Every organization, and certainly every business, needs a website. It's a more complicated prospect for covered entities like healthcare providers, health plans, and healthcare clearinghouses, which will want to set up a HIPAA compliant website. While some of the most popular website hosting companies are not HIPAA compliant, it's possible to address HIPAA concerns by making sure your web host doesn't handle, process, or store protected health information (PHI). For example, instead of accepting information from customers and clients through your website, you can use secure online forms provided by other companies like Formstack.
Founded in 2006, Formstack bills itself as a "no-code workplace productivity platform." The company's mission is to provide "a better way" to capture data and automate repetitive work. Today, the company has over 250 employees between offices in Colorado Springs and Indianapolis, and serves over 27,000 organizations, including Netflix, Twitter, and the National Hockey League. The Formstack platform includes web forms, document management, digital signatures, and integrations with other popular business tools like Microsoft, Salesforce, HubSpot, PayPal and Stripe. The company's signature offering is an easy-to-use online form builder with a drag-and-drop interface, conditional logic (providing different information or forms based on the information provided), accessible and mobile responsive designs, and analytics. Formstack also says it uses "the highest levels of form security," including 256-bit SSL, data encryption, PGP email encryption, password protection, and invisible reCAPTCHA.
Formstack answers the question of whether it is HIPAA compliant directly. "Formstack offers an Enterprise level solution that is compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)," the company says. "Forms can collect Electronic Personal Health Information (ePHI) with HIPAA and HITECH compliant encryption technology." In addition to data encryption, the company has implemented access controls, auditing, and logging, and it is willing to sign a business associate agreement (BAA). Its HIPAA compliant form offerings, first introduced in 2016, can also pass protected health data to HIPAA compliant tools from other vendors, including Salesforce, Dropbox, PayPal, Stripe, and Google Drive. Formstack points out that it only ensures HIPAA compliance within the limited role it plays in your business, and that customers have to ensure that their entire system meets HIPAA security requirements. To help customers understand the big picture, Formstack outlines Best Practices for Healthcare Forms. In addition to HIPAA compliant forms, Formstack offers other HIPAA compliant solutions, including document management and electronic signature services.