Does JotForm have HIPAA audit controls/audit log functionality?
Asked by Andrea on April 01, 2013 at 06:58 PM
One of the HIPAA Technical Safeguard requirements is Audit Controls. Every covered entity must comply with Audit Controls.
§ 164.312(b) Audit controls
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.
>> There are no specific implementation standards for this rule, but certainly user logging of access (user, time, date) would seem to be the minimum requirement to meet this standard. This is a required (R) standard, not an addressable (A) one. This means, you HAVE to do it :-)
Question 1: Does JotForm log user access of data with timestamp?
Question 2: Does JotForm have accessible audit logs/reports? This is also another required area of HIPAA (examining audit logs on a regular basis).
INFORMATION SYSTEM ACTIVITY REVIEW (R) - § 164.308(a)(1)(ii)(D)
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
>> This is also a required standard, not addressable. Does JotForm have some kind of a report or easily viewable way to see the logs or incorrect password attempts (to identify intrusion attempts?)
Thanks in advance for any information!
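As an added illustration of the two controls the question describes (it is not JotForm's code): an access log that records user, date/time, action and outcome for every login and data access, and a review routine that scans that log for bursts of failed logins. The function names, the sample users and the sample events are assumptions constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone, timedelta

AUDIT_LOG = []  # in-memory stand-in for an append-only, access-restricted log file


def record_access(user, action, outcome, when=None, resource=None):
    """Append one audit event: who, when (UTC), what, and whether it succeeded."""
    event = {
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "action": action,      # e.g. "login", "view_submission"
        "outcome": outcome,    # "success" or "failure"
        "resource": resource,  # record id when the action touched data, else None
    }
    AUDIT_LOG.append(json.dumps(event, sort_keys=True))  # one JSON line per event
    return event


def review_failed_logins(log_lines, threshold=5, window=timedelta(minutes=10)):
    """Return {user: max failed logins seen inside any sliding window of `window`}."""
    failures = defaultdict(list)
    for line in log_lines:
        ev = json.loads(line)
        if ev["action"] == "login" and ev["outcome"] == "failure":
            failures[ev["user"]].append(datetime.fromisoformat(ev["ts"]))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def build_sample_log():
    """Constructed sample data: one normal session and one password-guessing burst."""
    AUDIT_LOG.clear()
    t0 = datetime(2013, 4, 1, 18, 58, tzinfo=timezone.utc)
    record_access("dr.smith", "login", "success", t0)
    record_access("dr.smith", "view_submission", "success", t0 + timedelta(minutes=1), "sub-1001")
    for i in range(6):  # six failures in 2.5 minutes against one account
        record_access("nurse.jones", "login", "failure", t0 + timedelta(seconds=30 * i))
    return list(AUDIT_LOG)


if __name__ == "__main__":
    print(review_failed_logins(build_sample_log()))
```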
1. I have inquired with our dev team about this. I'll inform you once I hear anything back from them. As far as I remember, we had user logs before, but I'm not quite sure if it was a permanent release. I'll let you know of any updates.
2. This might be related to answer 1. Before, it was accessible via the My Account page, where you were able to search and find logs, but I guess not now. I'll inform you here once it's re-implemented, but I can't promise you anything yet.
3. With regards to invalid login attempts, we do not have this on the user back end, unfortunately.
Thank you for asking!
Let me also add, regarding HIPAA compliance, that you might find this thread useful: http://www.jotform.com/answers/4728-Are-form-submissions-HIPPA-compliant
We disabled this page temporarily to fix problems, but it is now fixed and enabled again. It is on your Account -> History page.
That activity logging should meet the audit logging requirements. Thanks so much for responding so quickly and getting that Account History page fixed!
If Jotform employees or subcontractors ever have access to PHI (administratively, even), Jotform would need to have a BA agreement with each of those customers. And since the data is not encrypted on your servers, not sure how you can get around not having a BA agreement with each medical customer that stores any PHI?
Hello Andrea. I have forwarded your question regarding the BA agreement to my higher-ups.
Thanks Jeanette, I look forward to the information!
"administrative reasons": If you report a problem on your account a support team member can log into your account and try to re-create the problem. The support team has access to your data and it is not encrypted.
I think you should consider using JotForm Application instead. It is installed on your own servers, so we do not have any access to the data:
Note that JotForm Application does not have many features of www.jotform.com, such as integrations with 3rd-party services, and we do not plan to add them in the future. You must try out the demo on the link above and see if it suits your needs.
Would you consider signing a business associate agreement for HIPAA purposes? We are a small practice and do not run our own servers but we would like to use your forms for PHI.
Good day! I have forwarded your inquiry to our higher-ups.
I request that you open a separate thread with that inquiry so I can further escalate it to our higher-ups.
Please start a new thread here: http://www.jotform.com/answers/answer.php?.