Question about HIPAA and completion of forms

  • Profile Image
    Asked on March 29, 2021 at 08:21 PM


    We are using jotform for intake paperwork for our medical practice. We have recently learned from a patient that after they completed their form, a completed copy of the form was sent back to them. Does this happen with Jotform where patients get a copy of their forms sent back to them? Is it an option they check to receive a copy? The paperwork has PHI on it, so we are concerned about the transmission of this paperwork to any email other than our office, including the patient.

    We have since ensured that HIPAA compliance has been completed through Jotform, BAA signed and hope this was an isolated incident. Any further information regarding this would be helpful. Thank you

  • Profile Image
    Answered on March 30, 2021 at 04:19 AM

    We actually did receive a complaint from one of your patients first for which we have contacted you thru email and we have also advised them to contact you directly.

    Previously, by default, forms have a notification email (sent to you) and autoresponder email (sent to the respondent).

    Note that you alone have control over who receives the email as you specify the recipient in it.

    I believe you are already aware of the Email section on your form as I can see the notification email no longer have the default recipient.

    If you do not wish to send an email to your respondents/patients, you can delete the Autoresponder email.


    Note that at the time of the complaint, your account was not yet HIPAA-compliant, as such, there is no way for the system to determine whether fields on your form contain PHI, hence, all data were sent over in the email.

    Since you have now enabled HIPAA-compliance in your account, as long as you keep the field's PHI toggle enabled, then that data will not be sent over thru email.