What is JotForm?
JotForm is a free online form builder which helps you create online forms without writing a single line of code. No sign-up required.

At JotForm, we want to make sure that you’re getting the online form builder help that you need. Our friendly customer support team is available 24/7.

We believe that if one user has a question, there could be more users who may have the same question. This is why many of our support forum threads are public and available to be searched and viewed. If you’d like help immediately, feel free to search for a similar question, or submit your question or concern.

  • Profile Image

    Does JotForm have HIPAA audit controls/audit log functionality?

    Asked by Andrea on April 01, 2013 at 06:58 PM

    One of the HIPAA Technical Safeguard requirements is Audit Controls. Every covered entity must comply with Audit Controls. 

    § 164.312(b) Audit controls

    Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.

    >> There are no specific implementation standards for this rule, but certainly user logging of access (user, time, date) would seem to be the minimum requirement to meet this standard. This is a required (R) standard, not an addressable (A) one. This means, you HAVE to do it :-)

    Question 1: Does JotForm log user access of data with timestamp? 

    Question 2: Does JotForm have accessible audit logs/reports? This is also another required area of HIPAA (examining audit logs on a regular basis). 


    INFORMATION SYSTEM ACTIVITY REVIEW (R) - § 164.308(a)(1)(ii)(D)

    “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."

    >> This is also a required standard, not addressable. Does JotForm have some kind of a report or easily viewable way to see the logs or incorrect password attempts (to identify intrusion attempts?)

    Thanks in advance for any information!


  • Profile Image
    JotForm Support

    Answered by EltonCris on April 01, 2013 at 08:47 PM

    Hi Andrea,

    1. I have inquired information to our dev team about this. I'll inform you once I heard anything back from them. As far as I remember, we have user logs before but not quite sure if it was for permanent release. I'll let you know for any updates.

    2. Might be related with answer 1. Before, it was acccessible via My Accounts page, you will be able to search and find logs but I guess not until now. I'll inform you here once it's re-implemented but I can't promise you anything yet.

    3. With regards to invalid login attempts, we do not have this on the user back end unfortunately.

    Thank you for asking!

  • Profile Image
    JotForm Support

    Answered by EltonCris on April 01, 2013 at 08:50 PM

    Let me also add regarding HIPPA Compliant, you might find this thread useful: http://www.jotform.com/answers/4728-Are-form-submissions-HIPPA-compliant


  • Profile Image
    JotForm Founder

    Answered by aytekin on April 02, 2013 at 07:22 AM

    We disabled this page temporarily to fix problems but it is now fixed and enabled it back. It is on your Account -> History page. 


  • Profile Image

    Answered by sleepdiagnostics on April 02, 2013 at 10:21 AM

    Thank you!

    That activity logging should meet the audit logging requirements. Thanks so much for responding so quickly and getting that Account History page fixed!


  • Profile Image

    Answered by sleepdiagnostics on April 02, 2013 at 12:40 PM

    I also have a more specific question on Jotform's internal controls for Jotform employees access to data. Since I'm assuming that JotForm doesn't sign Business Associate agreements with Covered Entities (I am assuming this), I can only find this disclaimer, "We will not access your data for non-administrative reasons." under your Privacy Policy. 

    What are "administrative" reasons that Jotform would access data? With this vaguely worded Privacy Policy, it doesn't seem that medical providers could use this product without a Business Associate Agreement that spells out exactly what is being accessed, when, where, how, etc. by Jotform.

    If Jotform employees or subcontractors ever have access to PHI (administratively, even), Jotform would need to have a BA agreement with each of those customers. And since the data is not encrypted on your servers, not sure how you can get around not having a BA agreement with each medical customer that stores any PHI?

  • Profile Image

    Answered by jeanettebmz on April 02, 2013 at 12:50 PM

    Hello Andrea. I have forwarded your question on regards to the BA agreement to my higher ups.

  • Profile Image

    Answered by sleepdiagnostics on April 02, 2013 at 02:22 PM

    Thanks Jeanette, I look forward to the information!

  • Profile Image
    JotForm Founder

    Answered by aytekin on April 03, 2013 at 03:29 AM

    "administrative reasons": If you report a problem on your account a support team member can log into your account and try to re-create the problem. The support team has access to your data and it is not encrypted. 

    I think you should consider using JotForm Application instead. It is installed on your own servers so we do not have any access to the data:



    Note that JotForm Application does not have many features of www.jotform.com such as integrations with 3rd party services. And, we do not plan to add them in the future. You must try out the demo on the link above and see if it suits your needs. 

  • Profile Image

    Answered by cshull on August 20, 2013 at 01:12 PM

    Would you consider signing a business associate agreement for HIPAA purposes?  We are a small practice and do not run our own servers but we would like to use your forms for PHI.


  • Profile Image
    JotForm Support

    Answered by Welvin on August 20, 2013 at 04:43 PM


    Good day! I have forwarded your inquiry to our higher ups. 


  • Profile Image
    JotForm Support

    Answered by Welvin on August 20, 2013 at 04:52 PM


    I request you to open a separate thread with that inquiry so I can further escalate the thread to our higher ups.

    Please start a new thread here: http://www.jotform.com/answers/answer.php?.