Collecting patient information online? If you aren’t using a HIPAA compliant form, you could be at risk of a data breach or HIPAA-related penalties and fines.
Are Google Forms HIPAA compliant? Standard Google Forms are not HIPAA compliant. However, you can make them HIPAA compliant by signing a business associate agreement with Google along with changing security and privacy settings on the account to safeguard protected health information (PHI) and other sensitive data.
What are HIPAA Compliant Forms?
HIPAA compliant forms are user-completed digital documents that contain fields, text, and other inputs taken from patients to complete some sort of data-driven task. For example, you may need to collect health information from a patient during intake, and you’ve decided to collect that information digitally. You can use a digital form on a kiosk or mobile device to do so, but the form must comply with HIPAA Privacy and Security rules.
Briefly, HIPAA regulations define PHI as any data that can be used to identify an individual patient as part of the healthcare process. This data can include medical records, notes from doctors, correspondence between patients and doctors, and patient payment and billing information.
Any primary provider of healthcare services (the “Covered Entity” or CE) or a partner provider (the “Business Associate” or BA) that handles PHI in any capacity is regulated under HIPAA and must abide by the regulation’s reporting, security, and administrative rules.
Any personal data a patient enters into a digital form can be considered PHI. As such, any information entered into that form must remain private and protected from unauthorized access.
Several rules and guidelines govern the necessary steps to secure a form:
- The form must be secured by proper controls as defined by HIPAA's Security Rule. This states that reasonable, proper encryption and security software must be in place to protect any data at rest and in transit. So, your form must secure data on the device where it is entered and while it traverses the many applications within a network.
- The device on which the form was submitted must have adequate technical and physical safeguards, including authorization protection, encryption, and controls over who can access the device.
- If the form is provided by a third-party software vendor, the CE must have a standing Business Associate Agreement (BAA) with the vendor to clarify their responsibilities and liability as well as your own.
Even with these safeguards in place, there isn't a guarantee that the form is compliant if proper procedures for handling data and data-gathering devices aren't also followed. A non-compliant form could jeopardize PHI and put your healthcare organization in non-compliance, with penalties up to $50,000 per incident and potential jail time.
How Can I Ensure That My Current Form Provider Is Compliant?
The short answer is that it can be. Since digital and web HIPAA compliant forms are technical tools used by healthcare providers, they can be designed to be HIPAA compliant like anything else. Likewise, the form provider can also become HIPAA compliant. How that works, however, will depend on the features of the services offered by the provider.
Some ways to ensure your form provider is HIPAA compliant include:
- Guarantee encrypted data storage and transmission: If a patient submits a form, then that data will usually go somewhere like a remote database. All data transmitted like this must be encrypted in transit with technology like SSL or SFTP (or some comparable and compliant technology). If there is a way to enable encryption, either through the provider or through settings, then do it.
- Protect any reporting or analytics: The strength of most platforms is their ability to compile data for reporting and analytics, but this data must also be protected in some way if it involves PHI.
- Vet the emails: Many form providers will also include email notifications for submitted forms. These notifications shouldn't contain any PHI. Nevertheless, make sure that the email is encrypted and stored on encrypted servers through a HIPAA compliant third party.
- Require your forms provider to sign a BAA: If your forms provider is handling PHI on your behalf, then they are acting as a BA and therefore need to sign a BAA.
It is imperative that you perform security and risk assessments on the form provider’s product alongside the BAA. This is the only way to ensure that they have the right controls and safeguards to manage patient data.
Top HIPAA Compliant Form Providers
| Provider | Has a BAA? | Features | Private Cloud Servers |
|---|---|---|---|
| Accellion | Yes | Custom forms, email forms, data logging, reporting, CISO Dashboard, SIEM integrations | Yes |
| Google Forms | Yes | Custom forms, reporting | No |
| Microsoft Forms | Yes | Custom forms, integration with Microsoft Azure and M365 | Available |
| Formstack | Yes | Custom forms, smart lists, electronic signatures | No |
| JotForm | Yes | Custom forms, payment processing, reporting | Available |
Google Forms are known for being fast, intuitive, and easy to deploy. They also plug into the Google Cloud backend, including Google Sheets. This intuitive form building comes at a price, as it can lack some of the features that other dedicated providers have.
Microsoft Forms are powerful, if a bit complex. Like most Microsoft products, it is backed by the power of Microsoft cloud platforms like Azure, which are all HIPAA compliant. However, the forms can be a bit clunky depending on your level of expertise.
Formstack is a dedicated form provider that focuses specifically on that task and not much else. Alongside custom forms, Formstack allows CEs to create smart, context-sensitive lists and electronic signatures for patient forms, which is a big plus. While these are complex and useful, they aren't part of a larger platform and would require additional support for storage or integration.
JotForm is another established form provider that gives users flexible HIPAA compliant forms. It includes several great features like payment processing and customizable forms, but it doesn’t include some features like context-dependent form building and branching choices.
The Accellion Difference in HIPAA Compliant Forms
With Accellion, healthcare providers get much more than a secure form product that ensures HIPAA compliance. CEs utilize the Accellion Kiteworks® content firewall to lock down the exchange of PHI with patients, suppliers, and partners by unifying visibility and security across multiple third-party communication channels, including email, file sharing, mobile, managed file transfer, SFTP and, yes, forms. CEs all over the world rely on Accellion for the following mission-critical capabilities:
- Security: We take security seriously. That includes FIPS 140-2 validated encryption, including AES-256 at rest and TLS 1.2 in motion. Additionally, we integrate with your existing security infrastructure, including ATP, DLP, SIEM, LDAP/AD, SSO, and more to ensure your data stays safe.
- Compliance: We provide the administrative, technical, and physical safeguards necessary for HIPAA compliance. This includes granular policy controls that limit access to folders, encryption key rotation, and DLI integration for emergency access to PHI. PHI is also traced as it moves in, through, and out of your network for reporting and logging that can inform your required risk assessments. We also have a standing BAA you can sign when you work with us.
- Visibility: You can see where all your PHI is stored, where it came from, who has accessed it, and who they've shared it with. Visibility also lets you detect suspicious activity and take action on anomalies, drill down to fine-grained transaction details, and analyze behavior and content.
Make Accellion Your Trusted Form Provider
If you want control over your data in a way that is compliant with HIPAA regulations, Accellion gives you data that is visible, accessible, and secure at all times. Stay compliant with HIPAA regulations but, more importantly, keep your frontline workers connected and your patients' information private.
This is a Security Bloggers Network syndicated blog from Cyber Security on Security Boulevard – Accellion, authored by Vince Lau. Read the original post at: https://www.accellion.com/hipaa-compliance/hipaa-compliant-forms/