HIPAA compliance requires protecting sensitive healthcare data in every possible way. Jotform takes the necessary measures to protect healthcare data while it is stored in Jotform's HIPAA-compliant system. However, sharing this data over insecure channels may still result in HIPAA violations.
One of these insecure channels is email. Only a few specialized email services provide end-to-end email encryption, and using secure transport (SSL) for email is not sufficient to avoid a potential data breach. So, delivering form submission data in Jotform’s Notification or AutoResponder emails is an example of carrying sensitive healthcare data into an insecure medium and causing a HIPAA violation. On the other hand, both emails are crucial for many use cases and are simply irreplaceable for many Jotform users.
In Jotform HIPAA-compliant accounts, you are still allowed to use Notification and AutoResponder emails. The only thing you need to pay attention to is not including sensitive healthcare data in them. That is why you need to mark your form fields as “Protected” as described in How to Set PHI Fields on Your Forms. When you get a new submission and that submission needs to be delivered through an email channel, the “Protected” fields are removed from the email and the email contains only the “Not Protected” fields.
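To make this behaviour concrete, here is an added Python example (not Jotform's own code; the field names, the email layout and the leak check are assumptions) that strips Protected fields from a submission before the email body is built and verifies that no protected value remains in what would be sent:

```python
# Added example (not Jotform's code): model how a HIPAA-compliant account
# removes "Protected" (PHI) fields before a submission is placed in a
# Notification or AutoResponder email. Field names and the email layout
# are constructed here for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class FormField:
    label: str
    value: str
    protected: bool  # True = marked "Protected" (PHI) in the form builder


def redact_protected(fields):
    """Return only the fields allowed in an email, as (label, value) pairs."""
    return [(f.label, f.value) for f in fields if not f.protected]


def build_notification_body(fields):
    """Render the email body from the Not Protected fields only."""
    lines = ["New submission received"]
    lines += [f"{label}: {value}" for label, value in redact_protected(fields)]
    return "\n".join(lines)


def leaks_phi(body, fields):
    """Pre-send check: does any Protected value still appear in the body?"""
    return any(f.value in body for f in fields if f.protected and f.value)


# Constructed sample submission: two PHI fields, two non-PHI fields
SAMPLE_SUBMISSION = [
    FormField("Full Name", "Jane Example", protected=True),
    FormField("Diagnosis", "Type 2 diabetes", protected=True),
    FormField("Preferred Contact Time", "Mornings", protected=False),
    FormField("Appointment Type", "Follow-up", protected=False),
]

if __name__ == "__main__":
    body = build_notification_body(SAMPLE_SUBMISSION)
    print(body)
    # Refuse to send if a Protected value slipped into the email
    assert not leaks_phi(body, SAMPLE_SUBMISSION)
```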
Here is an example of Protected/Not Protected fields:
This guide assumes you already know how to set up Notification and AutoResponder emails for your forms. If you need detailed information on them, you can read “Setting up Email Notifications” and “Setting up an Autoresponder Email”, or the “Jotform User Guide / Form Emails” section.
Here is an example of a Notification Email in a HIPAA-compliant account (note that the Protected fields are removed from the email content):
Here is a sample AutoResponder Email in a HIPAA-compliant account: