HIPAA forms for WordPress: A primer

WordPress is the leading web content management system in the world — and for good reason. It’s easy to use (even for beginners), comes with a lot of out-of-the-box functionality, has a robust ecosystem, and is affordable for individuals and businesses.

WordPress is also a highly secure platform. However, if you work in a healthcare-related field, you must ensure that your website follows HIPAA regulations. And if you’re planning on using forms on your site to collect patient data, you need to make sure that level of security extends to those as well.

Below we’ll cover what you need to know about using HIPAA-friendly forms in WordPress, starting with some essential security information and ending with a selection of top form solutions with HIPAA-friendly features.

What HIPAA is and how it relates to websites

The Health Insurance Portability and Accountability Act (HIPAA) stipulates that sensitive patient health information can’t be disclosed to anyone else (barring specific permitted disclosures) without that patient’s express consent and knowledge.

As a result of this law, organizations in the healthcare field — which includes hospitals, clinics, labs, health-tech companies, and more — must implement specific processes, tools, and safeguards to ensure that they never disclose protected health information (PHI) without the patient’s permission.

So what does HIPAA have to do with your website?

If your organization collects any kind of personal health information via its website, then by law you’re required to protect that information and keep it secure.

For example, a healthcare organization such as a massage therapy clinic may have a client intake form on its website that it uses to collect health-related data. If the website experiences a data breach due to poor security measures, patients who’ve filled out that form may find that their personal health information has been released without their consent. For the massage therapy clinic, this could result in a host of legal issues and fines — not to mention a loss of reputation and business.

“It is essential to use HIPAA-friendly forms to ensure patient confidentiality and privacy,” says Evan Tunis, president of Florida Healthcare Insurance. “With the advancement of technology, the risk of data breaches and unauthorized access to sensitive medical information has increased, making it crucial for healthcare providers to have strict protocols in place.

“HIPAA was enacted in 1996 to protect patients’ health information from being disclosed without their consent. Using HIPAA-friendly forms helps healthcare organizations comply with these regulations and maintain the trust of their patients.”

How WordPress aligns with HIPAA principles

To ensure information doesn’t end up in the wrong hands, WordPress offers numerous layers of security features:

• Data encryption: All WordPress sites are encrypted by default and served over SSL.
• Firewalls: WordPress is alerted if there are any attempts to breach its firewalls and access its accounts.
• Continuous monitoring: WordPress monitors all web traffic for any suspicious activity or distributed denial of service (DDoS) attacks.
• Security testing: WordPress tests for potential vulnerabilities on its platform, looking for bugs that can threaten the security of the system.
• Data backup and recovery: If your website loses data because of an event such as a natural disaster or power supply failure, you don’t have to worry as WordPress backs up its system regularly.
• Highly trained security team: WordPress has a dedicated security department that identifies and addresses any kind of security risk.

Here’s an important distinction to note, though: WordPress may not support HIPAA compliance, as the company apparently will not sign a Business Associate Agreement.

However, WordPress’s security features do provide several ways to keep patient data safe. If you want to collect personal health information from your WordPress site without violating HIPAA, the best way to do that is to use a form builder plug-in that enables HIPAA compliance.

What to look for when choosing a WordPress form builder with HIPAA compliance features

“When selecting forms, an organization should consider several factors to ensure that they meet the necessary standards for protecting patient information,” says Tunis. Any form-building tool you’re considering should be strong in the following areas:

• Encryption
• Access controls
• Data storage
• Audit trails
• Secure transmission features

To keep the personal health information you collect on your WordPress site safe, try one of the following form solutions.

1. Jotform

Jotform has many layers of security, including multiple encryption methods, a 256-bit SSL connection, and vulnerability scanning. With Jotform, you can create HIPAA-friendly forms to collect sensitive medical information and then use its WordPress plug-in to embed these forms on your WordPress site.

Jotform comes with hundreds of form templates that are appropriate for nearly every area of healthcare. You can use them as-is or customize them to meet your needs. Unlike WordPress, Jotform offers a signed Business Associate Agreement for HIPAA compliance and can provide it to your organization at your request.

In addition to a free Starter plan, Jotform has four tiers of paid plans starting at $34 per month. The Gold and Enterprise plans offer HIPAA compliance features.

2. Ninja Forms

Ninja Forms is another solid choice. Its website notes that its form solution is HIPAA-friendly as long as your website complies with HIPAA’s security standards. You can also use the premium Formstack Documents (formerly WebMerge)-Ninja Forms integration via Zapier to securely collect, store, and send form responses.

The Ninja Forms drag-and-drop form builder is easy to use. Plus, it enables you to collect payments and files through your forms, export submissions in multiple formats, and send emails from forms.

Ninja Forms has a free plan as well as three tiers of paid plans starting at $99 per year.

3. HIPAAtizer

HIPAAtizer is a WordPress plug-in that can turn existing forms into HIPAA-friendly forms or help you create your own HIPAA-friendly forms. The plug-in can convert PDFs, Microsoft Word documents, or printed forms into online forms, and has the security features necessary to maintain HIPAA compliance.

HIPAAtizer has a free plan as well as three tiers of paid plans starting at $29 per month. It also offers a free plan specifically for developers and web designers; however, this plan doesn’t include HIPAA compliance features.

4. Cognito Forms

Cognito Forms is a great no-code form builder plug-in for WordPress that’s HIPAA-friendly. It offers a number of security features, such as SSL encryption, data encryption, a Business Associate Agreement, and automatic system logoff, to protect your form data. Cognito Forms also comes with dozens of form templates so you can save time when creating your WordPress forms.

Note that the free version of Cognito Forms doesn’t currently offer HIPAA compliance features. Those security features are only available with the Enterprise plan, which costs $99 per month.

5. HIPAA Forms

The HIPAA Forms WordPress plug-in by Code Monkeys is designed to work specifically with Caldera Forms and Gravity Forms. When you use those form builders with this plug-in for WordPress, you can enable HIPAA compliance features for your forms by clicking a checkbox within the plug-in interface.

This encrypts the data submitted through the form and stores it in a HIPAA-friendly storage space. A badge is also added to your form to show that you’re following HIPAA regulations.

The HIPAA Forms plug-in has a number of security measures to protect your form data at rest and during transit, including SSL and asymmetric encryption. You can also get a signed Business Associate Agreement.

In order to use HIPAA Forms, you need a license key from hipaaforms.online, which has a free option for 25 forms per month. The annual paid subscription costs $55 per month and supports unlimited forms.

Jotform: A HIPAA-friendly solution for WordPress websites

Make the business of collecting information easy for your healthcare organization by choosing Jotform’s HIPAA-friendly form plug-in for WordPress.

This form builder has multiple layers of security, from intrusion detection to audit logs. Whether you’re collecting, storing, or transmitting data, Jotform keeps it secure so there’s no chance of any PHI being released without patient consent.

In addition to its HIPAA features, Jotform offers a ton of other useful functionality:

• Thousands of form, survey, and poll templates
• Conditional logic
• In-form calculations
• Multiple embed and sharing options
• And more

Photo by Beyza Yılmaz on Unsplash