Assuming a developer that is/stays current on relevant security issues creates/manages the site, and a HIPAA compliant (per the regulations) hosting environment is used, forms, uploading, etc. is fine. If you proceed, note that compliance is more than technical. Policies/procedures have to be in place for using/managing the solution as well as incorporating the solution into a risk management program (required). If audited, these other items may be checked.
