HIPAA compliant medical forms
Formsite offers HIPAA-enabled accounts for Enterprise service level customers collecting protected health information (PHI). We will enter into a Business Associate Agreement (BAA) with your organization stating our HIPAA compliance, enabling you to collect PHI using Formsite forms.
HIPAA compliance security
We provide the features necessary to compliantly collect PHI. Use these features, when appropriate, to maintain HIPAA compliance.
- Email: Use our Secure Email feature to send any PHI. It is not compliant to use standard email to send PHI data.
- Login credentials: Enable two-factor authentication for maximum account protection.
- Exported results and Attachments: Be sure to handle exported data in a HIPAA compliant manner once you have the data stored locally.
- Integrations: Only integrate with HIPAA compliant third parties for which you also have a BAA in place. We transmit all data securely, but it is your responsibility to have a BAA in place with any third party that receives data from Formsite.
- Results Reports should not be used to share PHI. PHI should be shared with other Users via a sub-user account. Only disclose results to authorized recipients.
- Copying forms: Forms that contain PHI should only be copied to another HIPAA compliant account.
- “Secure Form” is enabled for all forms. This security setting requires your form to use https and also warns you when you may be about to do something insecure such as email PHI via non-secure email. This setting cannot be disabled. See the Secure Form area on the Security documentation page.
- “Require login to access files” is enabled for all forms. This setting requires that you be logged in to access uploaded files. This setting cannot be disabled. See the Secure results files area on the Security documentation page.
HIPAA compliant accounts are only supported at our Enterprise level of service. It is not possible to downgrade your account to a lower level of service once it has been designated a HIPAA-enabled account. If you terminate service with us, data collected in your account will be deleted and your account will become inaccessible after 30 days. Once this happens, we won’t be able to reinstate your account. You would need to establish a new account if you want to continue with a HIPAA compliant account.