferred name/pronouns
Address and emergency contact with relationship and phone number
Referring provider or referral source
Presenting concerns in the client’s own words
Relevant medical history (medications, hospitalizations, chronic conditions)
Mental health history (prior diagnoses, therapy, psychiatric care)
Substance use history
Family and social history summary
Insurance information if applicable

The intake form becomes part of the permanent clinical record. It should be dated and identifiable to the client by name and chart number if you use one.

This is the most legally significant document in the packet. The APA Ethical Principles of Psychologists and Code of Conduct (Standard 10.01) and parallel codes for licensed counselors and social workers all require that informed consent be obtained and documented before therapy begins.

A compliant informed consent form addresses:

Nature of therapy: What to expect in sessions, the voluntary nature of participation, and the client’s right to discontinue at any time
Confidentiality and its limits: What you can and cannot keep confidential — mandatory reporting obligations for abuse and neglect, duty-to-warn if a client presents imminent danger to an identifiable third party, and what happens if records are subpoenaed
Communication policies: How you handle between-session contact, emergency calls, and what to do in a mental health crisis
Fees and billing: Rate per session, what happens if insurance is billed (see HIPAA section below), and consequences of non-payment
Telehealth-specific terms if applicable: platform used, jurisdiction, what happens if the connection drops
Supervision disclosure if applicable: whether you are under supervision and that a supervisor may review records

The signed consent form belongs in the client’s chart and should be retained for the full records retention period — typically 7 years after last contact for adult clients, longer for minors depending on state law.

HIPAA Notice of Privacy Practices

HIPAA requires covered entities to provide a Notice of Privacy Practices to clients at or before the first service delivery and to make a good-faith effort to obtain a written acknowledgment of receipt. The HHS model NPP for individual practices is a reliable starting point.

Your NPP must disclose:

How you use and disclose protected health information (PHI)
Client rights regarding their PHI (access, amendment, restriction requests, accounting of disclosures)
Your legal duties regarding PHI
How to file a complaint with HHS if the client believes their rights were violated
Effective date of the notice

The acknowledgment of receipt is a separate, short document (or a signature line on the NPP itself) that the client signs to confirm they received the notice. Keep the signed acknowledgment in the chart. If a client refuses to sign, note the refusal and keep that notation on file.

HIPAA and Fillable PDFs: What Actually Matters

Running paperless forms does not automatically mean you are HIPAA compliant. The key requirements to understand:

Transmission security. Emailing an unencrypted fillable PDF containing a client’s name, date of birth, and presenting concerns is a HIPAA violation. You need to either (a) use a HIPAA-compliant client portal or form platform, (b) encrypt the PDF before sending, or (c) send the PDF over a platform that has signed a Business Associate Agreement (BAA) with you.

Business Associate Agreements. Any vendor who handles PHI on your behalf must sign a BAA. This includes your email provider if you send or receive PHI via email, your form platform, and your cloud storage provider if you store completed forms there. Google Workspace (Business plans) and Microsoft 365 Business offer BAAs. Standard Gmail, Dropbox, and consumer-tier Google Drive do not.

Access controls. Completed intake forms should be accessible only to authorized staff. Avoid storing completed forms in a shared inbox or a folder that is not access-controlled.

The simplest compliant path for a solo practice: Use a HIPAA-compliant practice management platform that includes a client portal (e.g., SimplePractice, TherapyNotes, TheraNest) and send forms through the portal. The BAA is built in, transmission is encrypted, and signed forms land directly in the chart. If you prefer standalone fillable PDFs, pair them with a HIPAA-compliant form delivery tool (e.g., Hushmail for Healthcare, ShareFile) that has a BAA.

What to Look for in a Fillable PDF Form

Not all fillable PDFs are created equal. When evaluating or building intake forms:

Fields vs. flat text. A true fillable PDF has interactive form fields — text boxes, checkboxes, dropdown menus — that clients can tab through and complete on any device. A PDF where someone has just left blank lines is not fillable in any useful way on a phone or tablet.

Logical tab order. Fields should tab in reading order (top to bottom, left to right). A broken tab order is confusing on desktop and nearly unusable on mobile.

Signature fields. Consent forms need an actual signature field (not just a text box labeled “signature”) for electronic signatures to carry any legal weight. PDF signature fields are supported natively by Adobe Acrobat and most major PDF readers.

Flat-form compatibility. Some clients will print, sign by hand, and scan back. A well-designed fillable form also works printed. Avoid field layouts that depend on the digital form experience to be readable.

