Disclaimer: We are not Lawyers and are not providing Legal Advice
Per Health and Human Services Guidance on HIPAA & Cloud Computing, the server hosting the HIPAA Forms plugin is considered a conduit (see more here). Any access to PHI by a conduit is only transient in nature. As such a BAA is not needed with your hosting service. What is needed is a valid SSL certificate installed and setup (the URL in your address bar should start with https:// and your browser should indicate that the connection is secure).
Please consult with your own legal resources for further clarification.
IMPORTANT: While HIPAA Forms is designed to ensure your website is using SSL/HTTPS and will not function under unsecured HTTP, it is the Covered Entity's responsibility to ensure other aspects of your server configuration such as load balancers also operate under HTTPS to remain HIPAA compliant. Your hosting company and/or website administrator should be able to confirm this easily if asked.