HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

RoboForm Review

This RoboForm review has been compiled from the perspective of a HIPAA Covered Entity or Business Associate required to comply with the safeguards of the Security Rule. Consequently, some features mentioned in this review may not be relevant for other, non-regulated businesses.

The HIPAA Security Rule includes a number of safeguards that apply to password managers if they are going to be used to store or share Protected Health Information (PHI). These include access controls, user verification, activity reporting, and automatic logoff. Most vault-based password managers include these capabilities in their business subscription plans – including RoboForm.

However, most vendors of vault-based password managers either will not enter into a Business Associate Agreement or decline to say whether they will – a requirement of HIPAA even when the vendor cannot view any PHI because it is encrypted and the vendor does not have the decryption key. RoboForm falls into the “decline to say” category, so it is safe to assume they won't.

Therefore, if a business were to deploy a RoboForm password manager in a health care environment, it would not be able to store PHI on the platform or use it to share health information – even via the secure messaging feature. However, if the business did not use the platform for storing or sharing PHI, RoboForm can be a cost-effective way to enhance the security of online accounts.

How the RoboForm Password Manager Works

RoboForm is a vault-based password manager. This means that, unlike browser-based password managers (e.g., Chrome) that only save passwords in one browser brand, or operating system-based password managers (e.g., Apple Keychain) that only save passwords in one OS type, users can access passwords from any Internet-connected device regardless of the browser or operating system.

This has advantages for businesses inasmuch as passwords for corporate accounts can be shared securely among teams across all devices without businesses having to consider who is using which browser or what type of device. It also supports the use of unique complex passwords for each account to mitigate the risk of a data breach attributable to a brute force attack.

With regard to administering users and complying with the Security Rule safeguards, the RoboForm business plan includes a series of features that simplify corporate password management. These include (but are not limited to) Role-Based Access Controls, Active Directory integration, password audits (*), and advanced reporting capabilities that satisfy the requirements for activity reporting.

(*) HIPAA does not stipulate minimum password strengths, but it is in a business's best interests to enforce policies requiring passwords to be of a minimum length and complexity. You can find more best practices for HIPAA passwords in this article.

How Much Does the RoboForm Business Plan Cost?

Due to the savings businesses can make by mitigating the risk of a data breach and improving productivity (e.g., fewer calls to the IT Helpdesk for password resets), the cost of a password manager is usually outweighed by the benefits. This is certainly the case with RoboForm's business plan, which is considerably cheaper than most comparable business plans.

The cost of a RoboForm business plan varies according to the number of users and the length of the subscription. There is also a custom pricing schedule for businesses with more than 1,000 users.

RoboForm Business Plan Pricing (per user per year – correct as of August 2022)

Length of Subscription | 1-10 Users | 11-25 Users | 26-100 Users | 101-1000 Users
1 Year                 | $39.95     | $35.95      | $34.95       | $29.95
3 Years                | $33.95     | $30.95      | $29.95       | $25.95
5 Years                | $29.95     | $26.95      | $25.95       | $22.95

RoboForm's other subscription options are only suitable for individual personal use and are extremely limited. For example, the RoboForm free plan does not synchronize passwords across devices, and there is no storage space included in the premium “Everywhere” plan. Unlike most vendors, RoboForm does not offer a Family or a Teams plan.

RoboForm Review: Conclusion

RoboForm is not as technically advanced as some password managers, but at the price, the business plan is worth considering if you are not going to use the password manager to store or share PHI. If you do intend to store or share PHI on a password manager, you are better off speaking with Bitwarden, who will happily enter into a Business Associate Agreement.