Questions about HIPAA
Asked by Rob Reinhardt on November 15, 2015 at 12:30 PM
This and the associated article contain inaccuracies. It doesn't appear that a Covered Entity cannot currently be HIPAA compliant while using JotForm's services to transmit Electronic Protected Health Information (ePHI).
1) JotForm acknowledges they will not sign a Business Associate Agreement. This is required by HIPAA.
2) JotForm acknowledges that they do not encrypt the data on their servers. This is required by HIPAA.
I'm intrigued by their new encryption features since they report they never have access to the data. There's some question as to whether this would allow them to qualify for the conduit exception. However, since the presence of the data on their servers is probably not sufficiently "transient", I'm skeptical that would apply. Which means the BAA would still be required.
JotForm Support Manager
1) I've consulted my higher-ups on this; please send me the BAA and we will review it to see if it can be signed.
2) That acknowledgement was made back in 2014. Nowadays we have released the encryption feature, which allows you to transfer and store data in an encrypted format. Moreover, all of our forms' embed codes are now SSL by default; see more info here.
Thank you for the update! I'm curious about this as much for my clients and audience as for myself, so this goes beyond just sharing my own BAA. Please drop me an email as I'd like to discuss this in more detail if possible.
HIPAA does not require encryption:
However encryption is very beneficial. To paraphrase HHS: "Entities that secure health information through encryption are relieved from having to notify in the event of a breach of such information."
Thank you for the additional information. If you require any assistance with anything, let us know and we will be happy to help.
You are correct that, in many cases, HIPAA does not rigidly require encryption. However, if you read the entire entry from your link, it does say that it is "Addressable", which is HIPAA's way of saying that, if it's reasonable to do so, then you should. If you decide, through your risk assessment, that encryption is not required, the onus is on you to prove why it isn't necessary. In situations like we're talking about here, it's much easier to simply say it's required, because most experts don't think it's viable to come up with a reason it's not reasonable to do so these days.
Here's an article that explains it more thoroughly. http://blog.algonquinstudios.com/2013/06/19/is-encryption-required-by-hipaa-yes/ And here: https://www.hipaa.com/transmission-security-encryption-what-to-do-and-how-to-do-it/
As you note, the Breach Notification Rule alone is a solid reason for making sure encryption is used wherever possible.
I am curious if the HIPAA BAA form can be signed. My client would love to use jotform but needs the agreement.
Since we are not officially HIPAA compliant, we cannot sign a HIPAA business associate agreement. It is possible to use our forms in a HIPAA compliant manner; however, we are not certified.
I continue to see JotForm representatives say things like "it is possible to use our forms in a HIPAA compliant manner." I believe it is very important that you clarify that statement for your readers. This means that users who need to comply with HIPAA cannot collect ANY Protected Health Information through JotForm. There is no way for them to comply with HIPAA while collecting PHI through JotForm, because JotForm acknowledges not complying with HIPAA and that they will not sign a BAA (both things required for compliance).
Thank you for the additional feedback. I believe that we have made it clear that we are not officially HIPAA compliant and that any compliance is up to the user. We do what we can to allow for compliant usage but we do fall short in being able to sign a business agreement. The steps laid out in this thread, which I believe you are referring to:
I strongly suggest any organization do their own due diligence to ensure they are using any software within their organization's legal requirements. If you do not believe JotForm meets the standards laid out by HIPAA and that you cannot use our forms and your data in a compliant manner, I would not recommend using our forms.