Learn how Jotform helps you comply with HIPAA and builds a better, more secure environment to mitigate your risk and help you prove compliance with HIPAA. We did the hard work so you don’t have to, and you can inherit a lot of the work that we’ve done in terms of audits. Our API, platform, and data integration service make HIPAA compliance easier.
In an effort to be transparent, we go into a good amount of detail on this page. As a lead-in, below is a high-level summary of our major architecture, our guiding principles, and how it maximizes our security.
- Encryption — All data is encrypted in transit, end to end, and at rest. Log data is also encrypted to mitigate the risk of ePHI stored in log files.
- Minimum Necessary Access — Access controls always default to no access unless overridden manually.
- System Access Tracking — All-access requests and changes of access, as well as approvals, are tracked and retained.
- PHI Segmentation — all customer data is segmented. Additionally, all platform customers have a dedicated overlay network (subnet) for additional network segmentation.
- Monitoring — All network requests, successful and unsuccessful, are logged, along with all system logs. API PHI requests (GET, POST, PUT, DELETE) log the requestor, location, and data changed/viewed. Additionally, alerts are proactively sent based on suspicious activity. OSSEC is used for IDS and file integrity monitoring.
- Auditing — All log data is encrypted and unified, enabling secure access to full historical network activity records.
- Minimum Risk to Architecture — Secure, encrypted access is the only form of public access enabled to servers. All API access must first pass through Jotform AWS firewalls. To gain full access to Jotform systems, users must log in via 2-factor authentication through VPN, authenticate to the specific system as a regular user, and upgrade privileges on the systems temporarily as needed.
- Vulnerability Scanning — All customer and internal networks are scanned regularly for vulnerabilities.
- Intrusion Detection — All production systems have intrusion detection software running to proactively detect anomalies.
- Backup — All customer data is backed up every 24 hours. Seven (7) days of rolling backups are retained.
- Disaster Recovery — Jotform has an audited and regularly tested disaster recovery plan. This plan also applies to customers, and they inherit this from us.
- Documentation — All documentation (policies and procedures that make up our security and compliance program) is reviewed at least annually.
- Risk Management — We proactively perform risk assessments to assure changes to our infrastructure do not expose new risks to ePHI. Risk mitigation is done before changes are pushed to production.
- Workforce Training — Despite not having access to the ePHI of our customers, all Jotform workforce members undergo HIPAA and security training regularly.
Send Comment:
7 Comments:
295 days ago
I purchased the HIPAA Compliance and imported my four current forms. Do I have to rebuild those forms in ANY way, or am I totally good to go? Will it look different to the patient? Do I have to embed the form into my website again, or is that seamless? Thanks for all of your help.
355 days ago
Are there any HIPAA-compliant API endpoints?
We have moved to a HIPAA form instead of a regular one, and now on any API call we see ["isHIPAA"]=>int(1)
Do you guys have any tutorials or specific endpoints? Maybe we're missing some encryption?
Thanks!
365 days ago
We are utilizing Jotform's HIPAA features with the Gold plan. However, this plan does not include a multi-factor authentication feature, which is a standard requirement for HIPAA compliance. How can you assist us in meeting the HIPAA security requirements?
More than a year ago
Supposed to be completing a valid patient assignment form and medical release for VirtuOx. I was given this link address to do so. Where is the form? And why if I signed form in the office do I have to do this again?
More than a year ago
C'est pour vérifier mon dossier si c'est complet .
Fait-il qu'elle doit sur mon E-mail ?
Merci de me répondre
More than a year ago
Hi, where is the data associated with submitted forms stored? I work in the NHS and all data is required to be stored in the UK
More than a year ago
Are auto Jotform QR Codes safe to use?