Website Embedded Form HIPAA Compliant

  • Asked on June 25, 2020 at 12:40 PM

    If I embed a form in a public website for potential healthcare patients to contact us, does that information pass through anywhere other than Jotform, my email, or any integrations I have?

    For example, does it go through any portion of my website hosts servers?

  • Answered on June 25, 2020 at 01:41 PM

    Thank you for your message.

    In this case, whether the form is embedded in your website or you are using the direct form link, all the information will be stored in your Jotform account. As for the emails, you are going to receive a notification, but the information will be encrypted due to the HIPAA compliance requirements.

    The recommended integration is Google Sheets, since it is HIPAA compliant.

    If you need any further assistance, please let us know. We will be happy to help.

  • Answered on June 25, 2020 at 01:54 PM

    Thank you.

    To clarify, what do you mean the information will be encrypted/under what circumstances?

    If the PHI switch is turned off, will all of the information in the emails still be encrypted? Or are they only encrypted if the PHI switch is turned on?

    By encryption, do you just mean that the information will not show up in the emails, but only in Drive/Sheets?

    To me, if Jotform's account servers are set up to be HIPAA compliant, and my email system is HIPAA compliant, that will fulfill my compliance requirements.

  • Answered on June 25, 2020 at 03:12 PM

    Thanks for your questions!

    HIPAA forms look just like any other online form. You can still embed them into your web pages or send their URLs by email. Their main difference is how they store and transfer data. Jotform's HIPAA Forms encrypt the data right on your form and then transfer and store the data encrypted. The HIPAA form data is stored in our HIPAA-compliant servers, which are separated from the Internet using multiple levels of protection and firewalls, and the encrypted data is stored in encrypted databases.

    Thus, if you embed a form in a public website for potential healthcare patients to contact you, the data would still be sent only to Jotform and the connected integrations/email notifications. There won't be any connection in terms of data transfer between our forms and the host website's server, so be assured that none of the information would be sent outside of Jotform.

    Now about your question about PCI:

    Since your account is HIPAA compliant, all fields are marked as “Protected” by default. You can change any of them according to your needs. Please note that marking a field as “Not Protected” doesn’t change anything about how Jotform stores your data. Your data is always encrypted, even if you mark some fields as “Not Protected”. This setting is just a clue for us to decide whether we can use them in emails or third-party integrations you might have.

    For instance, below, the Email field is set as Not Protected, and “Are you currently taking any medication” as Protected:

    Here is an example Notification email. Please note how protected fields were removed:

    Thus, as HIPAA Compliance is enabled on your account, all your data would always be encrypted. PHI fields on your forms just give you the ability to make some fields in notification emails visible, as by default they are hidden and can only be accessed from your account's submission page.

    Briefly, as long as HIPAA is enabled on your account, all your forms and data will meet HIPAA requirements.

    Related guide:

    Please check and let us know if you have any further questions.

    Thank you in advance!
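The behaviour described in the answer above (every field defaults to Protected, and only fields explicitly marked Not Protected are allowed into notification emails and third-party integrations) is a data-minimization rule that is easy to get wrong in a custom notification pipeline. The following is an added example, not Jotform's code, that models that rule with hypothetical names (`FormField`, `split_submission`, `render_notification`) and constructed sample data. It fails closed: a submitted key with no schema entry is withheld as if it were Protected, so a question added to the form later can never appear in an email before someone has reviewed its setting.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FormField:
    """Schema entry for one form question (hypothetical model, not Jotform's)."""
    name: str              # machine key used in the submission payload
    label: str             # text shown on the form and in notification emails
    protected: bool = True  # default is Protected, as the thread describes for HIPAA accounts


def split_submission(
    fields: Iterable[FormField], submission: Dict[str, str]
) -> Tuple[Dict[str, str], List[str]]:
    """Split a submission into values allowed in emails/integrations and the labels withheld.

    Returns (visible, withheld). Fail closed: any submitted key that is not in the
    schema is treated as Protected and withheld rather than forwarded.
    """
    schema = {f.name: f for f in fields}
    visible: Dict[str, str] = {}
    withheld: List[str] = []
    for key, value in submission.items():
        f = schema.get(key)
        if f is not None and not f.protected:
            visible[f.label] = value
        else:
            withheld.append(f.label if f is not None else key)
    return visible, withheld


def render_notification(
    form_title: str,
    fields: Iterable[FormField],
    submission: Dict[str, str],
    submission_url: str,
) -> str:
    """Build the plain-text body of a notification email containing only Not Protected fields.

    Protected values never enter the body; the reader is pointed at the account's
    submission page (submission_url is a placeholder) to view them there.
    """
    visible, withheld = split_submission(fields, submission)
    lines = [f"New submission: {form_title}", ""]
    for label, value in visible.items():
        lines.append(f"{label}: {value}")
    if withheld:
        lines.append("")
        lines.append(
            f"{len(withheld)} protected field(s) withheld; "
            f"view them in your account: {submission_url}"
        )
    return "\n".join(lines)


# Constructed sample schema mirroring the answer's example: Email is Not Protected,
# the medication question is Protected.
FIELDS = [
    FormField("email", "Email", protected=False),
    FormField("medication", "Are you currently taking any medication", protected=True),
]

# Constructed sample submission. "notes" is deliberately absent from FIELDS to show
# the fail-closed path for a question that was added without a protection setting.
SAMPLE_SUBMISSION = {
    "email": "patient@example.com",
    "medication": "Yes, lisinopril 10 mg daily",
    "notes": "Please call after 5pm",
}

if __name__ == "__main__":
    print(render_notification("Contact Us", FIELDS, SAMPLE_SUBMISSION,
                              "https://example.invalid/submissions/1"))
```

The same `split_submission` result can feed an integration payload (only `visible` is sent), which keeps the email and integration paths governed by one rule instead of two copies that can drift apart.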