HIPAA Enabled Account - Still Encrypted if PHI Button Turned Off?

  • Profile Image
    Asked on June 25, 2020 at 12:48 PM

    I understand that turning on the PHI button causes the fields to not be sent in the notification and autoresponder emails, but does it otherwise behave the same way as the fields that have the button toggled on?

    For example, our email system is also HIPAA compliant and encrypted, so if we chose to turn off the PHI switch on an online form, would that data stay encrypted and sent directly to our email?

    The HIPAA compliance rules we have utilized for emails are that PHI should not be in the Subject line, but PHI may be located in the body of the email (especially if it is a patient-initiated contact).

  • Profile Image
    Answered on June 25, 2020 at 01:55 PM

    We have ensured that there is no data breach for protected health information (PHI) stored via the forms hosted by JotForm. This information can be shared with 3rd party services (including email services) only if you ensure they are HIPAA compliant email services. Even in this case, all data sharing must be done over secure channels. 

    When we send submission data via emails (PHI turned off), we lose control over that data as it can be shared with someone else without even noticing the data breach. 

    That is the reason we send you an email notifying about the submission (PHI turned on) and expect you to log in to Jotform to see your data.


    The email is unencrypted, the link is plain. However, the page you will land (when you clicked view submission link) is protected and requires authentication.