• raffibtc

    (@raffibtc)


    I’m hoping it’s possible to get a BAA with Contact Form 7… if anyone knows anything about this I’d appreciate the info!

  • codemonkeys

    (@codemonkeys)

    I strongly doubt Contact Form 7 will sign a BAA, but even if they do, my bigger concern is how you will actually use those forms in a secure, HIPAA-compliant way.

    I’m one of the developers for the HIPAA Forms plugin for WordPress, which, as far as I know, is the only real HIPAA-compliant form solution for WordPress forms.

    Remember that passing form information over regular email is not secure and always an immediate violation. This violates the “in transit” aspect of HIPAA.

    If you aren’t passing the data via email but are saving that data to your hosting server, you have to have a BAA with your hosting company, and your server/database has to be secure, meaning the database needs to be encrypted and, if you allow files to be uploaded, the hard drive has to be encrypted. This is the “data at rest” aspect of HIPAA.

    There are other aspects to consider as well, but these are the main 3 things to cover: an unbroken chain of BAA agreements for all involved, securing data in transit and securing data at rest.

  • The topic ‘Contact Form 7 – HIPAA’ is closed to new replies.