What is JotForm?
JotForm is a free online form builder which helps you create online forms without writing a single line of code. No sign-up required.

At JotForm, we want to make sure that you’re getting the online form builder help that you need. Our friendly customer support team is available 24/7.

We believe that if one user has a question, there could be more users who may have the same question. This is why many of our support forum threads are public and available to be searched and viewed. If you’d like help immediately, feel free to search for a similar question, or submit your question or concern.


  • Are form submissions HIPAA compliant?

    Asked by Clarrigan on August 04, 2010 at 05:51 PM

    I am a mental health therapist and wish to use JotForm for clients to submit forms prior to their first appointment. Personal health information and identifying information is on the form.

    Tags: submissions, security, secure forms, hippa form, HIPPA compliant form, health information form
  • Answered by aytekin (JotForm Founder) on August 05, 2010 at 08:46 AM

    Yes, it is possible to use JotForm in a HIPAA compliant way. Our servers already match all criteria since we already care a lot about security. However, some features of our application are not HIPAA compliant, so if you refrain from using those features, I think you should be fine.

    1. Always use the SSL (https) version of the JotForm site in your browser. Use "https://www.jotform.com" to log in to your account, create your forms, look at your submissions and link to your forms.

    2. Edit the emails on all forms to make sure no specific information is used in them. We send emails in plain text, so they are not secure. Only use emails to get alerts to know there is a new submission. Once you receive an email alert, log into the secure JotForm site and then look at the user

    3. Do not use the Reports feature, since the report URLs are not password protected.

    4. If you use the Reports feature, only do it with password protection. That will both ask for a password and transfer all data over SSL.

    5. Same for uploads. They are not password protected.

    6. Log out immediately after you are done with the site.

    7. Regularly download submissions and then delete them.

    These are all I can think of right now. But if I think of anything else I will post it here.

    Update: Reports now support password protection. So you can use them.

  • Answered by promusic on May 04, 2012 at 12:45 PM

    From what I am coming to understand, JotForm's security outside of its web domain is not secure, right?

    So my question is: if I access the contact information from the jotform domain, is the connection secure, or is it also vulnerable?

    Regards

  • Answered by Mike_T (JotForm Support) on May 04, 2012 at 05:16 PM

    @Promusic,

    That is not correct. You can embed the SSL version of your form into your website; in that case all the data will be encrypted. Please check the following tutorial to get the information about how to receive SSL submissions.

    How can I receive SSL Submissions?

    It is also possible to get the licensed JotForm Application and install it on your own server.

    Please feel free to contact us if you need any further assistance.
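The advice above (aytekin's step 1 and Mike_T's "embed the SSL version of your form") comes down to one check a practitioner can automate: every JotForm URL on the hosting page, whether a script embed, an iframe or a plain link, must use https, and the hosting page itself should be served over https, because an http page can be altered in transit and its embed code or link swapped for a look-alike form before the patient ever reaches JotForm. The script below is an added example, not JotForm's code or any poster's; the JotForm hostnames, the hypothetical clinic page URL and the sample HTML (with FORMID standing in for a form ID) are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hostnames used by JotForm-hosted forms and embed scripts (assumption for this
# example; extend the set if your account uses a different form domain).
JOTFORM_HOSTS = {"jotform.com", "www.jotform.com", "form.jotform.com"}

# src/href/action attributes are where an embed code or a link to the form lives.
URL_ATTR = re.compile(r'\b(src|href|action)\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def is_jotform_url(url):
    host = (urlsplit(url).hostname or "").lower()
    return host in JOTFORM_HOSTS or host.endswith(".jotform.com")


def _absolute(url):
    # A protocol-relative URL ("//www.jotform.com/...") inherits the scheme of the
    # page that embeds it, so on an http page it is an http load. Treat it as http,
    # the worst case, rather than assuming the parent page is https.
    return "http:" + url if url.startswith("//") else url


def find_insecure_jotform_urls(html):
    """Return every JotForm URL in the page that would be loaded over plain http."""
    insecure = []
    for _attr, url in URL_ATTR.findall(html):
        url = _absolute(url)
        if urlsplit(url).scheme == "http" and is_jotform_url(url):
            insecure.append(url)
    return insecure


def force_https(html):
    """Rewrite http:// and protocol-relative JotForm URLs to https://, leaving
    every other URL on the page untouched."""
    def fix(match):
        attr, url = match.group(1), match.group(2)
        absolute = _absolute(url)
        parts = urlsplit(absolute)
        if parts.scheme == "http" and is_jotform_url(absolute):
            url = urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return f'{attr}="{url}"'
    return URL_ATTR.sub(fix, html)


def audit_embed(page_url, html):
    """Findings to clear before linking patients to the form from page_url."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append(
            "parent page is served over http: the page itself can be altered in "
            "transit, so the embed code or link could be swapped for an attacker's form")
    for url in find_insecure_jotform_urls(html):
        findings.append(f"JotForm resource loaded over http: {url}")
    return findings


# Constructed sample page (not a real clinic page); FORMID stands in for a form ID.
SAMPLE_PAGE = """
<p>Intake form:</p>
<script type="text/javascript" src="http://form.jotform.com/jsform/FORMID"></script>
<a href="//www.jotform.com/form/FORMID">Open the form in a new window</a>
<img src="http://example.org/logo.png" alt="logo">
<iframe src="https://form.jotform.com/FORMID"></iframe>
"""

if __name__ == "__main__":
    # Hypothetical hosting page URL, chosen to show the http finding.
    for finding in audit_embed("http://clinic.example/intake", SAMPLE_PAGE):
        print("FINDING:", finding)
    print(force_https(SAMPLE_PAGE))
```

Run it against the HTML of the page that carries your embed code; an empty findings list from `audit_embed` means the form is reached over https from an https page. Note what this does not cover: https protects the submission on its way to JotForm, while the later replies in this thread about storage encryption, uploads and report links concern what happens after it arrives.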

  • Answered by guest_22695332303045 on September 26, 2012 at 01:51 PM

    Is the data stored on JotForm servers encrypted though? That is a HIPAA requirement. Not only must it be submitted over SSL, but it has to be stored encrypted.

  • Answered by NeilVicente (JotForm Support) on September 26, 2012 at 02:35 PM

    @guest_22695332303045

    Data stored on our servers is not encrypted, but access to our servers is safeguarded. Data transmission from the person who submits their health information to our servers can be done in an encrypted manner, by using the forms securely.

    JotForm certainly complies with the technical safeguard section of the HIPAA Security Rule:

    Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.

    If you have further question, please feel free to ask.

  • Answered by loftbazaar on June 10, 2013 at 09:46 PM

    Are uploads not encrypted? So uploads are not HIPAA-level secure? Should I ask for uploads in a different manner then?

  • Answered by EltonCris (JotForm Support) on June 10, 2013 at 10:57 PM

    @loftbazaar

    Please open your question in a separate thread so we can assist you better. This thread is pretty old and it's already resolved. Thank you for your understanding!

  • Answered by vinvalentino on July 31, 2013 at 05:14 AM

    Encryption is recommended, but not required by HIPAA. If you take common sense measures to ensure that the data is not negligently exposed, you've pretty much covered your HIPAA bases.

  • Answered by bdiddy on October 21, 2013 at 06:52 PM

    aytekin,

    We went through your steps, but Internet Explorer is giving us the warning, "Internet Explorer blocked this website from displaying content with security certificate errors."

    If this truly was a secure form using https, we shouldn't get this error, correct?

    bdiddy

  • Answered by jeanettebmz on October 21, 2013 at 08:45 PM

    @ bdiddy

    Please open a new thread, provide your form link, webpage URL and if possible screenshots of the error and we will be glad to assist you

  • Answered by Zach on April 21, 2015 at 10:11 AM

    I love JotForm because it is an easy tool to use, without having to know any PHP or server-side scripting languages. That being said, unless they are willing to sign the Business Associate Agreement and provide a list of their HIPAA Policies and Procedures, I wouldn't risk sending any ePHI through a JotForm submission. (Good Explanation Here...)

    Under the HITECH Act and Omnibus Final Ruling, all electronic protected health information (ePHI) at rest must be encrypted with FIPS 140-2 level encryption (this can be found on the NIST website). Simple physical safeguards and technical safeguards are not compliant. The company transmitting, storing, or providing a service on behalf of a covered entity or business associate of a covered entity, where ePHI is handled, must also sign a Business Associate Agreement (BAA). Once the BAA is signed, the now business associate or subcontractor (JotForm) will be held to the same standards as a health care institution (covered entity).

    Pay special attention to page three, center column, second paragraph in this hhs.gov/article

    In short, YOU AND JotForm are held liable for the housing of ePHI no matter where it is stored in the end (if they sign a BAA or stop claiming to be HIPAA compliant). Just by using their servers and not getting compliance verification, your business will be held liable until you take "reasonable and appropriate" measures to safeguard ePHI. They must be 100% HIPAA compliant; if they only meet 80% of the standards, then they are not HIPAA compliant. Note the link above (hhs.gov/article pg 3, center column, 2nd paragraph).

    /*** My Recommendations ***/

    Remove any comments sections or file upload sections where ePHI may be transmitted through the JotForm servers, and remove the risk. Setting appointments should be fine as long as no patient treatment is discussed in combination with a patient identifier (email addresses and IP addresses constitute a patient identifier).

    BE CAREFUL WITH HIPAA. The simpler the submission form, the better in this instance. If you have questions about HIPAA compliance please feel free to email me at and

    DON'T FORGET TO DOCUMENT THE PROCESS OF MAKING THIS HIPAA COMPLIANT.

    Audit trails are also required under HIPAA.

    zach@proponentit.com

  • Answered by Daniel on May 02, 2015 at 07:56 PM

    Hi,


    My company requires either form submission info to be sent to our own DB in a HIPAA compliant way, or for our software to be able to access JotForm's DB and retrieve the form submission info from there in a HIPAA compliant way. Is this possible with JotForm? 

  • Answered by raul on May 02, 2015 at 08:05 PM

    @Daniel

    I've moved your question here: http://www.jotform.com/answers/563208 so we can address it properly.

    We'll be answering it shortly.

  • Answered by Daniel on May 02, 2015 at 08:38 PM

    Given @Zach's comment that "unless [JotForm] is willing to sign the Business Associate Agreement, and provide a list of their HIPAA Policies and Procedures, I wouldn't risk sending any ePHI through JotForm Submission", I feel that I need to ask whether JotForm is willing to do this.

  • Answered by Ben on May 03, 2015 at 04:00 AM

    While -this- is a forum thread, it is always best to have your own thread so that not everyone - that might not even want to - receives a message with your question.

    Since you already have your own thread Daniel, please ask any further questions that you have on it: http://www.jotform.com/answers/563208 and we would be happy to answer them.

    Thank you.