- Rob Reinhardt asked on November 15, 2015 at 12:30 PM
This and the associated article contain inaccuracies. It doesn't appear that a Covered Entity can currently be HIPAA compliant while using JotForm's services to transmit Electronic Protected Health Information (ePHI).
1) JotForm acknowledges they will not sign a Business Associate Agreement. This is required by HIPAA.
2) JotForm acknowledges that they do not encrypt the data on their servers. This is required by HIPAA.
I'm intrigued by their new encryption features since they report they never have access to the data. There's some question as to whether this would allow them to qualify for the conduit exception. However, since the presence of the data on their servers is probably not sufficiently "transient", I'm skeptical that would apply. Which means the BAA would still be required.
- Jeanette (JotForm Support Manager) answered on November 15, 2015 at 12:49 PM
1) I've consulted my higher-ups on this; please send me the BA and we will review it to see if this can be signed.
2) That acknowledgement was made back in 2014; nowadays we have released the encryption feature, which allows you to transfer and store data in an encrypted format. Moreover, all of our form embed codes are now SSL by default; see more info here.
- Rob Reinhardt answered on November 15, 2015 at 07:00 PM
Thank you for the update! I'm curious about this as much for my clients and audience as for myself, so this goes beyond just sharing my own BAA. Please drop me an email as I'd like to discuss this in more detail if possible.
- js answered on November 30, 2015 at 01:29 PM
HIPAA does not require encryption:
However encryption is very beneficial. To paraphrase HHS: "Entities that secure health information through encryption are relieved from having to notify in the event of a breach of such information."
- david (JotForm Support) answered on November 30, 2015 at 02:43 PM
Thank you for the additional information. If you require any assistance with anything, let us know and we will be happy to help.
- Rob Reinhardt answered on November 30, 2015 at 03:06 PM
You are correct that, in many cases, HIPAA does not rigidly require encryption. However, if you read the entire entry from your link, it does say that it is "Addressable", which is HIPAA's way of saying that, if it's reasonable to do so, then you should. If you decide, through your risk assessment, that encryption is not required, the onus is on you to prove why it isn't necessary. In situations like the one we're talking about here, it's much easier to simply say it's required, because most experts don't think it's viable to come up with a reason it's not reasonable to do so these days.
Here's an article that explains it more thoroughly. http://blog.algonquinstudios.com/2013/06/19/is-encryption-required-by-hipaa-yes/ And here: https://www.hipaa.com/transmission-security-encryption-what-to-do-and-how-to-do-it/
As you note, the Breach Notification Rule alone is a solid reason for making sure encryption is used wherever possible.
- Randy Downs answered on April 04, 2016 at 04:52 PM
I am curious if the HIPAA BAA form can be signed. My client would love to use jotform but needs the agreement.
- david (JotForm Support) answered on April 04, 2016 at 06:11 PM
Since we are not officially HIPAA compliant, we cannot sign a HIPAA business associate agreement. It is possible to use our forms in a HIPAA compliant manner; however, we are not certified.
- Rob Reinhardt answered on May 10, 2016 at 09:41 AM
I continue to see JotForm representatives say things like "it is possible to use our forms in a HIPAA compliant manner." I believe it is very important that you clarify that statement for your readers. This means that users who need to comply with HIPAA cannot collect ANY Protected Health Information through JotForms. There is no way for them to comply with HIPAA while collecting PHI through JotForm, because JotForm acknowledges not complying with HIPAA and that they will not sign a BAA (both things required for compliance).
- david (JotForm Support) answered on May 10, 2016 at 11:41 AM
Thank you for the additional feedback. I believe that we have made it clear that we are not officially HIPAA compliant and that any compliance is up to the user. We do what we can to allow for compliant usage, but we do fall short in being able to sign a business agreement. The steps laid out in this thread, which I believe you are referring to:
I strongly suggest any organization do their own due diligence to ensure they are using any software within their organization's legal requirements. If you do not believe JotForm meets the standards laid out by HIPAA and that you cannot use our forms and your data in a compliant manner, I would not recommend using our forms.