What is JotForm?
JotForm is a free online form builder which helps you create online forms without writing a single line of code. No sign-up required.
How can my form be HIPAA compliant?
Asked by Meredithliss on January 25, 2015 at 01:03 PM
I already used the embed wizard and "secured" my form, and then I copied and embedded the link into my website. I read the forum threads entitled "HIPAA Compliance" and "How can I receive SSL Submissions". I have a multi-part question.
I set it up to receive email alerts when somebody completes my form, to avoid having the form sent to me via unencrypted email. Am I on the right track?
From the "HIPAA Compliance" forum:
You then say that data on your servers is not encrypted, but access is safeguarded. What does this mean? Does this mean it is no longer HIPAA compliant?
You then say that the data transmission from the person who submits their PHI in the form can be sent to your servers in an encrypted way, by using the forms securely. Can you elaborate on this process and explain very clearly?
It sounds like it travels to your servers encrypted, but is not stored encrypted. Does this mean it is not HIPAA compliant?
You then send me an email alert to view my form. I view it and download to my computer and delete from your server. Is it at risk for invasion during the time it is stored on your server?
You have a bolded sentence: "Info systems housing PHI must be protected from invasion. When info flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional." Is JotForm a closed system? What are your "sufficient" access controls? Why does encryption become "optional"? I guess "opting in" is not an option with JotForm. Correct?
In the "How Can I Receive SSL Submissions" forum:
You state: if you don't have a secure web browser and you embed a secure form into the webpage, the end user's web browser will report the connection as not being entirely secure. In these instances, it may be better to provide a link to the form using its jotForm URL.
How do I know if I am using a secure web browser? I am simply building my own site using GoDaddy's web builder. I have a feeling it is not secure. I don't work for the government or a financial institution. So I embedded the form onto my site (I think I did). Who is the end user? What do you mean by saying the end user will report the connection as not being secure? Who is telling whom that the connection is not secure? Will you be telling my client?
In this case, you say it may be better to provide a link to the form using the JotForm URL. I am unclear on the difference between "embedding" my form and providing a link to the form. When I copied and pasted the "link" onto my site, is it considered embedded, or is this providing the JotForm link? Perhaps it is providing the JotForm link and I am all set. On my webpage (not yet published), it looks like the title of my form is there and clickable (one site is published). Please clarify whether this means I embedded it, or whether I am providing the link by what I have done.
Ideally, I want there to be a clickable link on my site to my patient form. When my client clicks it, I want them to feel secure that it is safe (and I want it to be truly HIPAA safe). They will submit the form. I will get an alert, go to your site, download it to my computer and delete it from your site.
I know I posed a lot of questions. I need to understand this. I wish I could talk to someone about it, but this is your way of communicating. I hope that when you write a thoughtful answer to my inquiry, it will help a lot of people.
How will I know you answered my question? Can you email me to let me know?
Thanks in advance. I look forward to your response.
Thank you for contacting us.
To be honest with you, it was also difficult to discern which were your actual question(s) in the message, since it appears as a wall of text.
But after reading it thoroughly, and going by the subject/title, I think the details in this thread are the answer you were looking for.
Do let us know if you have further inquiries. Try to number the questions as well, so that we can identify them immediately.
I read the thread you highlighted above, but still need clarification.
Sorry that my email was long-winded without clear delineation of my questions.
Here are a few specific questions:
1. The JotForm response above says that JotForm has a very powerful cloud of servers whose storage is encrypted, yet the data stored on your servers is not encrypted. It sounds contradictory and I would like you to elaborate.
2. You say the data is safeguarded, not encrypted. What does it mean to safeguard vs. encrypt?
3. Please explain the difference between embedding my secure form on my website vs. providing a link to my form. Please explain both scenarios and how they would look to the person completing the form.
Thank you very much for your time
No worries! We understand your questions and thank you for the clarifications.
1. The server encryption is to prevent hackers from doing SQL injection or DDoS/Denial of Service (DoS) kinds of attacks. When it says that data is not encrypted, that was meant for when you're accessing your form data using our non-HTTPS connection and when data is submitted using our non-HTTPS method.
2. Safeguarding, I think, refers to our servers. Encryption means using our SSL certificate to secure or encrypt your form data.
3. The difference is that when you embed it, the form is presented or viewable on your website, and you give them the link to it. Also, the form would look like part of your website, meaning your users won't see the JotForm name on it. Providing the link means your users must access the form using the link you give them.
Let us know if you have any further questions.
Thank you so much.
I still need more clarification
1. How can I be sure that I am using the HTTPS version?
2. Do you encrypt the stored data?
3. Description of issue: As per the "How can I receive SSL Submissions?" thread, I followed the directions using the embed wizard. I checked the box to make my form secure. Your forum response implies that by checking this box, it changes over to HTTPS (secure).
But down at the bottom of the thread you reveal: "If you don't have a secure web server and you embed a secure form into the webpage, the end user's web browser will report the connection as not being entirely secure. In these instances, it may be better to provide the link to the form using its JotForm URL."
I would like the form to be accessible on my website. When I copied and pasted the "link" into my website I was hoping that it was secure.
Specific Question A): It sounds like, to be secure, I should be emailing my client a random, complicated link to the form rather than embedding it on my site. Is this correct?
Specific question B) How would I know if I had a secure web server?
1. How can I be sure that I am using the HTTPS version?
Follow this user guide: How-can-I-receive-SSL-Submissions
2. Do you encrypt the stored data?
I think you must be referring to the transported data, like the email and the form.
The answer is no.
They are not encrypted and are just plain text. So if anyone gains access to your account/email, they can easily read the content/data. This is why we also recommend not putting any confidential or sensitive data in the form/email (i.e. user ID, username, password, account IDs, credit card accounts, etc.).
What the description meant was:
If the website is using HTTP (meaning it is not using the secure protocol, HTTPS) and you embed a secure form URL (using https://secure.jotform), then the end user will encounter a prompt message from the browser they are using that the website is not entirely secure. Obviously this is because the website is just HTTP while there is content (the form) that uses HTTPS.
Specific Question A):
I explained it similarly in #3.
Specific question B):
It is usually a separate offering/purchase from web hosting service providers. You can easily tell if your website URL uses https (i.e. https://www.yourwebsite.com). You can also inquire about this with the support team of your web hosting provider.
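The embed-versus-link question in the exchange above comes down to the scheme of the page that hosts the form and the scheme of each thing that page loads. The following is an added example (not JotForm's code, and not from the original post) that applies those two rules to a constructed HTML page: an https form framed by an http page still gets the browser's "not entirely secure" report because the framing page is unencrypted, while an https page that loads any http resource is mixed content. The site name www.yourwebsite.com and the form URL https://secure.jotform.com/FORM_ID are placeholders; FORM_ID is not a real form.

```python
"""Mixed-content check for an embedded form (added example).

Assumptions: the host site is www.yourwebsite.com and the secure form URL
is https://secure.jotform.com/FORM_ID, where FORM_ID is a placeholder.
The sample page below is constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes through which a page frames, loads, links to or
# submits data; these are what a browser evaluates for mixed content.
WATCHED = {
    "iframe": ("src",),
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "form": ("action",),
    "a": ("href",),
}


class EmbedCollector(HTMLParser):
    """Collect (tag, attribute, url) for every watched tag in a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in WATCHED.get(tag, ()) and value:
                self.refs.append((tag, name, value))


def page_is_secure(page_url):
    """The check from the answer above: does the page's own URL use https?"""
    return urlparse(page_url).scheme == "https"


def classify(page_url, html):
    """Return (tag, attr, url, verdict) for each reference found in the page.

    Verdicts:
      ok                  page and referenced URL both use https
      mixed-content       https page pulls in an http resource; browsers
                          block or warn on this
      secure-in-insecure  http page embeds an https form: the form traffic
                          is encrypted, but the page framing it is not, so
                          the browser still reports the page as insecure
      plaintext           http page, http resource: nothing is encrypted
      insecure-link       a plain <a> link pointing at an http URL
    """
    page_scheme = urlparse(page_url).scheme
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for tag, attr, url in collector.refs:
        # Relative and protocol-relative URLs inherit the page's scheme.
        scheme = urlparse(url).scheme or page_scheme
        if scheme not in ("http", "https"):
            continue  # mailto:, javascript:, data: are out of scope here
        if tag == "a":
            # A link navigates away; only the destination's scheme matters.
            verdict = "ok" if scheme == "https" else "insecure-link"
        elif page_scheme == "https" and scheme == "http":
            verdict = "mixed-content"
        elif page_scheme == "http" and scheme == "https":
            verdict = "secure-in-insecure"
        elif scheme == "http":
            verdict = "plaintext"
        else:
            verdict = "ok"
        findings.append((tag, attr, url, verdict))
    return findings


# Constructed sample page: the secure form embedded next to a plain-http
# script, plus a direct link to the form (the alternative suggested above).
SAMPLE_HTML = """
<html><body>
<iframe src="https://secure.jotform.com/FORM_ID"></iframe>
<script src="http://cdn.example.com/widget.js"></script>
<a href="https://secure.jotform.com/FORM_ID">Patient intake form</a>
</body></html>
"""

if __name__ == "__main__":
    for page in ("http://www.yourwebsite.com/intake",
                 "https://www.yourwebsite.com/intake"):
        print(page, "- page itself secure:", page_is_secure(page))
        for tag, attr, url, verdict in classify(page, SAMPLE_HTML):
            print(f"  <{tag} {attr}={url}> -> {verdict}")
```

Run against the http version of the page, the embedded form comes back as secure-in-insecure and the script as plaintext; against the https version the form is fine and the http script becomes the mixed-content problem. Either way the plain link to the form's own https URL is reported ok, which is why the answer above prefers the link when the hosting page is not served over https.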
I am trying to figure out if I can somehow make my form HIPAA secure.
If I choose not to embed the form on my site and take the safer route by providing the link to my customer through email, is this HIPAA compliant?
Please note that just using your form's SSL direct URL will not make it 100% HIPAA compliant. You may like to take a look at the HIPAA rules, where there are other requirements as well.
As far as the technical safeguard rule of HIPAA is concerned, we are certainly compliant.
If I decide to make my site an https site (SSL), can JotForm be HIPAA compliant?
I think so, because aside from the secure URL of the form, you're also securing your website by having an SSL certificate installed on it. That will make everything HIPAA compliant.
That is good news. It took a lot of back and forth to get the answer I was seeking. There are a lot of questions about HIPAA compliance on this forum. The current forum answers are not very clear. I would revise them and clearly let the audience know the direct path to gain HIPAA compliance, which would include having an SSL certificate.
Thanks for everything.
Glad that we could help and answer your questions. Should you need any further information, please do not hesitate to contact us.
Thank you and you're welcome!
A few more HIPAA-related questions:
In your forum response "Is JotForm HIPAA compliant?"
You recommend regularly downloading submissions and then deleting them (number 6).
1. Once I view and download the form, how do I delete it from your site?
2. How quickly would I need to delete the submitted form from your site to be HIPAA compliant?
3. While stored on your servers, is the form vulnerable, and therefore not considered HIPAA compliant until I download and delete it?
#1 You can manually delete the submission(s) using the delete button in the upper right, or the Delete All option in the grid below.
You can use the JotForm Auto Delete Submission App.
Take Note: Deleted submissions are permanently gone and cannot be restored.
#2 When you delete the submission(s), they are deleted at once. There is no delay involved.
#3 It was explained at the very start...
In that sense, JotForm certainly complies with the technical safeguard section of the HIPAA security rule:
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
What is on the server is compliant. The optional part (which may not be compliant) is the transport process over the network. If the communication is not using SSL or is not encrypted, it is vulnerable to intrusion.
If you are not putting any sensitive information in your form, like SSNs, credit card numbers, etc., there is no need to download and delete the submission data at all.
This and the associated article contain inaccuracies. It doesn't appear that a Covered Entity can currently be HIPAA compliant while using JotForm's services to transmit Electronic Protected Health Information (ePHI).
1) JotForm acknowledges they will not sign a Business Associate Agreement. This is required by HIPAA.
2) JotForm acknowledges that they do not encrypt the data on their servers. This is required by HIPAA.
I'm intrigued by their new encryption features since they report they never have access to the data. There's some question as to whether this would allow them to qualify for the conduit exception. However, since the presence of the data on their servers is probably not sufficiently "transient", I'm skeptical that would apply. Which means the BAA would still be required.