Jotform is an online form-building company that allows organizations to collect registrations, applications, orders, and payments. The company provides several form templates for its clients and a drag-and-drop creation tool for straightforward customer use.
Is Jotform HIPAA compliant? Yes, Jotform can be HIPAA compliant for certain plan levels.
See also: Collect patient data securely with Paubox Forms
Will Jotform sign a business associate agreement (BAA)
Yes, Jotform will sign a business associate agreement (BAA); more information on how to receive a BAA can be found here, and a version can be found here.
Jotform only signs a BAA with customers who sign up for its HIPAA compliant Gold or Enterprise plans. Once enabled or upgraded, HIPAA user accounts and the organization’s forms are marked with a HIPAA compliance badge. At that point, a BAA can be requested directly from an organization’s Jotform account.
What does the Jotform BAA cover?
The Jotform BAA covers the protected health information (PHI) of its healthcare clients who use its HIPAA-compliant forms. According to the BAA, “Jotform shall not, and shall ensure that its directors, officers, admin users, employees, contractors do not, use or disclose [PHI] created, maintained, or transmitted for the customer in any manner that would violate HIPAA. Jotform acknowledges and agrees that it will not use or disclose PHI other than as permitted or required by this HIPAA BAA or as required by law.”
Included with the Jotform BAA are HIPAA-related administrative, physical, and technical safeguards, subcontractor BAAs, and requests for restrictions from healthcare clients. Such measures ensure the security of PHI through Jotform. The BAA covers:
- The overall protection of PHI
- PHI segmentation
- Auditing, logging, and scanning
- Backups every 24 hours
- Notifications of PHI use or disclosure and security incidents
- Notifications of the breach of unsecured PHI
- Access by HHS requests
What does the Jotform BAA exclude?
Jotform only signs a BAA with its Gold or Enterprise customers. Its other plans are excluded from its BAA, and only Enterprise customers can customize an agreement.
Jotform further states that customers must always use HIPAA-enabled accounts; any other use is strictly prohibited and not covered by the BAA. What this means is that the customer:
- Must only copy forms to other HIPAA-enabled accounts
- Agrees that Jotform is not responsible for PHI once it is exported
- Acknowledges that PHI shared via Jotform abides by its terms of services and regulations
- If using third-party integrations, enters into agreements with those business associates before using or disclosing PHI
Within the BAA, Jotform adds, “Jotform is a tool for securely collecting complex information using customizable forms. Jotform is not an electronic health record or other medical record system and should not be used to maintain a Designated Record Set or relied upon directly to provide patient care. Information collected via Jotform must be transferred into an appropriate system of record (for example, an electronic health record) in accordance with appropriate processes to assure confidentiality, accuracy and availability before being used for patient care.”
Conclusion
Jotform can be HIPAA compliant for its Gold or Enterprise customers, but not users on a lower plan.
Learn more: HIPAA Compliant Email: The Definitive Guide
FAQs
What is a business associate agreement?
A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of personal health information (PHI) as required by HIPAA regulations.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
Subscribe to Paubox Weekly
Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.