Jotform HIPAA Compliance

November 29, 2021

Learn how Jotform not only complies with HIPAA, but builds a better, more secure environment to mitigate your risk and help you prove compliance with HIPAA. We did the hard work so you don’t have to, and you can inherit a lot of the work that we’ve done in terms of audits. Our HIPAA-compliant API, platform, and data integration service simplify compliance for you.

By the way, it’s very easy to switch to HIPAA compliance in Jotform, learn how to do that with this video.

In an effort to be transparent, we go into a good amount of detail on this page. As a lead-in, below is a high-level summary of our major architecture, our guiding principles, and how it maximizes our security.

Need
Jotform Approach
Encryption
All data is encrypted in transit, end to end, and at rest. Log data is also encrypted to mitigate the risk of ePHI stored in log files.
Minimum Necessary Access
Access controls always default to no access unless overridden manually.
System Access Tracking
All-access requests and changes of access, as well as approvals, are tracked and retained.
PHI Segmentation
All customer data is segmented. Additionally, all platform customers have a dedicated overlay network (subnet) for additional network segmentation.
Monitoring
All network requests, successful and unsuccessful, are logged, along with all system logs. API PHI requests (GET, POST, PUT, DELETE) log the requestor, location, and data changed/viewed. Additionally, alerts are proactively sent based on suspicious activity. OSSEC is used for IDS and file integrity monitoring.
Auditing
All log data is encrypted and unified, enabling secure access to full historical network activity records.
Minimum Risk to Architecture
Secure, encrypted access is the only form of public access enabled to servers. All API access must first pass through Jotform AWS firewalls. To gain full access to Jotform systems, users must log in via 2-factor authentication through VPN, authenticate to the specific system as a regular user, and upgrade privileges on the systems temporarily as needed.
Vulnerability Scanning
All customer and internal networks are scanned regularly for vulnerabilities.
Intrusion Detection
All production systems have intrusion detection software running to proactively detect anomalies.
Backup
All customer data is backed up every 24 hours. Seven (7) days of rolling backups are retained.
Disaster Recovery
Jotform has an audited and regularly tested disaster recovery plan. This plan also applies to customers, and they inherit this from us.
Documentation
All documentation (policies and procedures that make up our security and compliance program) is stored and versioned using Google Docs.
Risk Management
We proactively perform risk assessments to assure changes to our infrastructure do not expose new risks to ePHI. Risk mitigation is done before changes are pushed to production.
Workforce Training
Despite not having access to the ePHI of our customers, all Jotform workforce members undergo HIPAA and security training regularly.

See the details of how we comply with HIPAA below. These are mapped to specific HIPAA rules. There’s a lot here but again, we are taking on this responsibility so that our customers don’t have to. Controls marked with a (Req) are Required. Controls marked with an (A) are Addressable. In our environment, controls outlined below are implemented on all infrastructure that processes, stores, transmits, or can otherwise gain access to ePHI (electronically protected health information).

To download details of Jotform HIPAA Compliance, please check here.

Was this guide helpful?
Contact Support:

Our customer support team is available 24/7 and our average response time is between one to two hours.
Our team can be contacted via:

Support Forum: https://www.jotform.com/answers/

Contact Jotform Support: https://www.jotform.com/contact/

Send Comment:

Jotform Avatar
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Comment:

Podo CommentBe the first to comment.