Online forms are not the most exciting piece of technology, but every organization that wants to collect information through its website needs one.
Setting up a web form can be complicated, so companies like Wufoo provide an easier way to build them.
What is Wufoo?
Wufoo describes itself as an “online form builder with cloud storage database,” which allows users to “build custom online forms that you can use to collect data, payments and to automate your workflows.”
Wufoo was launched in 2006 to provide an easy way to create online forms. The startup was part of the Y Combinator program, raising $118,000 before being acquired by SurveyMonkey in 2011 for $35 million.
Wufoo provides ready-to-use templates for registrations, surveys, lead generation, invitations, and more. It highlights the industry solutions it provides specifically for event management, education, and nonprofits.
Healthcare doesn’t appear to be on the shortlist of Wufoo’s specialties, but can covered entities nonetheless safely use its offerings to design and host secure web forms?
What does Wufoo say about HIPAA?
For a healthcare provider, health plan, or healthcare clearinghouse to use Wufoo, Wufoo must be HIPAA compliant and sign a business associate agreement (BAA).
Wufoo has an extensive write-up on its Security page, outlining how Wufoo protects your data via “top security resources, including the deep expertise of our security team and state-of-the-art hardware and networking analysis.”
From 256-bit SSL-secured connections to PCI scans to a SOC 2 Type II audited U.S. data center, Wufoo invokes many industry standards but makes no mention of HIPAA.
Similarly, the Wufoo Help Center reports “0 results for HIPAA.”
(Okay, the integration directory includes Lockbin, which calls itself a “HIPAA compliant messaging service” and says it will sign a BAA with paying customers. But its Wufoo integration relies on Wufoo’s Zapier integration, and that’s too many steps removed to consider it a Wufoo offering.)
Has anyone asked Wufoo about HIPAA?
On Twitter, Wufoo was directly asked, “Is Wufoo HIPAA compliant?”
We’ve previously explored whether you can use SurveyMonkey and be HIPAA compliant. But that’s a different question from whether you can use Wufoo specifically.
In response to an earlier Twitter inquiry, Wufoo directly conceded, “We meet most of the requirements but we’re not 100% HIPAA compliant.”
Apart from a couple of tweets, Wufoo doesn’t have anything to say officially about HIPAA compliance, and related terms are completely absent from its website.
Wufoo’s parent company, SurveyMonkey, offers a standard form BAA that meets the requirements of HIPAA (available upon request), but only to customers of its Enterprise services. And covered entities would be using SurveyMonkey forms, not Wufoo forms.
Therefore, we believe Wufoo is not HIPAA compliant.