How to set PHI fields on your forms?

HIPAA compliance requires protecting sensitive healthcare data in every possible way. However, it is quite common that not all fields in a form contain protected health information. In other words, you may be collecting non-sensitive regular data together with sensitive healthcare data. In JotForm HIPAA Compliant Forms, you can have such mixed content in a single form.


JotForm allows you to mark which fields in your form are used to collect healthcare data and must be “Protected”. This allows JotForm to enable additional services specific to those fields.


An important use case for this feature is AutoResponder and Notification emails. You may know that email communication doesn’t guarantee a sufficient level of data security for HIPAA, and any email containing protected health information (PHI) is a potential source of a data breach. On the other hand, email is the most important communication channel that keeps many businesses running. In JotForm HIPAA Compliant Forms, you can still use AutoResponder and Notification emails as before. The only difference is that we will automatically remove the marked fields’ data from the email content.


Here is how to configure your forms for mixed content:


On your forms, each form field has a “Protected Field” toggle. You can use this toggle to set which form fields are “Protected” and which are “Not Protected”.




“Protected” means the data collected with this field is sensitive healthcare data and cannot be used in an insecure medium (like AutoResponder or Notification emails). “Not Protected” means the data collected with this field can be used in an insecure medium.


Since your account is HIPAA compliant, all fields are marked as “Protected” by default. You can change any of them according to your needs. Please note that marking a field as “Not Protected” doesn’t change anything about how JotForm stores your data. Your data is always encrypted, even if you mark some fields as “Not Protected”. This setting is just a clue for us to decide whether we can use them in emails or third-party integrations you might have.


Here is an example Notification email. Please note how protected fields were removed.



Please use this setting with caution and double-check which fields are set as “Not Protected” to avoid HIPAA violations.
