Jotform HIPAA Compliance

Learn how Jotform helps you comply with HIPAA and builds a better, more secure environment to mitigate your risk and help you prove compliance with HIPAA. We did the hard work so you don’t have to, and you can inherit a lot of the work that we’ve done in terms of audits. Our API, platform, and data integration service make HIPAA compliance easier.

In an effort to be transparent, we go into a good amount of detail on this page. As a lead-in, below is a high-level summary of our major architecture, our guiding principles, and how it maximizes our security.

• Encryption — All data is encrypted in transit, end to end, and at rest. Log data is also encrypted to mitigate the risk of ePHI stored in log files.
• Minimum Necessary Access — Access controls always default to no access unless overridden manually.
• System Access Tracking — All-access requests and changes of access, as well as approvals, are tracked and retained.
• PHI Segmentation — all customer data is segmented. Additionally, all platform customers have a dedicated overlay network (subnet) for additional network segmentation.
• Monitoring — All network requests, successful and unsuccessful, are logged, along with all system logs. API PHI requests (GET, POST, PUT, DELETE) log the requestor, location, and data changed/viewed. Additionally, alerts are proactively sent based on suspicious activity. OSSEC is used for IDS and file integrity monitoring.
• Auditing — All log data is encrypted and unified, enabling secure access to full historical network activity records.
• Minimum Risk to Architecture — Secure, encrypted access is the only form of public access enabled to servers. All API access must first pass through Jotform AWS firewalls. To gain full access to Jotform systems, users must log in via 2-factor authentication through VPN, authenticate to the specific system as a regular user, and upgrade privileges on the systems temporarily as needed.
• Vulnerability Scanning — All customer and internal networks are scanned regularly for vulnerabilities.
• Intrusion Detection — All production systems have intrusion detection software running to proactively detect anomalies.
• Backup — All customer data is backed up every 24 hours. Seven (7) days of rolling backups are retained.
• Disaster Recovery — Jotform has an audited and regularly tested disaster recovery plan. This plan also applies to customers, and they inherit this from us.
• Documentation — All documentation (policies and procedures that make up our security and compliance program) is reviewed at least annually.
• Risk Management — We proactively perform risk assessments to assure changes to our infrastructure do not expose new risks to ePHI. Risk mitigation is done before changes are pushed to production.
• Workforce Training — Despite not having access to the ePHI of our customers, all Jotform workforce members undergo HIPAA and security training regularly.