File size. Intake packets can get large. A 20-page intake PDF should still be under 2 MB. Larger files create delivery friction and fail on some portals.

Delivering Forms to Clients Before Session One

The goal is for clients to arrive at the first session with everything signed. Build a workflow that makes this as easy as possible:

Send forms 48–72 hours before the first appointment. Same-day sends get missed or rushed.
Use one link or attachment, not multiple. A four-attachment email with four separate PDFs has a much lower completion rate than a single intake packet or portal invite.
Include a plain-English cover note. Briefly explain what each form is, why you are asking for it, and how to reach you if something is confusing. Clients who understand why they are signing something sign it more readily.
Set a soft deadline. “Please complete these before our session on Thursday” is enough. You do not need to be punitive, but clarity helps.
Have a backup. Keep a printed copy of the packet or a tablet in the office for clients who did not complete the forms in advance. Do not start a first session without signed consent.

Storing and Retrieving Completed Forms

Once a client returns a completed intake packet, the forms belong in the permanent clinical record alongside your progress notes.

Store completed forms in the client’s chart folder (EHR, or a named folder in a HIPAA-compliant cloud storage)
Date-stamp when each form was received and by what method
For consent forms: check that a signature and date are present before filing. An unsigned consent form is not a consent form.
Keep the signed HIPAA acknowledgment separately identifiable within the chart — payers and licensing boards may ask specifically for proof that the NPP was delivered
Do not discard the paper originals until you have confirmed the digital copy is complete and legible

Updating Your Intake Forms Over Time

Forms are not one-and-done. You should review your intake packet when:

Your fee schedule changes (update the financial policy form)
You add telehealth to an in-person-only practice (add or update telehealth consent)
You change your cancellation policy — covered in setting your no-show and late-cancel policy
Your state licensing board issues new guidance on mandatory reporting, telehealth, or recordkeeping
You start accepting insurance (add insurance-specific disclosures and assignment of benefits language to the consent)
A client completes an outdated version — get a fresh signature on the current version at the next session

If you update a consent form mid-treatment, have existing clients sign the updated version. Do not assume a signature from two years ago covers new terms.

Frequently Asked Questions

Is an electronic signature on a fillable PDF legally valid?

Yes. The Electronic Signatures in Global and National Commerce Act (E-SIGN Act) and the Uniform Electronic Transactions Act (UETA), adopted in some form in 47 states, establish that electronic signatures have the same legal effect as wet signatures for most documents including therapeutic consent forms. The signature must be attributable to the client — meaning the form should capture the date, time, and ideally the IP address of the signing. Most HIPAA-compliant form platforms do this automatically.

Best practice is yes. If a client returns after 12 months or more, or if your policies have changed since they last signed, obtain fresh signatures on the consent and financial policy forms. A signature from a prior treatment episode may not cover new terms or a new treatment relationship. This also gives you an opportunity to update their intake information.

Can I use Google Forms for intake?

Standard Google Forms sends data to Google’s servers under a consumer terms-of-service agreement, not a BAA. Using it for PHI (which all therapy intake data is) is a HIPAA violation unless you are using Google Workspace for Healthcare or a Business tier account with an executed BAA with Google. If you have that agreement in place, Google Forms can work. If you do not, use a HIPAA-compliant alternative.

This varies by state and by license type (LCSW, LPC, MFT, psychologist). At minimum, every state licensing board requires documented informed consent to treatment. Most require disclosure of confidentiality limits (mandatory reporting, duty to warn, subpoenas), fee information, and therapist credentials including supervision status if applicable. Check your specific state licensing board’s code of conduct — the Association of State and Provincial Psychology Boards maintains a directory of state board contacts.

How do I handle a client who refuses to sign the HIPAA Notice of Privacy Practices acknowledgment?

HIPAA does not require you to obtain the signature — only to make a good-faith effort to do so. If a client declines to sign the acknowledgment, document the refusal in writing (date, that you presented the NPP, that the client declined to sign) and keep that note in the chart. You can still treat the client. You cannot refuse service solely because a client will not sign the acknowledgment.

Disclaimer: Folio publishes general information about the operational and administrative side of running a private practice. It is not legal, medical, clinical, tax, or compliance advice, and it does not create a professional relationship. Rules vary by state, payer, and profession and change over time. Verify requirements with the primary sources cited, your licensing board, and your own qualified advisors before acting.