HIPAA compliance requires protecting sensitive healthcare data wherever it is handled. However, it is quite common that not every field in a form contains protected health information (PHI). In other words, you may be collecting ordinary, non-sensitive data together with sensitive healthcare data in the same form. Jotform HIPAA Compliant Forms support such mixed content in a single form.
Jotform lets you mark which fields in your form collect healthcare data and must be "Protected". Based on this marking, Jotform applies field-specific protections to the data those fields collect.
An important use case for this feature is Autoresponder and Notification emails. Email does not provide a level of data security sufficient for HIPAA, and any email that contains protected health information (PHI) is a potential source of a data breach. On the other hand, email is the most important communication channel keeping many businesses running. In Jotform HIPAA Compliant Forms, you can still use Autoresponder and Notification emails as before. The only difference is that the data of fields marked as PHI is automatically removed from the email content before it is sent.
How to Configure Your Forms for Mixed Content
On your forms, each form element has a PHI toggle. You can use this toggle to switch between two states:
- PHI (Protected) – the data collected with this field is sensitive healthcare data and must not be sent through an insecure medium (such as Autoresponder or Notification emails).
- OFF (Not Protected) – the data collected with this field may be sent through an insecure medium.
Since your account is HIPAA compliant, all fields are marked as PHI by default. You can change any of them according to your needs. Please note that marking a field as OFF does not change how Jotform stores your data: your data is always encrypted at rest, even when PHI is turned off for a field. This setting only tells Jotform whether a field's data may be included in emails or passed to 3rd party integrations you have set up.
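To make the behaviour described above concrete, here is an added example (not Jotform's code) of how a notification email body can be built from a submission using an allow-list: only fields explicitly toggled OFF are included in clear text, and everything else, including any submitted key that was never declared on the form, is treated as protected and replaced with a placeholder. The form definition, field names and submission values are constructed for the demonstration; the `find_leaks` and `audit_unprotected` helpers are the "double-check" a practitioner would want before enabling email for a mixed-content form.

```python
"""Allow-list redaction of PHI fields for notification emails.

Illustrative example written for this article; it is not Jotform's
implementation. Field names and the submission are constructed data.
"""
from dataclasses import dataclass

REDACTED = "[protected field removed]"


@dataclass(frozen=True)
class FormField:
    name: str
    # Default is Protected, matching a HIPAA-enabled account where every
    # field is PHI until someone explicitly toggles it OFF.
    phi: bool = True


@dataclass(frozen=True)
class Form:
    fields: tuple[FormField, ...]

    def not_protected(self) -> set[str]:
        """Names of fields explicitly toggled OFF (Not Protected)."""
        return {f.name for f in self.fields if not f.phi}


def render_notification(form: Form, submission: dict[str, str],
                        placeholder: str = REDACTED) -> str:
    """Build the email body from a submission.

    Allow-list semantics: a value is emitted only if its field is on the
    form and toggled OFF. Any other key, including one not declared on
    the form at all, is rendered as the placeholder so that a
    misconfigured or unexpected field can never leak into email.
    """
    allowed = form.not_protected()
    lines = []
    for name, value in submission.items():
        shown = value if name in allowed else placeholder
        lines.append(f"{name}: {shown}")
    return "\n".join(lines)


def find_leaks(form: Form, submission: dict[str, str], body: str) -> list[str]:
    """Return names of protected fields whose submitted value still
    appears verbatim in the rendered body. Expected to be empty."""
    allowed = form.not_protected()
    return sorted(
        name for name, value in submission.items()
        if name not in allowed and value and value in body
    )


def audit_unprotected(form: Form) -> list[str]:
    """List the fields that will go out in clear text in emails and to
    integrations, so they can be reviewed before the form goes live."""
    return sorted(form.not_protected())


# Constructed sample form: two fields deliberately toggled OFF, two left
# at the default (Protected).
SAMPLE_FORM = Form(fields=(
    FormField("Appointment Time Preference", phi=False),
    FormField("Referral Source", phi=False),
    FormField("Diagnosis"),
    FormField("Insurance Member ID"),
))

# Constructed sample submission. "Medications" is not declared on the
# form at all and must therefore be treated as protected.
SAMPLE_SUBMISSION = {
    "Appointment Time Preference": "Mornings",
    "Referral Source": "Website",
    "Diagnosis": "Type 2 diabetes",
    "Insurance Member ID": "XYZ123456",
    "Medications": "Metformin",
}

if __name__ == "__main__":
    body = render_notification(SAMPLE_FORM, SAMPLE_SUBMISSION)
    print(body)
    print("Fields sent in clear text:", audit_unprotected(SAMPLE_FORM))
    print("Leaked protected values:", find_leaks(SAMPLE_FORM, SAMPLE_SUBMISSION, body))
```

The important design choice is the direction of the check: the code asks "is this field explicitly allowed?" rather than "is this field known to be protected?", so a field that was added to the form later, or a key that arrives in the submission unexpectedly, fails safe and is redacted.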
Here is an example email alert; note that the protected fields have been removed:
Please use this setting with caution and double-check which fields are set to OFF (Not Protected), since those fields' data will be included in emails and passed to integrations. Toggling a field OFF that actually contains PHI can result in a HIPAA violation.