Are form submissions HIPAA compliant?
Asked by Clarrigan on August 04, 2010 at 05:51 PM
I am a mental health therapist and wish to use JotForm for clients to submit forms prior to their first appointment. Personal health information and identifying information is on the form.
Yes, it is possible to use JotForm in a HIPAA compliant way. Our servers already match all criteria since we already care a lot about the security. However, some features of our application are not HIPAA compliant, so if you refrain from using those features, I think you should be fine.
1. Always use the SSL (https) version of the JotForm site in your browser. Use "https://www.jotform.com" to log in to your account, create your forms, look at your submissions and link to your forms.
2. Edit the emails on all forms to make sure no specific information is used in them. We send emails in plain text, so they are not secure. Only use emails to get alerts to know there is a new submission. Once you receive an email alert, log into the secure JotForm site and then look at the user
3. Do not use the Reports feature, since the report URLs are not password protected.
3. If you use the Reports feature, only do it with password protection. That will both ask for a password and transfer all data over SSL.
4. The same goes for uploads. They are not password protected.
5. Log out immediately after you are done with the site.
6. Regularly download submissions and then delete them.
These are all I can think of right now. But if I think of anything else I will post it here.
Update: Reports now support password protection. So you can use them.
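Two of the practices in the answer above (link only to the https version of the site, and keep plain-text alert e-mails free of the submitted answers) can be checked mechanically. The following script is an added example and is not JotForm's code; the form links, the submission record and the submission-page URL pattern are constructed placeholders, not values from a real account.

```python
"""Added example (not JotForm's code): check form links for https and
build a plain-text alert that contains no submitted field values.
All URLs, ids and field values below are constructed sample data."""
from urllib.parse import urlparse

# Constructed sample: links a form owner might paste into a website or e-mail.
SAMPLE_LINKS = [
    "https://www.jotform.com/form/PLACEHOLDER_ID",   # placeholder form id
    "http://www.jotform.com/form/PLACEHOLDER_ID",    # plain HTTP: should be flagged
    "https://example.org/intake",                    # assumed third-party embed page
]

# Metadata that may go into a clear-text alert: nothing the client typed,
# only enough to find the submission on the secure site.
ALERT_FIELDS = ("form_title", "submission_id", "submitted_at")

# Assumed URL pattern for the secure submission page (placeholder, not JotForm's real one).
SECURE_VIEW_BASE = "https://www.jotform.com/PLACEHOLDER_SUBMISSION_PATH/"


def insecure_links(links):
    """Return the links whose scheme is not https (step 1 of the answer)."""
    return [u for u in links if urlparse(u).scheme.lower() != "https"]


def build_alert(submission):
    """Build a plain-text alert that announces a submission without its contents.

    Step 2 of the answer: e-mail is sent in the clear, so the alert only says
    that a submission exists and links to the https site to read it.
    """
    missing = [k for k in ALERT_FIELDS if k not in submission]
    if missing:
        raise ValueError(f"submission lacks metadata: {missing}")
    link = SECURE_VIEW_BASE + submission["submission_id"]
    return (
        f"New submission to '{submission['form_title']}' "
        f"at {submission['submitted_at']}.\n"
        f"View it over HTTPS: {link}\n"
    )


def alert_leaks_answers(alert_text, submission):
    """True if any non-empty submitted answer appears verbatim in the alert.

    A simple substring check: a cheap guard to run before sending, not a
    substitute for keeping answers out of the template in the first place.
    """
    answers = submission.get("answers", {})
    return any(str(v) and str(v) in alert_text for v in answers.values())


if __name__ == "__main__":
    # Constructed submission record with PHI-like answers (not real data).
    sample = {
        "form_title": "Intake form",
        "submission_id": "sub-0001",
        "submitted_at": "2010-08-04T17:51:00Z",
        "answers": {"name": "Jane Sample", "concern": "anxiety"},
    }
    print("insecure links:", insecure_links(SAMPLE_LINKS))
    text = build_alert(sample)
    print(text)
    print("alert leaks answers:", alert_leaks_answers(text, sample))
```

Running it flags the `http://` link and shows an alert that names the form and the time but none of the answers; `alert_leaks_answers` returns False for it, and would return True if the template were changed to include a field value.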
From what I am coming to understand, JotForm's security outside its own web domain is not secure, correct?
So my question is: if I access the contact information from the jotform domain, is the connection secure, or is it also vulnerable?
That is not correct. You can embed the SSL version of your form into your website; in that case all the data will be encrypted. Please check the following tutorial for information about how to receive SSL submissions.
It is also possible to get the licensed JotForm Application and install it on your own server.
Please feel free to contact us if you need any further assistance.
Is the data stored on JotForm servers encrypted though? That is a HIPAA requirement. Not only must it be submitted over SSL, but it has to be stored encrypted.
Data stored on our servers is not encrypted, but access to our servers is safeguarded. Data transmission from the person who submits their health information to our servers can be done in an encrypted manner, by using the forms securely.
JotForm certainly complies with the technical safeguard section of the HIPAA security rule:
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
If you have further question, please feel free to ask.
Are uploads not encrypted? So uploads are not HIPAA-level secure? Should I ask for uploads in a different manner then?
Please open your question in a separate thread so we can assist you better. This thread is pretty old and it's already resolved. Thank you for your understanding!
Encryption is recommended, but not required by HIPAA. If you take common sense measures to ensure that the data is negligently exposed you've pretty much covered your HIPAA bases.
We went through your steps but Internet Explorer is giving us the warning, "Internet Explorer blocked this website from displaying content with security certificate errors."
If this truly was a secure form using https, we shouldn't get this error, correct?
Please open a new thread, provide your form link, webpage URL and, if possible, screenshots of the error, and we will be glad to assist you.
I love JotForm because this is an easy tool to use, without having to know any PHP, or Server side scripting languages. That being said, unless they are willing to sign the Business Associate Agreement, and provide a list of their HIPAA Policies and Procedures, I wouldn't risk sending any ePHI through JotForm Submission. (Good Explanation Here...)
Under the HITECH Act and Omnibus Final Ruling, all electronic protected health information (ePHI) at rest must be encrypted with FIPS 140-2 level encryption (this can be found on the NIST website). Simple physical safeguards and technical safeguards are not compliant. The company transmitting, storing, or providing a service on behalf of a covered entity, or a business associate of a covered entity, where ePHI is handled must also sign a Business Associate Agreement (BAA). Once the BAA is signed, the now business associate or subcontractor (JotForm) will be held to the same standards as a health care institution (covered entity).
Pay special attention to page three, center column, second paragraph in this hhs.gov/article
In short, YOU AND JotForm are held liable for the housing of ePHI no matter where it is stored in the end (if they sign a BAA or stop claiming to be HIPAA compliant). Just by using their servers and not getting compliance verification, your business will be held liable until you take "reasonable and appropriate" measures to safeguard ePHI. They must be 100% HIPAA compliant. If they only meet 80% of the standards, then they are not HIPAA compliant. Note the link above (hhs.gov/article pg 3 center column, 2nd paragraph).
Remove any comments sections or file upload sections where ePHI may be transmitted through the JotForm servers, and remove the risk. Setting appointments should be fine as long as no patient treatment is discussed in combination with a patient identifier. (Email addresses and IP addresses constitute a patient identifier.)
BE CAREFUL WITH HIPAA. The more simple the submission form, the better in this instance. If you have questions about HIPAA Compliance please feel free to email me at and
DON'T FORGET TO DOCUMENT THE PROCESS OF MAKING THIS HIPAA COMPLIANT.
Audit trails are also required under HIPAA.
I've moved your question here: http://www.jotform.com/answers/563208 so we can address it properly.
We'll be answering it shortly.
Given @Zach's comment that "unless [JotForm] is willing to sign the Business Associate Agreement, and provide a list of their HIPAA Policies and Procedures, I wouldn't risk sending any ePHI through JotForm Submission", I feel that I need to ask whether JotForm is willing to do this.
While -this- is a forum thread, it is always best to have your own thread so that not everyone - that might not even want to - receives a message with your question.
Since you already have your own thread Daniel, please ask any further questions that you have on it: http://www.jotform.com/answers/563208 and we would be happy to answer them.