HIPAA Compliance Hidden Email Content

  • HeartlandPharmacy
    Asked on July 18, 2018 at 03:20 PM

    I have recently upgraded my account to be HIPAA Compliant. My client currently has 9 locations to choose from on their form. I need assistance in 2 areas:

    1. I am having issues setting up conditional logic on the backend. I am trying to send a notification email to the appropriate location when it is selected on the form. I need them to only receive emails when it applies to their own location.

    2. I need the recipient to receive an email with all the information included, but right now, all info is "Hidden to protect your privacy." How can I adjust this so that each location can easily access all form details without having Jotform credentials?


    Also, out of the information listed on the form, does that need to be protected/hidden at this time? Is showing the date of birth HIPAA compliant on the form?

  • DonaldHag
    Answered on July 18, 2018 at 05:37 PM

    Set the fields as not protected in HIPAA form and they will be shown in the email.

    Refer to this guide: https://www.jotform.com/help/504-How-to-use-Notification-and-AutoResponder-emails-in-HIPAA-accounts

    [Image: hipaa protected fields.png]

    The way the data is handled after it is received on the emails at the location has a large part in determining whether the form remains HIPAA Compliant or not.

    Also, you can use a HIPAA compliant mail service if you want.

  • HeartlandPharmacy
    Answered on July 19, 2018 at 03:37 PM

    Thank you for your help! Could you also elaborate on this comment:

    "The way the data is handled after it is received on the emails at the location has a large part in determining whether the form remains HIPAA Compliant or not."

  • DonaldHag
    Answered on July 19, 2018 at 05:02 PM

    Apologies for providing a statement without clear elaboration.

    What that statement meant is that HIPAA Compliance is primarily about how medical form data is secured. JotForm HIPAA compliance takes care of the data from when the user fills it in up to when the data is viewed in the submissions. This is done by encrypting the data and storing it securely on a separate server that complies with HIPAA standards. Refer to this guide: https://www.jotform.com/help/506-JotForm-HIPAA-Compliance

    Once the data is viewed in the submissions the responsibility is still on your organization to ensure that the data is viewed by the right individuals meant to have access.

    As regards the above issue, it happens that you could have a form that contains Healthcare data combined with other data that is not designated as healthcare data such as email, phone number, address etc.

    With such a setup, non-healthcare data can be made visible in the email submission as the form will still be HIPAA compliant.

    However, healthcare data has to remain protected and as such not displayed in email submissions for the form to be HIPAA compliant.

    Refer to this guide: https://www.jotform.com/help/518-How-to-set-PHI-fields-on-your-forms

  • HeartlandPharmacy
    Answered on July 20, 2018 at 11:35 AM

    Thank you so much. That is extremely helpful. Do you know, if a patient is switching pharmacies, is their date of birth considered PHI?

  • DonaldHag
    Answered on July 20, 2018 at 12:39 PM

    Yes, their date of birth is considered PHI. You have to do de-identification to make this data available, i.e., the data you make visible in the email should contain information that cannot be used to directly identify the user when combined and attached to the health information provided.

    Here is a useful resource on HIPAA: https://www.hhs.gov/hipaa/index.html

    To be on the safer side, it's better to encrypt all the data. This will ensure you are compliant with no worries.

    For more specific customizations, you may have to read through the HIPAA regulations act and confirm that your organization is following the right procedures to secure patient data.
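The two mechanics discussed in this thread, sending the notification only to the location the patient selected and leaving PHI fields out of the email body while contact fields stay visible, can be sketched as a small script. This is an added example and not Jotform's own code; the location names, mailbox addresses, field names and the sample submission are all constructed for illustration. It uses an allowlist of fields permitted in the email, so any field not explicitly marked as non-PHI is masked with the same "Hidden to protect your privacy." text the thread mentions, and an unrecognised location raises an error instead of notifying every mailbox.

```python
"""Added example (not Jotform code): route a submission to the selected
location's mailbox and build a notification body that shows only fields
explicitly marked as non-PHI. Location addresses, field names and the
sample submission are constructed for illustration.
"""
from typing import Dict, Tuple

# Constructed: one notification address per location (hypothetical names).
LOCATION_RECIPIENTS: Dict[str, str] = {
    "Downtown": "downtown@pharmacy.example",
    "Westside": "westside@pharmacy.example",
    "Airport": "airport@pharmacy.example",
}

# Allowlist of fields that may appear in plain text in the email. Everything
# else is treated as PHI and masked, so a field added to the form later is
# hidden by default rather than exposed until someone remembers to mark it.
VISIBLE_FIELDS = frozenset({"location", "email", "phone", "preferred_contact"})
HIDDEN_PLACEHOLDER = "Hidden to protect your privacy."


def route_submission(submission: Dict[str, str]) -> str:
    """Return the single mailbox that should be notified for this submission.

    Raises ValueError for a missing or unknown location so a mis-routed
    notification fails loudly instead of going to every location.
    """
    location = submission.get("location", "")
    if location not in LOCATION_RECIPIENTS:
        raise ValueError(f"unknown location: {location!r}")
    return LOCATION_RECIPIENTS[location]


def redact_submission(submission: Dict[str, str]) -> Dict[str, str]:
    """Replace every field not on the allowlist with the hidden placeholder."""
    return {
        name: value if name in VISIBLE_FIELDS else HIDDEN_PLACEHOLDER
        for name, value in submission.items()
    }


def build_notification(submission: Dict[str, str]) -> Tuple[str, str]:
    """Return (recipient, body) for the location-specific notification email."""
    recipient = route_submission(submission)
    redacted = redact_submission(submission)
    lines = [f"{name}: {value}" for name, value in redacted.items()]
    body = f"New form submission for {submission['location']}\n" + "\n".join(lines)
    return recipient, body


# Constructed sample submission mixing contact fields with PHI fields.
SAMPLE_SUBMISSION: Dict[str, str] = {
    "location": "Westside",
    "email": "patient@example.com",
    "phone": "555-0100",
    "preferred_contact": "phone",
    "full_name": "Jane Doe",
    "date_of_birth": "1980-01-01",
    "medications": "lisinopril 10mg",
}

if __name__ == "__main__":
    to, text = build_notification(SAMPLE_SUBMISSION)
    print("To:", to)
    print(text)
```

The masked fields are not lost: as the answers above describe, the full record stays in the submissions view behind the account login, and the email only carries what the allowlist permits. Keeping the allowlist short and reviewing it whenever the form changes is the part of this that stays the organisation's responsibility, regardless of what the form platform encrypts.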