Are form submissions HIPAA compliant?

  • Asked on August 04, 2010 at 05:51 PM

    I am a mental health therapist and wish to use JotForm for clients to submit mental health forms prior to their first appointment. Personal health information and identifying information are on the form.

  • Answered on August 05, 2010 at 08:46 AM

    Update (April 19, 2018): HIPAA compliance is available on our Gold and Silver plans.

    Yes, it is possible to use JotForm in a HIPAA compliant way. Our servers already match all criteria since we already care a lot about security. However, some features of our application are not HIPAA compliant, so if you refrain from using those features, I think you should be fine.

    1. Always use the SSL (https) version of the JotForm site in your browser. Use "" to log in to your account, create your forms, look at your submissions and link to your forms.

    2. Edit the emails on all forms to make sure no specific information is used in them. We send emails in plain text, so they are not secure. Only use emails to get alerts that there is a new submission. Once you receive an email alert, log into the secure JotForm site and then look at the user

    3. Do not use the Reports feature, since the report URLs are not password protected.

    3. If you use the Reports feature, only do it with password protection. That will both ask for a password and transfer all data over SSL.

    4. Same for uploads. They are not password protected.

    5. Log out immediately after you are done with the site.

    6. Regularly download submissions and then delete them.

    These are all I can think of right now, but if I think of anything else I will post it here.

    Update: Reports now support password protection, so you can use them.

  • Answered on May 04, 2012 at 12:45 PM

    From what I am coming to understand, JotForm's security outside of its own web domain is not secure, correct?

    So my question is: if I access the contact information from the jotform domain, is the connection secure, or is it also vulnerable?

    Regards

  • Answered on May 04, 2012 at 05:16 PM


    That is not correct. You can embed the SSL version of your form into your website; in that case all the data will be encrypted. Please check the following tutorial for information about how to receive SSL submissions.

    How can I receive SSL Submissions?

    It is also possible to get the licensed JotForm application and install it on your own server.

    Please feel free to contact us if you need any further assistance.

  • Answered on September 26, 2012 at 01:51 PM

    Is the data stored on JotForm servers encrypted though? That is a HIPAA requirement. Not only must it be submitted over SSL, but it has to be stored encrypted.

  • Answered on September 26, 2012 at 02:35 PM


    Data stored on our servers is not encrypted, but access to our servers is safeguarded. Data transmission from the person who submits their health information to our servers can be done in an encrypted manner, by using the forms securely.

    JotForm certainly complies with the technical safeguard section of the HIPAA security rule:

    Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.

    If you have further questions, please feel free to ask.

  • Answered on June 10, 2013 at 09:46 PM

    Are uploads not encrypted? So uploads are not HIPAA level secure? Should I ask for uploads in a different manner then?

  • Answered on June 10, 2013 at 10:57 PM


    Please open your question in a separate thread so we can assist you better. This thread is pretty old and it's already resolved. Thank you for your understanding!

  • Answered on July 31, 2013 at 05:14 AM

    Encryption is recommended, but not required by HIPAA. If you take common sense measures to ensure that the data is not negligently exposed, you've pretty much covered your HIPAA bases.

  • Answered on October 21, 2013 at 06:52 PM


    We went through your steps but Internet Explorer is giving us the warning, "Internet Explorer blocked this website from displaying content with security certificate errors."


    If this truly was a secure form using https, we shouldn't get this error, correct?

  • Answered on October 21, 2013 at 08:45 PM

    @bdiddy

    Please open a new thread, provide your form link, webpage URL and, if possible, screenshots of the error, and we will be glad to assist you.

  • Answered on April 21, 2015 at 10:11 AM

    I love JotForm because it is an easy tool to use, without having to know any PHP or server-side scripting languages. That being said, unless they are willing to sign the Business Associate Agreement and provide a list of their HIPAA Policies and Procedures, I wouldn't risk sending any ePHI through a JotForm submission. (Good Explanation Here...)

    Under the HITECH Act and Omnibus Final Ruling, all electronic protected health information (ePHI) at rest must be encrypted with FIPS 140-2 level encryption (this can be found on the NIST website). Simple physical safeguards and technical safeguards are not compliant. The company transmitting, storing, or providing a service on behalf of a Covered Entity, or a Business Associate of a Covered Entity, where ePHI is handled, must also sign a Business Associate Agreement (BAA). Once the BAA is signed, the now Business Associate or subcontractor (JotForm) will be held to the same standards as a health care institution (Covered Entity).

    Pay special attention to page three, center column, second paragraph in this

    In short, YOU AND JotForm are held liable for the housing of ePHI no matter where it is stored in the end (if they sign a BAA or stop claiming to be HIPAA Compliant). Just by using their servers and not getting Compliance Verification, your business will be held liable until you take "Reasonable and Appropriate" measures to safeguard ePHI. They must be 100% HIPAA Compliant; if they only meet 80% of the standards, then they are not HIPAA Compliant. Note the link above (pg 3, center column, 2nd paragraph).


    /*** My Recommendations ***/

    Remove any comments sections or file upload sections where ePHI may be transmitted through the JotForm servers, and remove the risk. Setting appointments should be fine as long as no patient treatment is discussed in combination with a patient identifier (email addresses and IP addresses constitute a patient identifier).

    BE CAREFUL WITH HIPAA. The simpler the submission form, the better in this instance. If you have questions about HIPAA Compliance please feel free to email me at and


    Audit trails are also required under HIPAA.

  • Answered on May 02, 2015 at 07:56 PM



    My company requires either that form submission info be sent to our own DB in a HIPAA compliant way, or that our software be able to access JotForm's DB and retrieve the form submission info from there in a HIPAA compliant way. Is this possible with JotForm?

  • Answered on May 02, 2015 at 08:05 PM


    I've moved your question here: so we can address it properly.

    We'll be answering it shortly.

  • Answered on May 02, 2015 at 08:38 PM

    Given @Zach's comment that "unless [JotForm] is willing to sign the Business Associate Agreement, and provide a list of their HIPAA Policies and Procedures, I wouldn't risk sending any ePHI through JotForm Submission", I feel that I need to ask whether JotForm is willing to do this.

  • Answered on May 03, 2015 at 04:00 AM

    While -this- is a forum thread, it is always best to have your own thread so that not everyone (who might not even want to) receives a message with your question.

    Since you already have your own thread, Daniel, please ask any further questions that you have on it: and we would be happy to answer them.

    Thank you.

  • Answered on April 13, 2018 at 10:05 AM

    Great news! JotForm now offers HIPAA compliance. This means users in the healthcare industry can use JotForm to collect sensitive patient information through consent and onboarding forms, medical history updates, online bill payments, and prescription refill requests. 

    HIPAA-compliant forms require a Gold pricing plan, which is only $99 a month, or a Silver pricing plan, which is $39 a month. A business associate agreement (BAA) is also available upon request.

    For more information about our HIPAA-compliant forms, visit

  • Answered on April 19, 2018 at 03:06 AM

    Update: HIPAA compliance is available on the Silver plan as well.