- masud anwarAsked on April 29, 2014 at 11:59 PM
I just came across a form that would have me submit my health information (HIPAA) and social security, etc PCI and PAN.
And I noticed this form uses "http", not even https. And the terms I described in my subject contains regulation/compliance guidelines on data handling guidelines and I seriously doubt that your website comes close to these.
There are very serious consequences if these very strict guidelines are not followed.
I thought I should bring it your attention.
I will also be contacting me medical facility to raise these concerns.
Thanks and regards,
- CesarAnswered on April 30, 2014 at 12:14 AM
Thank you for your input. Or forms can be used as secure form by prefixing the URL as https://secure. instead of http://form.
Please review the following guide on Secure SSL Submissions:
Do note that JotForm does not hold HIPPA compliance certification. You are still able to use are services in a secure manner as dictated by such compliance, aslong as you limit and controll the submission data generated by your forms.
Please read the following excerpt of thread: http://www.jotform.com/answers/261547
Jotform doesn't have HIPAA Compliance Certificate, but you can use Jotform in HIPAA Compliant way. Please check the below details:
Our servers already match all criteria since we already care a lot about the security. However, some features of our application are not HIPAA compliant so if you refrain from using those features, I think you should be fine.
1. Always use SSL (https) version of JotForm site on your browser. Use "https://www.jotform.com" to login to your account, create your forms, look at your submissions and link to your forms.
2. Edit emails on all forms to make sure no specific information is used on them. We send emails in plain text. So, they are not secure. Only use emails to get alerts to know there is a new submission. Once you receive an email alert, log into the secure JotForm site and then look at the user
3. If you use the Reports feature only do it with password protection. That will both ask for a password, and it will transfer all data over SSL.
4. Same for uploads. They are not password protected.
5. Logout immediate after you are done with the site.
6. Regularly download submissions and then delete them.
Data stored on our servers are not encrypted, but access to our servers is safeguarded. Data transmission from the person who submits their health information to our servers can be done in an encrypted manner, by using the forms securely.
JotForm certainly complies with the technical safeguard section of the HIPAA security rule:
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
This is originally discussed on thread: http://www.jotform.com/answers/4728.
Do let us know if you need further assistance. Thank you.
- masud anwarAnswered on April 30, 2014 at 12:41 AMhello, while I appreciate the fast response on this subject.
I am now more concerned, HIPAA Compliance is NOT a mere "https" checkbox.
Far from it, did you know that each time a person is exposed to another
person's health-info, without a very narrowly-defined description of "need
to know", it is considered a "single" violation.
Depending on the type of violation, each may carry a fine of 100 to 50000
A repeat occurrence within a single calendar year can nicely bring such
fine to 1.5mil. I am just trying to raise your interest in this VERY
My two cents are, please do familiarize yourself with HIPAA guidelines, and
- CesarAnswered on April 30, 2014 at 12:51 AM
Thank you for you input. It appears most of the response got cut off on our forum. Do note that we are prompting you that our services do not hold HIPPA Compliance Certification. And we do understand that a checkbox to enable SSL settings is only but a fraction of what encompasses security measures.
User's submitted data is not shared with anyone in any way from our end. It is the user's responsibility to maintain submission data secured and not shared with anyone.
For example, by not leaving submission data unattended and not sharing account access.
Again, thank you for your input.