HIPAA compliance requires that sensitive healthcare data be protected wherever it is handled. Jotform takes the necessary measures to protect healthcare data while it is stored in the Jotform HIPAA Compliance system. However, sharing this data over insecure channels may still result in a HIPAA violation.
Email is one such insecure channel. Only a few specialized email services provide end-to-end email encryption, and delivering email over an encrypted transport (SSL/TLS) is not sufficient to prevent a data breach: transport encryption protects a message only while it travels between two mail servers, and the message is still stored and relayed in readable form by the servers and mailboxes along the way. Delivering form submission data through Jotform’s Notification or Autoresponder emails is therefore an example of carrying sensitive healthcare data into an insecure medium and causing a HIPAA violation. On the other hand, both email types are crucial for many use cases and irreplaceable for many Jotform users.
Protected Health Information (PHI)
In Jotform HIPAA Compliant accounts, you can still use Notification and Autoresponder emails. What you must pay attention to is not including sensitive healthcare data in them. That is why you need to mark the form fields that can hold PHI as “Protected”, as described in the “How to Set PHI Fields on Your Forms“ guide. Mark every field that may carry PHI, including free-text fields; a field that is not marked is delivered in the email as usual.
When a new submission arrives and is delivered through an email channel, the “Protected” fields are removed from the email, so the email contains only the “Not Protected” fields.
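To make the mechanism concrete, here is an added example (it is not Jotform’s code and does not reflect how Jotform builds its emails internally) of rendering a notification email from a submission so that fields marked “Protected” never reach the message, together with a check that scans the finished email for any protected value. It assumes a field definition with a `protected` flag and an email template that references fields with `{fieldName}` placeholders; the form, submission and templates are constructed sample data.

```python
"""Added example: render a form-submission email with Protected (PHI) fields
stripped, then verify that no protected value leaked into the result.

Assumptions (not taken from the Jotform guide): each field is described by a
dict with a `protected` flag, and templates reference fields as {fieldName}.
"""
import re

# Constructed sample form definition; two fields are marked Protected.
FORM_FIELDS = {
    "fullName": {"label": "Full Name", "protected": True},
    "email": {"label": "Email", "protected": False},
    "appointmentDate": {"label": "Appointment Date", "protected": False},
    "diagnosis": {"label": "Diagnosis", "protected": True},
}

# Constructed sample submission.
SUBMISSION = {
    "fullName": "Jane Doe",
    "email": "jane@example.com",
    "appointmentDate": "2024-05-01",
    "diagnosis": "Type 2 diabetes",
}

REDACTED = "[protected field removed]"
PLACEHOLDER = re.compile(r"\{(\w+)\}")


def non_protected_fields(form_fields, submission):
    """Return only the submitted values of fields not marked Protected."""
    return {
        name: submission[name]
        for name, meta in form_fields.items()
        if not meta["protected"] and name in submission
    }


def render_template(template, form_fields, submission):
    """Substitute {fieldName} placeholders. A placeholder for a Protected
    field is replaced by a fixed marker, never by the submitted value."""
    def sub(match):
        name = match.group(1)
        meta = form_fields.get(name)
        if meta is None:
            return match.group(0)  # unknown placeholder is left untouched
        if meta["protected"]:
            return REDACTED
        return str(submission.get(name, ""))
    return PLACEHOLDER.sub(sub, template)


def build_email(subject_template, body_template, form_fields, submission):
    """Render subject and body, then append a list of Not Protected fields.
    The subject is rendered with the same rule, since it is part of the
    message that leaves over the email channel."""
    subject = render_template(subject_template, form_fields, submission)
    body = render_template(body_template, form_fields, submission)
    lines = [body, "", "Submission fields:"]
    for name, value in non_protected_fields(form_fields, submission).items():
        lines.append(f"{form_fields[name]['label']}: {value}")
    return {"subject": subject, "body": "\n".join(lines)}


def leaked_protected_values(email, form_fields, submission):
    """Check: return every Protected value that still appears anywhere in
    the rendered email. A non-empty result means PHI reached the channel."""
    text = email["subject"] + "\n" + email["body"]
    return [
        submission[name]
        for name, meta in form_fields.items()
        if meta["protected"]
        and name in submission
        and str(submission[name])
        and str(submission[name]) in text
    ]


if __name__ == "__main__":
    email = build_email(
        "New appointment for {fullName}",
        "A new submission arrived from {email}. Diagnosis: {diagnosis}",
        FORM_FIELDS, SUBMISSION,
    )
    print(email["subject"])
    print(email["body"])
    assert leaked_protected_values(email, FORM_FIELDS, SUBMISSION) == []
```

The point of the final check is that stripping happens per field: a Protected value is removed even when the template names it explicitly, while an unmarked field such as the email address is delivered as-is. If the same PHI is also typed into an unmarked free-text field, nothing in this flow removes it, which is why every field that can carry PHI has to be marked.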
This guide assumes you already know how to set up Notification and Autoresponder emails for your forms. If you need detailed information on them, you can read the “Setting up Email Notifications“ and “Setting up an Autoresponder Email“ guides or check the “Jotform User Guide – Form Emails“ page.