- Clarrigan, asked on August 04, 2010 at 05:51 PM
I am a mental health therapist and wish to use JotForm for clients to submit mental health forms prior to their first appointment. Personal health information and identifying information is on the form.
- aytekin (JotForm Founder), answered on August 05, 2010 at 08:46 AM
Yes, it is possible to use JotForm in a HIPAA-compliant way. Our servers already match all criteria since we already care a lot about security. However, some features of our application are not HIPAA compliant, so if you refrain from using those features, I think you should be fine.
1. Always use SSL (https) version of JotForm site on your browser. Use "https://www.jotform.com" to login to your account, create your forms, look at your submissions and link to your forms.
2. Edit emails on all forms to make sure no specific information is used on them. We send emails in plain text. So, they are not secure. Only use emails to get alerts to know there is a new submission. Once you receive an email alert, log into the secure JotForm site and then look at the user
3. Do not use the Reports feature, since the report URLs are not password protected.
4. If you use the Reports feature, only do it with password protection. That will both ask for a password and transfer all data over SSL.
5. Same for uploads. They are not password protected.
6. Log out immediately after you are done with the site.
7. Regularly download submissions and then delete them.
These are all I can think of right now. But if I think of anything else I will post it here.
Update: Reports now support password protection. So you can use them.
- promusic, answered on May 04, 2012 at 12:45 PM
From what I am coming to understand, JotForm's security outside of its web domain is not secure, right?
So my question is: if I access the contact information from the jotform domain, is the connection secure, or is it also vulnerable?
- Mike_T (JotForm Support), answered on May 04, 2012 at 05:16 PM
That is not correct. You can embed the SSL version of your form into your website; in that case all the data will be encrypted. Please check the following tutorial to get information about how to receive SSL submissions.
It is also possible to get the licensed JotForm Application and install it on your own server.
Please feel free to contact us if you need any further assistance.
- guest_22695332303045, answered on September 26, 2012 at 01:51 PM
Is the data stored on JotForm servers encrypted though? That is a HIPAA requirement. Not only must it be submitted over SSL, but it has to be stored encrypted.
- NeilVicente (JotForm Support), answered on September 26, 2012 at 02:35 PM
Data stored on our servers is not encrypted, but access to our servers is safeguarded. Data transmission from the person who submits their health information to our servers can be done in an encrypted manner, by using the forms securely.
JotForm certainly complies with the technical safeguard section of the HIPAA security rule:
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
If you have further questions, please feel free to ask.
- loftbazaar, answered on June 10, 2013 at 09:46 PM
Are uploads not encrypted? So uploads are not HIPAA-level secure? Should I ask for uploads in a different manner then?
- EltonCris (JotForm Support), answered on June 10, 2013 at 10:57 PM
Please open your question in a separate thread so we can assist you better. This thread is pretty old and it's already resolved. Thank you for your understanding!
- vinvalentino, answered on July 31, 2013 at 05:14 AM
Encryption is recommended, but not required by HIPAA. If you take common sense measures to ensure that the data is negligently exposed you've pretty much covered your HIPAA bases.
- bdiddy, answered on October 21, 2013 at 06:52 PM
We went through your steps but Internet Explorer is giving us the warning, "Internet Explorer blocked this website from displaying content with security certificate errors."
If this truly was a secure form using https, we shouldn't get this error, correct?
- jeanettebmz, answered on October 21, 2013 at 08:45 PM
Please open a new thread, provide your form link, webpage URL and, if possible, screenshots of the error, and we will be glad to assist you.
- Zach, answered on April 21, 2015 at 10:11 AM
I love JotForm because this is an easy tool to use, without having to know any PHP, or Server side scripting languages. That being said, unless they are willing to sign the Business Associate Agreement, and provide a list of their HIPAA Policies and Procedures, I wouldn't risk sending any ePHI through JotForm Submission. (Good Explanation Here...)
Under the HITECH Act and Omnibus Final Ruling, all electronic protected health information (ePHI) at rest must be encrypted with FIPS 140-2 level encryption (this can be found on the NIST website). Simple physical safeguards and technical safeguards are not compliant. The company transmitting, storing, or providing a service on behalf of a covered entity or business associate of a covered entity, where ePHI is handled, must also sign a Business Associate Agreement (BAA). Once the BAA is signed, the now business associate or subcontractor (JotForm) will be held to the same standards as a health care institution (covered entity).
Pay special attention to page three, center column, second paragraph in this hhs.gov/article.
In short, YOU AND JotForm are held liable for the housing of ePHI no matter where it is stored in the end (if they sign a BAA or stop claiming to be HIPAA compliant). Just by using their servers and not getting compliance verification, your business will be held liable until you take "reasonable and appropriate" measures to safeguard ePHI. They must be 100% HIPAA compliant; if they only meet 80% of the standards, then they are not HIPAA compliant. Note the link above (hhs.gov/article, pg 3, center column, 2nd paragraph).
Remove any comment sections or file upload sections where ePHI may be transmitted through the JotForm servers, and remove the risk. Setting appointments should be fine as long as no patient treatment is discussed in combination with a patient identifier (email addresses and IP addresses constitute a patient identifier).
BE CAREFUL WITH HIPAA. The more simple the submission form, the better in this instance. If you have questions about HIPAA Compliance please feel free to email me at and
DON'T FORGET TO DOCUMENT THE PROCESS OF MAKING THIS HIPAA COMPLIANT.
Audit trails are also required under HIPAA.
- Daniel, answered on May 02, 2015 at 07:56 PM
- raul, answered on May 02, 2015 at 08:05 PM
I've moved your question here: http://www.jotform.com/answers/563208 so we can address it properly.
We'll be answering it shortly.
- Daniel, answered on May 02, 2015 at 08:38 PM
Given @Zach's comment that "unless [JotForm] is willing to sign the Business Associate Agreement, and provide a list of their HIPAA Policies and Procedures, I wouldn't risk sending any ePHI through JotForm Submission", I feel that I need to ask whether JotForm is willing to do this.
- Ben, answered on May 03, 2015 at 04:00 AM
While -this- is a forum thread, it is always best to have your own thread so that not everyone - that might not even want to - receives a message with your question.
Since you already have your own thread, Daniel, please ask any further questions that you have on it: http://www.jotform.com/answers/563208 and we would be happy to answer them.