When you first enable the features that support HIPAA compliance, you’ll need to be aware of some initial differences:
- Security
- Integrations
- Approval Workflows
- Emails
- What Else?
Security
With Jotform Enterprise, your data is encrypted at rest by default (good for PII)
The Enterprise solution is completely isolated from the shared Jotform environment, so nothing is shared with other users. All data (users’ forms, submissions, etc.) is automatically encrypted at rest as it is written to the physical disks. Each encryption key is itself encrypted with master keys managed by Google Cloud Platform (our hosting partner).
Database-level encryption at rest, which is available when you enable HIPAA-friendly features, is one level above that (required for PHI)
Our servers receive the raw data and, while writing it to the database, encrypt it with AES-256 (every individual submission gets its own unique key); each AES-256 key is in turn encrypted with the user’s RSA-2048 public key. Keys are transparent to users and completely managed by Jotform.
In short, the regular Enterprise setup provides disk encryption, whereas HIPAA-friendly mode adds per-submission database encryption on top of it.
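The scheme described above is envelope encryption: a fresh symmetric key per submission, wrapped with the owner's RSA public key. The following is an added illustration of that pattern, not Jotform's own code; it uses AES-256-GCM (the page only says "AES256", so the authenticated mode is an assumption) and RSA-OAEP with a 2048-bit key, and keeps the owner's private key in memory for the demo, whereas the page says the real keys are managed by Jotform under GCP master keys. The sample submission is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedSubmission is the record that would reach the database: the submission
// body under a per-submission AES-256-GCM key, and that key under the form
// owner's RSA-2048 public key. The raw data key is never stored.
type SealedSubmission struct {
	WrappedKey []byte // RSA-OAEP(ownerPub, dataKey)
	Nonce      []byte // 12-byte GCM nonce, fresh for every submission
	Ciphertext []byte // AES-256-GCM(dataKey, nonce, body), auth tag appended
}

// SealSubmission generates a fresh 256-bit data key for this submission,
// encrypts the body with AES-256-GCM, then wraps the data key with the owner's
// public key so only the matching private key can recover it.
func SealSubmission(ownerPub *rsa.PublicKey, body []byte) (*SealedSubmission, error) {
	dataKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ownerPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &SealedSubmission{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, body, nil),
	}, nil
}

// OpenSubmission reverses SealSubmission. The wrong private key, or any
// modification of the stored record, fails closed instead of returning garbage.
func OpenSubmission(ownerPriv *rsa.PrivateKey, s *SealedSubmission) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, ownerPriv, s.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or damaged envelope")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or nonce was modified")
	}
	return body, nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: a form submission holding PHI-like fields.
	submission := []byte(`{"patient":"Jane Roe","diagnosis":"asthma"}`)

	ownerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sealed, err := SealSubmission(&ownerKey.PublicKey, submission)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %d-byte wrapped key, %d-byte ciphertext\n",
		len(sealed.WrappedKey), len(sealed.Ciphertext))

	body, err := OpenSubmission(ownerKey, sealed)
	fmt.Printf("owner decrypts: %s (err=%v)\n", body, err)

	// A second account's key cannot unwrap the data key.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = OpenSubmission(other, sealed)
	fmt.Println("other user decrypts:", err)

	// A single flipped bit in the database row is detected by the GCM tag.
	sealed.Ciphertext[0] ^= 0x01
	_, err = OpenSubmission(ownerKey, sealed)
	fmt.Println("tampered row:", err)
}
```

The point of the two-layer design is that a disk image or a database dump on its own yields only wrapped keys and ciphertext; recovering a submission additionally requires the owner's private key, which is why the page can describe this as a level above plain disk encryption.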
Integrations
Compared to the 100+ integrations available on non-HIPAA servers, the number of available integrations drops to fewer than 20:
Any existing integration not on this list will be disabled. This is because of two HIPAA requirements: end-to-end data encryption, and traceability of each access to PHI to a known, unique individual.
Even with these available integrations, it is your legal responsibility to maintain HIPAA-friendly policies. For example, if you integrated your form submission data with a Google spreadsheet and then made that Sheet openly available on the internet, that would not be a HIPAA-friendly integration.
Approval Workflows
As mentioned above, HIPAA regulations dictate that every single access to PHI (Protected Health Information) must be traceable to a unique individual with their own identifiable login credentials. This may or may not impact your workflows.
For instance, methods that access data without a user account (such as forwarding an ‘edit submission’ link via email) may no longer work. Likewise, if you build workflows with approvers, those approvers will need their own accounts to approve or deny a submission by editing it directly in the system (the submissions page).
Editing submissions is available only to the form owner or to another user who has been granted access to the form’s submissions, and any editing action is only possible within our system.
Emails
Email is one of the insecure channels for sharing PHI.
In HIPAA-friendly accounts you can still use Notification and AutoResponder emails, keeping in mind that it is your legal responsibility to use them in a HIPAA-friendly way. In Jotform you can select which form fields collect PHI and mark those fields as ‘Protected’.
Information collected in ‘Protected’ fields is hidden in emails. For more information on how to use PHI fields on forms, see the help article: How to Set PHI Fields on Your Forms
A good example of keeping PHI data protected in emails is provided below:
What Else?
Other important limitations worth mentioning:
- File uploads collected with a HIPAA-friendly account cannot be accessed without logging in, so if you expect to download files from links in emails, make sure you are logged in to your HIPAA-friendly account.
- When you enable HIPAA-friendly features you also enable SOC 2 compliance, and vice versa. Both HIPAA and SOC 2 compliance need to operate in this more secure environment. Check out our page on SOC 2 compliance to learn more.
Comments:
More than a year ago
What is a NULL widget on a form?