Web forms offer healthcare organizations an easy way to digitally collect information from patients, but care must be taken not to violate HIPAA Rules. To collect any health data, HIPAA compliant online forms must be used.
HIPAA Compliant Online Forms Must be Used for Collecting Health Information
The HIPAA Privacy and Security Rules require all HIPAA-covered entities and business associates to implement a range of safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). Online forms are not specifically mentioned in the HIPAA text, but the Privacy and Security Rules apply to any form that collects, transmits, or stores PHI, whoever hosts it.
Large healthcare organizations are more likely to have in-house staff with the skills to create forms that comply with HIPAA Rules, but many covered entities take advantage of the convenience of third-party webform solutions. There are many companies that offer HIPAA compliant online forms software that allows forms to be quickly spun up and used for a wide range of purposes such as onboarding new patients, obtaining consent, collecting payments, and conducting surveys.
Prior to using any third-party solution provider, HIPAA-covered entities should assess the security controls that have been put in place to secure information captured by the forms. All information captured by online forms must be protected against unauthorized access both in transit (TLS between the patient's browser and the form service, and between the service and any system it forwards data to) and at rest (encrypted storage of the submissions and any backups). Encryption is one of the most effective ways to achieve this: an encrypted submission can only be read by a party holding the decryption key, so a copy of the stored data obtained without the key is of no use to an attacker.
Most form software solutions encrypt data, but the level of protection depends on the algorithms and key lengths used and on who holds the keys. TLS alone protects data only while it is in flight; once it reaches the vendor it is plaintext on the vendor's servers. HIPAA-covered entities should prefer a webform solution that offers true end-to-end encryption, where submissions are encrypted in the patient's browser and only the covered entity holds the decryption key, and that uses algorithms recommended by NIST (for example AES-256 for stored data and TLS 1.2 or later for transport).
How to Choose a Third Party Webform Solution
Several popular web form solution providers advertise their services as capable of creating HIPAA compliant forms or may even claim they offer a HIPAA compliant webform service. Strictly speaking, no software solution can be HIPAA compliant as it is possible to use any software in a manner that violates HIPAA Rules.
Companies that offer HIPAA compliant online forms software will have implemented safeguards that meet the requirements of the HIPAA Privacy and Security Rules. The solution provider will also agree to become a business associate and sign a business associate agreement (BAA) with HIPAA covered entities.
A signed, HIPAA compliant business associate agreement must be obtained from an online form software company before the software can be used in connection with any health information. Healthcare organizations can use form software supplied by companies that are not prepared to sign a BAA, but the forms cannot then be used to collect any protected health information.
HIPAA Compliant Online Forms Software Does Not Guarantee Compliance
A BAA is necessary but not sufficient. With a BAA in place, the covered entity must still configure and operate the service in a way that creates HIPAA-compliant online forms; the agreement itself does not guarantee compliance.
Access controls must be configured correctly so that only individuals authorized to view webform data can log in, and each user should be given the least access needed for their role. Strong passwords should be enforced, and multi-factor authentication should be enabled wherever the service supports it. Users should be automatically logged out of the admin account after a set period of inactivity, and audit logs of logins, exports, and changes to form settings should be retained and periodically reviewed for unexpected access.
The web form service may send email notifications or reports to administrators to alert them to new form entries. If so, the emails/reports should contain no protected health information, only a notice that a submission exists and a link to view it after logging in; email is generally unencrypted and its copies are retained outside the controls that protect the form data.
If a solution is chosen that interacts or integrates with other systems, Google Sheets for example, make sure the integration only sends data to platforms that are themselves covered by a BAA, and obtain that BAA from the provider of the downstream software before enabling the integration. An integration that copies submissions into a service without a BAA is itself an impermissible disclosure of PHI, even if the form service is fully compliant.