- wvaldes, asked on October 31, 2016 at 08:10 AM
Great tool. Context of the questions: Using Jotform for healthcare
1. Where is the form data stored? Is that storage guaranteed to be in the US (data sovereignty rules) and HIPAA compliant encrypted transmission?
2. If not, can the data be redirected to a HIPAA compliant server? Amazon, Azure, and Google all offer HIPAA compliant cloud options as do many others.
- JotForm Support (candy), answered on October 31, 2016 at 11:26 AM
1. Once, the Safe Harbor agreement allowed US companies to keep EU data in data centers in the US. A European court invalidated Safe Harbor in 2015. This was a big problem for US companies and their customers. As a solution, we decided to keep the data of our European users on our new European servers. The data is kept exclusively on our EU servers in Germany. Please check the following related user guide about EU Safe Forms: https://www.jotform.com/blog/178-EU-Safe-Forms-Our-Solution-to-the-EU-Safe-Harbor-Invalidation
2. Currently, Jotform does not hold a HIPAA Compliance Certificate; nevertheless, you can use Jotform in a HIPAA-compliant way.
Jotform has a very powerful cloud of secure servers. This provides security protection against malicious attacks like SQL injection and denial of service (DoS) attacks. We provide a very high security level throughout our hosting provider's servers for stored data. Moreover, all of our SSL certificates support high-grade 256-bit encryption. In that sense, JotForm certainly complies with the technical safeguard section of the HIPAA Security Rule:
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
For a better explanation of how to be HIPAA compliant using Jotform, you must know that data stored on our servers is not encrypted unless you enable encryption. At any rate, access to our servers is highly safeguarded.
On the other hand, data transmission from the person who submits their health information to our servers can be done in an encrypted manner, by using the forms securely.
So, to be compliant with HIPAA rules, users must follow this advice:
1. Create encrypted forms; JotForm employees will never have access to the data.
Only you and your representatives will be able to see it using the encryption key. Be sure to store it securely; otherwise, the data cannot be seen or decrypted. Also, be aware that data stored at rest, which was submitted using encryption, cannot be decrypted if you download it.
2. If you do not wish to send data in emails, be sure to edit the email notifications in your forms and make sure no specific information is used in them. We send emails in plain text. Only use emails to get alerts that there is a new submission. Once you receive an email alert, log into the secure JotForm site and then look at the user
3. If you use the Reports feature, only do it with password protection. That will both ask for a password and transfer all data over SSL.
4. Same for uploads. They are not password protected.
5. Log out immediately after you are done with the site.
6. Regularly download submissions and then delete them.