- JotForm Support Manager Jeanette, asked on February 13, 2014 at 06:43 PM
Currently, JotForm does not hold a HIPAA compliance certificate; nevertheless, you can use JotForm in a HIPAA-compliant way.
More details below:
JotForm has a very powerful cloud of secure servers.
This provides security protection against malicious attacks like SQL injection and denial of service (DoS) attacks.
We provide a very high security level throughout our hosting provider's servers for stored data.
Moreover, all of our SSL certificates support high-grade 256-bit encryption.
In that sense, JotForm certainly complies with the technical safeguard section of the HIPAA security rule:
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
For a better explanation of how to be HIPAA compliant using JotForm, you must know that data stored on our servers is not encrypted unless you enable encryption. At any rate, access to our servers is highly safeguarded.
On the other hand, data transmission from the person who submits their health information to our servers can be done in an encrypted manner, by using the forms securely.
So, to be compliant with HIPAA rules, users must follow this advice:
1. Create encrypted forms; JotForm employees will never have access to the data.
Only you and your representatives will be able to see it, using the encryption key. Be sure to store it securely; otherwise the data cannot be seen or decrypted. Also, be aware that data stored at rest, which was submitted using encryption, cannot be decrypted if you download it.
2. If you do not wish to send data in emails, be sure to edit the email notifications in your forms and make sure no specific information is included in them. We send emails in plain text. Only use emails to get alerts that there is a new submission. Once you receive an email alert, log into the secure JotForm site and then look at the user
3. If you use the Reports feature, only do so with password protection. That will both ask for a password and transfer all data over SSL.
4. Same for uploads. They are not password protected.
5. Log out immediately after you are done with the site.
6. Regularly download submissions and then delete them.
For further questions, please open your own thread in our Support Forum and ask your questions there.
Our Support Staff will be glad to assist you.
- Ben Higginbotham, answered on October 15, 2015 at 12:19 PM
Just so y'all know, there is no HIPAA certification from the government. HIPAA compliance is based on your practices and procedures as it applies to the HIPAA regulations. Keep in mind that these regulations are seen as the absolute minimum, and meeting just the minimum would not be sufficient. So JotForm has a seriously large market that has barely been tapped, review HIPAA regs and get busy!! :)
No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.
- JotForm Support Manager Jeanette, answered on October 15, 2015 at 11:14 PM
Thank you for your observations; we certainly will review HIPAA regulations and advise our users better.
- Abe, answered on October 29, 2015 at 07:07 PM
As a HIPAA compliance officer in a medical practice, I would love to use JotForm. However, any covered entity that is subject to HIPAA cannot use JotForm if a Business Associate Agreement is not made. Since information is passed and stored through the JotForm servers, JotForm would be considered a Business Associate. JotForm seems to have some great security and meets the needs for HIPAA except for the Business Associate Agreement. If JotForm would reconsider its stance and would sign Business Associate Agreements, I know I would be a customer, and I'm sure many other covered entities would be as well.
- JotForm Support Manager Jeanette, answered on October 29, 2015 at 11:25 PM
I want to thank you for your interest in using JotForm. We'd love the opportunity to welcome you.
However, separate agreements are deemed beyond the scope of our business model.
- Kyle, answered on November 15, 2015 at 04:27 PM
May I suggest that official documentation be made a permanent section in the user guide, so that all matters concerning HIPAA compliance are comprehensively covered instead of referencing a forum thread.
- JotForm Support Manager Jeanette, answered on November 15, 2015 at 06:26 PM
@Kyle, thank you for the suggestion, this certainly needs to go into a section in the user guide.
- mightyogre, answered on September 20, 2016 at 12:13 PM
Man, it sure would be easy for JotForm to make a BAA... No dice on this?
- JotForm Support david, answered on September 20, 2016 at 01:55 PM
Since we are not officially HIPAA compliant, we cannot sign a BAA. Compliance, for the most part, is up to users to enforce. We do not do so on our end, though our forms can be used in a compliant manner.
- Marc, answered on October 10, 2016 at 01:42 PM
Sure wish JotForm would listen to these suggestions.
