Is Typeform HIPAA Compliant?
Typeform is HIPAA compliant on the surface, and could be an option to collect, store, and transmit Protected Health Information via forms, surveys, and quizzes, provided HIPAA covered organizations conduct due diligence to ensure the platform and its capabilities genuinely support HIPAA compliance.
Typeform is a web-based platform that organizations can use to create forms, surveys, and quizzes in order to collect customer data, feedback, and registrations. Depending on which plan an organization subscribes to, data collected by the Typeform platform can be automatically assigned a “lead score”, analyzed by response, or replied to by email.
To support business operations, the Typeform platform integrates with other marketing, analytics, and productivity tools (e.g., Salesforce, Microsoft Teams). Data can also be exported to programs such as Google Sheets, or to storage volumes such as Microsoft OneDrive, in order to avoid exceeding Typeform’s storage limits (which can be exceeded quickly when forms collect attachments and videos).
Two Typeform Plans are HIPAA-Eligible
If Typeform is not used to collect, store, or transmit Protected Health Information (PHI), HIPAA covered organizations can subscribe to any Typeform plan. In this scenario, the questions and possible responses to forms, surveys, and quizzes would have to be structured in such a way that respondents are unable to reveal PHI to Typeform (e.g., only “Yes/No” responses, with no free-text fields).
Restricting responses so that they cannot contain PHI may limit the value of the Typeform platform for HIPAA covered organizations. Therefore, those that want to use the platform to collect, store, or transmit PHI must subscribe to a “HIPAA-eligible” plan (one that provides access to a Business Associate Agreement). There are two plans which Typeform states are HIPAA-eligible – the Core Plan for Enterprise and the Growth Custom Plan.
What do the HIPAA-Eligible Plans Consist Of?
The Core Plan for Enterprise and the Growth Custom Plan are the top-of-the-range plans in each plan category. The primary differences between the two are that Growth Plans support video forms and “data enrichment”, and include a reCAPTCHA capability to prevent spam responses. HIPAA covered organizations are advised to disable the AI capabilities in both plans because – at present – the AI capabilities do not support HIPAA compliance.
Beyond that, the differences between the top-of-the-range plans and plans with fewer capabilities include custom domains, multi-language support, more possible integrations, and downloadable user activity reports. Depending on the granularity of the downloadable user activity reports, it is difficult to understand why Typeform does not make all of its plans HIPAA-eligible, considering its claimed compliance with multiple security standards (see below).
Making Typeform HIPAA Compliant
HIPAA covered organizations that subscribe to a HIPAA-eligible plan may need to make several adjustments to the default configurations in order to make Typeform HIPAA compliant. These can include organizing the hierarchy of accounts so that users and integrations only have access to the minimum necessary PHI, manually scheduling backups (unless all data is exported on receipt), and manually scheduling data export reports.
It will also be necessary to disable access to data by the AI capabilities and by other non-compliant integrations (e.g., Mailchimp, Google Analytics). Thereafter, it is advisable to review the Terms of Use, the Service Terms and Conditions, the Privacy Policy, the Data Processing Agreement, and the CCPA Notice (for organizations in California) before entering into the Business Associate Agreement required to make Typeform HIPAA compliant.
Red Flags about Typeform HIPAA Compliance Claims
There are several red flags that raise concerns about how HIPAA compliant Typeform actually is. The first is that both allegedly HIPAA-eligible plans use ChatGPT as their AI engine. ChatGPT is not HIPAA compliant. In addition, data received in forms, surveys, and quizzes is only backed up every 15 days, and there are no (apparent) security tools available to automate audit reports.
Furthermore, according to Typeform’s Security and Privacy Standards webpage, the company has achieved numerous security certifications. However, all the links to the certifications (including a “HIPAA TYPE 1” certification) lead to the relevant Wikipedia page rather than to the certifications themselves – the exception being a CSA STAR Level 1 certification, which expired in 2022.
Some documents – including the standard Typeform Business Associate Agreement – can be obtained on request by existing Enterprise customers, but mostly under an NDA. In these cases, some form of alternative documentation (e.g., a SOC 3 report or an ISO 27001 surveillance audit report) should be made available so that prospective customers can conduct due diligence.
Therefore, although Typeform claims to be HIPAA compliant, there is a lack of transparency about how HIPAA compliant Typeform actually is. HIPAA covered organizations interested in taking advantage of the platform’s capabilities are advised to request that Typeform’s Sales Team provide up-to-date and meaningful compliance documentation before subscribing to a Typeform HIPAA-eligible plan.