Is JotForm HIPAA Compliant?
Asked by Jeanette on February 13, 2014 at 06:43 PM

JotForm Support Manager
Currently JotForm does not hold a HIPAA compliance certificate; nevertheless, you can use JotForm in a HIPAA-compliant way.
More details below:
Jotform has a very powerful cloud of secure servers.
This provides security protection against malicious attacks like SQL injection and denial of service (DoS) attacks.
We provide a very high security level throughout our hosting provider's servers for stored data.
Moreover, all of our SSL certificates support high-grade 256-bit encryption.
In that sense, JotForm certainly complies with the technical safeguard section of the HIPAA security rule:
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
For a better explanation of how to be HIPAA compliant using JotForm, you must know that data stored on our servers is not encrypted unless you enable encryption. At any rate, access to our servers is highly safeguarded.
On the other hand, data transmission from the person who submits their health information to our servers can be done in an encrypted manner, by using the forms securely.
So, to be compliant with HIPAA rules, users must follow this advice:
1. Create encrypted forms; JotForm employees will never have access to the data.
Only you and your representatives will be able to see it, using the encryption key. Be sure to store it securely; otherwise the data cannot be viewed or decrypted. Also, be aware that data stored at rest which was submitted using encryption cannot be decrypted if you download it.
2. If you do not wish to send data in emails, be sure to edit the email notifications in your forms and make sure no specific information is used in them. We send emails in plain text. Only use emails to get alerts that there is a new submission. Once you receive an email alert, log into the secure JotForm site and then look at the user
3. If you use the Reports feature, only do it with password protection. That will both ask for a password and transfer all data over SSL.
4. The same applies to uploads. They are not password protected.
5. Log out immediately after you are done with the site.
6. Regularly download submissions and then delete them.
For further questions, please open your own thread in our Support Forum and ask your questions there.
Our Support Staff will be glad to assist you.
Just so y'all know, there is no HIPAA certification from the government. HIPAA compliance is based on your practices and procedures as it applies to the HIPAA regulations. Keep in mind that these regulations are seen as the absolute minimum, and meeting just the minimum would not be sufficient. So JotForm has a seriously large market that has barely been tapped, review HIPAA regs and get busy!! :)
No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.
JotForm Support Manager
Thank you for your observations; we will certainly review the HIPAA regulations and advise our users better.
As a HIPAA compliance officer in a medical practice, I would love to use JotForm. However, any covered entity that is subject to HIPAA cannot use JotForm if a Business Associate Agreement is not made. Since information is passed and stored through the JotForm servers, JotForm would be considered a Business Associate. JotForm seems to have some great security and meets the needs for HIPAA except for the Business Associate Agreement. If JotForm would reconsider its stance and would sign Business Associate Agreements, I know I would be a customer, and I'm sure many other covered entities would be as well.
JotForm Support Manager
I want to thank you for your interest in using JotForm. We'd love the opportunity to welcome you.
However, separate agreements are deemed beyond the scope of our business model.
May I suggest that official documentation be made a permanent section in the user guide, so that all matters concerning HIPAA compliance are comprehensively covered instead of referencing a forum thread.
JotForm Support Manager
@Kyle, thank you for the suggestion; this certainly needs to go into a section in the user guide.
man, it sure would be easy for JOT to make a BAA..... No dice on this?
Since we are not officially HIPAA compliant, we cannot sign a BAA. Compliance, for the most part, is up to users to enforce. We do not do so on our end, though our forms can be used in a compliant manner.
Sure wish JotForm would listen to these suggestions.
And what is being stated by JotForm in this thread is contradictory:
1. It is stated that all the technical security is in order for HIPAA compliance (except the BAA), AND,
2. JotForm is not technically HIPAA compliant and therefore can't sign a BAA.
Please know what you are or are not and communicate it clearly. And please know the issues of HIPAA compliance -- it is not that scary (many are scared of HIPAA).
Please don't tell people they can use JotForm in a HIPAA-compliant manner when HIPAA requires a signed BAA to be compliant, and you say you won't or can't sign one.
Thanks! Hopefully JotForm can overcome this small hurdle and have a lot more customers.
We might be able to provide the BAAs in the future, but we cannot provide you with the ETA at this time. As soon as we have any updates on this subject, we will inform our users.
As explained, we do follow industry standard best practices to keep the service secure. For instance, JotForm is a PCI DSS Level 2 Compliant Service Provider.