HIPAA compliant medical forms
Formsite offers HIPAA-enabled accounts for Enterprise service level customers collecting protected healthcare information (PHI). We will enter into a Business Associate Agreement (BAA) with your organization stating our HIPAA compliance and enabling you to collect PHI using Formsite forms.
How to get started
- Upgrade your account to an Enterprise level account. Other than the cost of maintaining an Enterprise level account, there is no additional cost.
- Request a Business Associate Agreement (BAA) from us and then return it to us signed. At this time we are unable to negotiate the terms of the agreement or enter into a custom agreement.
- Formsite will execute the BAA, enable the HIPAA Compliant features, and designate the account as HIPAA compliant as of the date of the BAA. Any data collected prior to the BAA is not covered by the agreement.
HIPAA compliance security
We provide the features necessary to compliantly collect PHI. Use these features, when appropriate, to maintain HIPAA compliance.
- Email: Use our Secure Email feature to send any PHI. It is not compliant to use standard email to send PHI data.
- Login credentials: Enable two-factor authentication for maximum account protection.
- Exported results and attachments: Be sure to handle exported data in a HIPAA compliant manner once you have the data stored locally.
- Integrations: Only integrate with HIPAA compliant third parties for which you also have a BAA in place. We transmit all data securely, but it is your responsibility to have a BAA in place with any third party that receives data from Formsite.
- Results Reports: Do not use Results Reports to share PHI. Share PHI with other Users via a sub-user account, and only disclose results to authorized recipients.
- Copying forms: Forms that contain PHI should only be copied to another HIPAA compliant account.
- Extra security: This is enabled for all forms and cannot be disabled. It requires your form to use https and warns you when you may be about to do something insecure, such as emailing PHI via non-secure email. See the Security documentation page for more information.
- “Require login to access files”: This setting is enabled for all forms and cannot be disabled. It requires that you be logged in to access uploaded files. See the Secure results files area on the Security documentation page.
Account termination
HIPAA compliant accounts are only supported at our Enterprise level of service. It is not possible to downgrade your account to a lower level of service once it has been designated a HIPAA-enabled account. If you terminate service with us, data collected in your account will be deleted and your account will become inaccessible after 30 days. Once this happens, we won’t be able to reinstate your account. You would need to establish a new account if you want to continue with a HIPAA compliant account.