Enterprise: Regular Server vs. HIPAA-Friendly Server

November 1, 2024

When you first enable the features that support HIPAA compliance, you'll need to be aware of some initial differences:

  • Security
  • Integrations
  • Approval Workflows
  • Emails
  • What Else?

Security

With Jotform Enterprise, your data is encrypted at rest by default, which is good for PII. The Enterprise solution is completely isolated from the Jotform environment, so nothing is shared with other users. Data is automatically encrypted while being written. Each encryption key is also encrypted with master keys managed by our hosting partner, Google Cloud Platform.

Database encryption at rest, available when you enable HIPAA-friendly features, goes one level above that. Our servers receive the raw data and, while writing it to the database, encrypt it with AES256 (every individual submission has a unique key); every individual AES256 key is in turn encrypted with the user's public key (RSA2048). Key handling is transparent to users and completely managed by Jotform.

In short, the regular enterprise setup provides disk encryption, whereas HIPAA adds database encryption over it.
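The per-submission scheme described above, a unique AES256 key for each submission with that key wrapped under the user's RSA2048 public key, is an envelope-encryption design. The Go program below is an added illustration and is not Jotform's code: it assumes AES-GCM for the record and RSA-OAEP with SHA-256 for the key wrap (the article names only the algorithms, not the modes), and the type and function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedSubmission is one stored record: ciphertext plus its own wrapped data key.
type EncryptedSubmission struct{ Nonce, Ciphertext, WrappedKey []byte }

// NewUserKey makes the per-user RSA-2048 pair under which data keys are wrapped.
func NewUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// aesGCM builds AES-256-GCM from a 32-byte key; any other length is a caller bug.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Encrypt draws a fresh key and nonce for this one submission, seals the
// plaintext, and wraps the key with RSA-2048 OAEP (GCM and OAEP are assumed).
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedSubmission, error) {
	buf := make([]byte, 32+12) // 32-byte AES-256 key, then a 12-byte GCM nonce
	rand.Read(buf)             // never fails in Go 1.24+; check its error on older toolchains
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedSubmission{nonce, aesGCM(key).Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// Decrypt unwraps the data key with the matching private key and opens the
// record; the wrong key or any altered byte yields an error, never plaintext.
func Decrypt(priv *rsa.PrivateKey, rec *EncryptedSubmission) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aesGCM(key).Open(nil, rec.Nonce, rec.Ciphertext, nil)
}
```

Because each record carries its own data key, revoking or rotating a user's RSA key only requires re-wrapping the small data keys, not re-encrypting every submission.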

Integrations

Compared to the 100+ integrations available on non-HIPAA servers, HIPAA-friendly servers offer 60+.

Here are the available options:

  • 2CheckOut
  • ActiveCampaign
  • Afterpay
  • Airtable
  • Apple Pay & Google Pay
  • Asana
  • Authorize.Net
  • AWeber
  • BluePay
  • BlueSnap
  • Box
  • Braintree
  • Campaign Monitor
  • CardConnect
  • Cash App Pay
  • Chargify
  • Clearpay
  • ClickUp
  • Constant Contact
  • CyberSource
  • Dropbox
  • eCheck.Net
  • Egnyte
  • Eway
  • GoCardless
  • Google Calendar
  • Google Drive
  • Google Sheets
  • HubSpot
  • iyzico
  • Keap
  • Keragon
  • Klarna (Previously Sofort)
  • Mailchimp
  • MailerLite
  • Make
  • Microsoft Teams
  • Mollie
  • monday.com
  • Moneris
  • OneDrive
  • PagSeguro
  • Payfast
  • PayJunction
  • Paymentwall
  • PayPal Business
  • PayPal Checkout
  • PayPal Invoicing
  • PayPal Personal
  • Paysafe
  • PayU
  • Purchase Order
  • Salesforce
  • SensePass
  • Skrill
  • Slack
  • Square
  • Stripe
  • Stripe ACH
  • Stripe ACH Manual
  • Stripe Checkout
  • Venmo
  • Webhooks
  • WorldPay UK
  • Zapier
  • Zoho CRM
  • Zoom

The shorter list reflects two HIPAA requirements: end-to-end encryption of data, and traceability of every PHI access to a known, unique individual.

Even with these available integrations, maintaining HIPAA-friendly policies is your legal responsibility. For example, if you integrate your form submission data with a Google Sheet and make that sheet openly available on the internet, that is not a HIPAA-friendly integration.

Approval Workflows

As mentioned above, HIPAA regulations dictate that every single access to PHI (Protected Health Information) needs to be traceable to a unique individual with identifiable login credentials. This may or may not impact your workflows.

For instance, accessing data without a user account, such as forwarding an edit-submission link via email, may no longer work. If you build workflows with approvers, each approver must have their own account to approve or deny a submission.

Editing submissions is available only to the form owner or to another user who has access to the form's submissions, and any editing action is possible only within Jotform.

Emails

Email is one of the insecure channels for sharing PHI.

In HIPAA-friendly accounts, you can still use Notification and Autoresponder emails, keeping in mind that it is your legal responsibility to use them in a HIPAA-friendly way. At Jotform, you can select which form fields collect PHI and mark those fields as 'Protected'.

Information collected with 'Protected' fields is hidden in emails. For more information on how to use PHI fields on forms, please refer to this article: How to Set PHI Fields on Your Forms

A good example of keeping PHI data protected in emails is shown in the screenshot below:

[Screenshot: a PHI-protected email]

What Else?

Other important limitations that should be mentioned are:

  • File uploads collected with any HIPAA-friendly account cannot be accessed without logging in, so if you expect to download files via emailed file links, log in to your HIPAA-friendly account first.
  • When you enable HIPAA-friendly features, you also enable SOC2 compliance, and vice versa. Both HIPAA and SOC2 compliance need to operate in this more secure environment. See SOC2 Compliance to learn more.

Contact Support:

Our customer support team is available 24/7, and our average response time is between one and two hours.
Our team can be contacted via:

Support Forum: https://www.jotform.com/answers/

Contact Jotform Support: https://www.jotform.com/contact/
