Briefly, HIPAA regulations define PHI as any data that can be used to identify an individual patient as part of the healthcare process. Any personal data a patient enters into a digital form can be considered PHI.

Any primary provider of healthcare services (the “Covered Entity” or CE) or a partner provider (the “Business Associate” or BA) that handles PHI in any capacity is regulated under HIPAA and must abide by the regulation’s reporting, security, and administrative rules.

This data can include medical records, notes from doctors, correspondence between patients and doctors, and patient payment and billing information. As such, any information entered into that form must remain private and protected from unauthorized access. Several rules and guidelines govern the necessary steps to secure a form: the form must be secured by proper controls as defined by HIPAA’s Security Rule. This states that reasonable, proper encryption and security software must be in place to protect any data at rest and in transit.

A non-compliant form could jeopardize PHI and put your healthcare organization in non-compliance, with penalties up to $50,000 per incident and potential jail time.

How Can I Ensure That My Current Form Provider Is Compliant?

Since digital and web HIPAA compliant forms are technical tools used by healthcare providers, they can be designed to be HIPAA compliant like anything else. Likewise, the form provider can also become HIPAA compliant. How that works, however, will depend on the features of the services offered by the provider. Some ways to ensure your form provider is HIPAA compliant include:

Guarantee encrypted data storage and transmission: If a patient submits a form, then that data will usually go somewhere like a remote database. All data transmitted like this must be encrypted during its travel with technology like SSL or SFTP (or some comparable and compliant technology). If there is a way to enable encryption, either through the provider or some settings, then do it.

Protect any reporting or analytics: The strength of most platforms is their ability to compile data for reporting and analytics, but this data must also be protected in some way if it involves PHI.

Vet the emails: Many form providers will also include email notifications for submitted forms. These notifications shouldn’t contain any PHI. Nevertheless, make sure that the email is encrypted and stored on encrypted servers through a HIPAA compliant third party.

Require your forms provider to sign a BAA: If your forms provider is handling PHI on your behalf, then they are acting as a BA and therefore need to sign a BAA. It is imperative that you perform security and risk assessments on the form provider’s product alongside the BAA.
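The two checks the text describes for a form pipeline, notification emails that carry no PHI and destinations that only use an encrypted transport, as an added example in Python (not code from the original page or from any form provider). The PHI field list, the sample submission and the destination URLs are constructed assumptions; a real deployment would take them from its own form schema and settings.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumed (hypothetical) policy: which fields of the intake form carry PHI.
PHI_FIELDS = {"patient_name", "date_of_birth", "diagnosis", "insurance_id", "message"}
# Transports the text names as acceptable for data in transit.
ENCRYPTED_SCHEMES = {"https", "sftp"}


def safe_to_send(body, submission):
    """False if any PHI value from the submission appears in the notification body.
    Values shorter than three characters are skipped to avoid false matches."""
    for field in PHI_FIELDS.intersection(submission):
        value = str(submission[field])
        if len(value) >= 3 and value in body:
            return False
    return True


def build_notification(form_name, submission_id, submission, submitted_at):
    """Return a notification containing only metadata: form name, submission id,
    timestamp and field counts. No field values are copied, and the body is
    scanned before it is returned so a leak (for example a form named after a
    patient) is refused rather than emailed."""
    phi_count = len(PHI_FIELDS.intersection(submission))
    body = (
        f"New submission to form '{form_name}' (id {submission_id}) at "
        f"{submitted_at.isoformat()}. {len(submission)} fields received, "
        f"{phi_count} of them PHI (withheld). "
        f"Log in to the HIPAA-compliant dashboard to view the entry."
    )
    if not safe_to_send(body, submission):
        raise ValueError("PHI would leak into the notification; not sending")
    return body


def destination_is_encrypted(url):
    """True only for a storage or webhook destination using an encrypted transport."""
    return urlparse(url).scheme.lower() in ENCRYPTED_SCHEMES


if __name__ == "__main__":
    # Constructed sample submission; not real patient data.
    sample = {"patient_name": "Jane Doe", "date_of_birth": "1980-01-01",
              "diagnosis": "influenza", "preferred_contact": "phone"}
    print(build_notification("Intake", "S-1", sample, datetime.now(timezone.utc)))
    print(destination_is_encrypted("https://forms.example.test/hook"))  # True
```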