- Andrea Asked on April 01, 2013 at 06:58 PM
One of the HIPAA Technical Safeguard requirements is Audit Controls. Every covered entity must comply with Audit Controls.
§ 164.312(b) Audit controls
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.
>> There are no specific implementation standards for this rule, but certainly user logging of access (user, time, date) would seem to be the minimum requirement to meet this standard. This is a required (R) standard, not an addressable (A) one. This means, you HAVE to do it :-)
Question 1: Does JotForm log user access of data with timestamp?
Question 2: Does JotForm have accessible audit logs/reports? This is also another required area of HIPAA (examining audit logs on a regular basis).
INFORMATION SYSTEM ACTIVITY REVIEW (R) - § 164.308(a)(1)(ii)(D)
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
>> This is also a required standard, not addressable. Does JotForm have some kind of a report or easily viewable way to see the logs or incorrect password attempts (to identify intrusion attempts?)
Thanks in advance for any information!
- JotForm Support EltonCris Answered on April 01, 2013 at 08:47 PM
1. I have asked our dev team for information about this. I'll inform you once I hear anything back from them. As far as I remember, we had user logs before, but I'm not quite sure if it was for permanent release. I'll let you know of any updates.
2. Might be related to answer 1. Before, it was accessible via My Accounts page, you will be able to search and find logs but I guess not until now. I'll inform you here once it's re-implemented but I can't promise you anything yet.
3. With regards to invalid login attempts, we do not have this on the user back end unfortunately.
Thank you for asking!
- JotForm Support EltonCris Answered on April 01, 2013 at 08:50 PM
Let me also add, regarding HIPAA compliance, you might find this thread useful: http://www.jotform.com/answers/4728-Are-form-submissions-HIPPA-compliant
- JotForm Founder aytekin Answered on April 02, 2013 at 07:22 AM
We disabled this page temporarily to fix problems, but it is now fixed and we have enabled it again. It is on your Account -> History page.
- sleepdiagnostics Answered on April 02, 2013 at 10:21 AM
That activity logging should meet the audit logging requirements. Thanks so much for responding so quickly and getting that Account History page fixed!
- sleepdiagnostics Answered on April 02, 2013 at 12:40 PM
If Jotform employees or subcontractors ever have access to PHI (administratively, even), Jotform would need to have a BA agreement with each of those customers. And since the data is not encrypted on your servers, not sure how you can get around not having a BA agreement with each medical customer that stores any PHI?
- jeanettebmz Answered on April 02, 2013 at 12:50 PM
Hello Andrea. I have forwarded your question regarding the BA agreement to my higher-ups.
- sleepdiagnostics Answered on April 02, 2013 at 02:22 PM
Thanks Jeanette, I look forward to the information!
- JotForm Founder aytekin Answered on April 03, 2013 at 03:29 AM
"administrative reasons": If you report a problem on your account a support team member can log into your account and try to re-create the problem. The support team has access to your data and it is not encrypted.
I think you should consider using JotForm Application instead. It is installed on your own servers so we do not have any access to the data:
Note that JotForm Application does not have many features of www.jotform.com such as integrations with 3rd party services. And, we do not plan to add them in the future. You must try out the demo on the link above and see if it suits your needs.
- cshull Answered on August 20, 2013 at 01:12 PM
Would you consider signing a business associate agreement for HIPAA purposes? We are a small practice and do not run our own servers but we would like to use your forms for PHI.
- JotForm Support Welvin Answered on August 20, 2013 at 04:43 PM
Good day! I have forwarded your inquiry to our higher-ups.
- JotForm Support Welvin Answered on August 20, 2013 at 04:52 PM
I request that you open a separate thread with that inquiry so I can further escalate the thread to our higher-ups.
Please start a new thread here: http://www.jotform.com/answers/answer.php?.