And what is being stated by JotForm in this thread is contradictory:
1. It is stated that all the tech security is in order for HIPAA compliance (except BAA), AND,
2. JotForm is not technically HIPAA compliant and therefore can't sign a BAA.
Please know what you are or are not and communicate it clearly. And please know the issues of HIPAA compliance -- it is not that scary (many are scared of HIPAA).
Please don't tell people they can use JotForm in a HIPAA compliant manner while HIPAA requires a signed BAA to be compliant to use it and you say you won't or can't sign one.
Thanks! Hopefully JotForm can overcome this small hurdle and have a lot more customers.
- JotForm Support Mike, answered on October 10, 2016 at 03:43 PM
We might be able to provide the BAAs in the future, but we cannot provide you with an ETA at this time. As soon as we have any updates on this subject, we will inform our users.
As explained, we do follow industry standard best practices to keep the service secure. For instance, JotForm is a PCI DSS Level 2 Compliant Service Provider.
- JotForm Support david, answered on December 15, 2016 at 03:50 PM
Please disregard the link provided by the previous user. They have no affiliation to JotForm at all and their posts will be removed.
- Steve, answered on January 18, 2017 at 05:53 PM
Has there been any progress made on JotForm deciding to sign BAAs? I've been shocked to find there aren't any event registration companies that will take this one step; it appears to be a huge untapped market. You've already done all the hard work of dealing with encryption, keeping PHI out of emails, etc., but until you will sign a BAA it's all for naught.
- JotForm Support Manager Jeanette, answered on January 18, 2017 at 05:56 PM
Please send me your BAA and also the plan you are thinking of acquiring, and we will take this into consideration.
- JotForm Support Manager Jeanette, answered on January 18, 2017 at 05:57 PM
I will be contacting you via email.
- Bruce Kittle, answered on February 02, 2017 at 11:06 AM
I would very much like a copy of your BAA, please. I too am in the health profession and cannot use JotForm without it. Take a quick look at this industry and the projections for it in this decade; they are astronomical. You can't afford to drag your feet on this issue. The health-related industry could be the biggest customer you ever have.
- JotForm Support david, answered on February 02, 2017 at 11:11 AM
@Bruce If you wouldn't mind forwarding your BAA to our support email along with any other details, we will see what we can do for you.
- JotForm Support david, answered on February 02, 2017 at 11:12 AM
Apologies, I should have included the support email address:
- carlygold, answered on February 09, 2017 at 06:12 PM
Google shares their BAA; I believe it is part of their terms of service. I'm sending a link to their language to the support address you list.
The JotForm customer has the responsibility to use the service in a compliant manner utilizing encrypted forms etc.
Your market would expand immensely if you added a BAA!!
- Steve Douglas, answered on March 07, 2017 at 01:06 PM
Thank you for this thread and information. I, too, am seeking solutions for online form usage for a large group of medical and dental clinics in SW Missouri. I will e-mail you our BAA and see if it is possible for us to work something out.
We switched to JotForm from WuFoo in October of 2016 and could not be happier. Your forms and services are exactly what we have needed, with the exception of HIPAA compliance. We have been so satisfied with your site. Thank you.
- JotForm Support david, answered on March 07, 2017 at 02:22 PM
@Steve we will see what we can do about the BAA you sent as soon as we get to your email. We may be offering a subscription level in the future that includes a BAA and SLA if needed. We may be holding off on signing agreements until that time but I am not 100% sure.
- Franny, answered on April 14, 2017 at 12:30 PM
David, our company would be willing to pay a subscription fee if a BAA was available to sign. The sooner the better :)
- Andrew, answered on April 21, 2017 at 03:41 PM
I have multiple clients who are looking to use HIPAA compliant form submissions for their websites. This would be great to have as they would not need a dedicated server if JOTFORM was handling the actual form. The form could travel through Jotform even on the individual pages and save a butt load of money vs having to pay for a dedicated server to keep the information safe.
There is a lot to HIPAA, like your server should be under lock and key with only authorized access. Please let me know ASAP if you are still signing the agreements, and I can let my clients know.
- AIDAN, answered on May 24, 2017 at 05:29 PM
We will address your issue in this new thread: https://www.jotform.com/answers/1153976