Jotform is fully committed to safeguarding sensitive information and is HIPAA compliant. This means that Jotform meets the strict privacy and security requirements outlined in the Health Insurance Portability and Accountability Act (HIPAA) to protect health-related data. By using Jotform’s HIPAA-compliant features, you can securely collect and manage patient information, ensuring that all forms and submissions are stored in compliance with HIPAA regulations. This is especially important for healthcare providers and organizations handling protected health information (PHI).
At Jotform, we prioritize security and transparency in all our practices, particularly when handling sensitive data. Below is a high-level summary of our key security features, principles, and architecture designed to ensure HIPAA compliance and maximize data protection:
- Encryption — All data is encrypted in transit, end to end, and at rest. Log data is also encrypted to mitigate the risk of ePHI stored in log files.
- Minimum Necessary Access — Access controls always default to no access unless overridden manually.
- System Access Tracking — All-access requests and changes of access, as well as approvals, are tracked and retained.
- PHI Segmentation — All customer data is segmented. Additionally, all platform customers have a dedicated overlay network (subnet) for additional network segmentation.
- Monitoring — All network requests, successful and unsuccessful, are logged, along with all system logs. API PHI requests (GET, POST, PUT, DELETE) log the requestor, location, and data changed/viewed. Additionally, alerts are proactively sent based on suspicious activity. OSSEC is used for IDS and file integrity monitoring.
- Auditing — All log data is encrypted and unified, enabling secure access to full historical network activity records.
- Minimum Risk to Architecture — Secure, encrypted access is the only form of public access enabled to servers. All API access must first pass through Jotform AWS firewalls. To gain full access to Jotform systems, users must log in via 2-factor authentication through VPN, authenticate to the specific system as a regular user, and upgrade privileges on the systems temporarily as needed.
- Vulnerability Scanning — All customer and internal networks are scanned regularly for vulnerabilities.
- Intrusion Detection — All production systems have intrusion detection software running to proactively detect anomalies.
- Backup — All customer data is backed up every 24 hours. Seven (7) days of rolling backups are retained.
- Disaster Recovery — Jotform has an audited and regularly tested disaster recovery plan. This plan also applies to customers, and they inherit this from us.
- Documentation — All documentation (policies and procedures that make up our security and compliance program) is reviewed at least annually.
- Risk Management — We proactively perform risk assessments to assure changes to our infrastructure do not expose new risks to ePHI. Risk mitigation is done before changes are pushed to production.
- Workforce Training — Despite not having access to the ePHI of our customers, all Jotform workforce members undergo HIPAA and security training regularly.
Send Comment:
7 Comments:
327 days ago
I purchased the HIPAA Compliance and imported my four current forms. Do I have to rebuild those forms in ANY way, or am I totally good to go? Will it look different to the patient? Do I have to embed the form into my website again, or is that seamless? Thanks for all of your help.
More than a year ago
Are there any HIPAA-compliant API endpoints?
We have moved to a HIPAA form instead of a regular one, and now on any API call we see ["isHIPAA"]=>int(1)
Do you guys have any tutorials or specific endpoints? Maybe we're missing some encryption?
Thanks!
More than a year ago
We are utilizing Jotform's HIPAA features with the Gold plan. However, this plan does not include a multi-factor authentication feature, which is a standard requirement for HIPAA compliance. How can you assist us in meeting the HIPAA security requirements?
More than a year ago
Supposed to be completing a valid patient assignment form and medical release for VirtuOx. I was given this link address to do so. Where is the form? And why if I signed form in the office do I have to do this again?
More than a year ago
C'est pour vérifier mon dossier si c'est complet .
Fait-il qu'elle doit sur mon E-mail ?
Merci de me répondre
More than a year ago
Hi, where is the data associated with submitted forms stored? I work in the NHS and all data is required to be stored in the UK
More than a year ago
Are auto Jotform QR Codes safe to use?