Online Form Design Best Practices

October 2nd, 2018

Most businesses and organizations today use online forms to collect customer information. The same applies to healthcare companies. But, healthcare companies need to abide by stringent regulations concerning PHI or Protected Health Information under HIPAA.

So, it is of the utmost importance for such organizations to follow certain best practices when designing these forms. Let’s take a look at a few of them.


First and foremost, the data entered into the form must be protected while it is transmitted, processed and stored. Encryption is the basic tool for this: it renders the data unreadable to anyone who does not hold the key. For a web form, the first place it applies is the connection between the visitor's browser and your server.

SSL/TLS is the option to consider here. Secure Sockets Layer (SSL) is the original name of the protocol; its current versions are called Transport Layer Security (TLS), and the old SSL versions themselves are obsolete and should be disabled on your server. TLS authenticates your server to the browser and encrypts the connection between them, so a third party on the network can see that traffic is flowing but cannot read or silently alter the submitted data.

Two caveats apply. Serve the page that contains the form over HTTPS as well, not just the submission endpoint: if the form page itself loads over plain HTTP, an attacker on the path can rewrite it to post somewhere else before TLS ever comes into play. And TLS protects data only in transit; once a submission reaches your server it is decrypted, so the processing and storage steps need their own protection.

So, TLS encryption is what secures the submitted data during transmission.

You can make the stored data more secure by adding an authentication layer on top of that: require people to prove who they are before they can view submissions, and grant that access only to those who are authorized to see it. This goes a long way toward preventing unauthorized access.

Protect Yourself from Bots

Bots are automated programs that go poking around the Internet, looking for information, looking for system vulnerabilities, and looking for ways to send spam, among other things. It is extremely common for such bots to automatically fill out and submit online forms, often with garbage or with spam.

There are a number of techniques to detect that a form was filled out by a bot and to block that submission. These include CAPTCHAs and JavaScript-based checks that take advantage of the fact that most bots do not execute JavaScript.

Of course, bots are evolving and some of them don't fall for these tricks; a bot driving a real or headless browser runs JavaScript and keeps cookies just as a person's browser does. But this is still one of the most effective ways to cut down spam and other automated abuse.


SecureForm from LuxSci is one option you can consider. The service works by determining whether or not a real person is using your form, and blocks the submission if it cannot detect one. There is no requirement to enter security codes or images. The system simply verifies that the visitor is using an up-to-date web browser with JavaScript and cookies enabled, which modern browsers support and most web bots do not.

SecureForm also supports archival by allowing forms to be saved to an online document storage location. Beyond that, SecureForm includes many "integrations" which allow you to save or send your form data to the places you need it: databases, secure email, secure FTP sites, Slack, SecureChat, and any online service that supports a standard WebHook API.


The second option is a CAPTCHA: a challenge-response test designed to tell computers and humans apart, classically by asking the user to type the distorted letters shown in an image. CAPTCHAs have proven very effective at keeping spam out. There is now also reCAPTCHA, which serves the same purpose but asks the user to identify specific images instead of typing words.

However, there are trade-offs to consider when using a CAPTCHA or reCAPTCHA. It is an extra step in the form-filling process, and that can be a problem: some of your customers will not put up with another step. In fact, CAPTCHAs are a known cause of form abandonment, even though they raise the bar against bots considerably.

So, do consider the nature of your forms when implementing CAPTCHA/ReCAPTCHA for security purposes. That brings us to the next topic…

Don’t Ask for Too Much Information

Distinguish the information you need from the information you merely could collect. This is something to think about when designing online web forms. Of course, in the healthcare industry the required data can be voluminous, but you should always keep each form down to the essentials. For PHI this also lines up with HIPAA's "minimum necessary" standard for uses and disclosures of protected health information.

This reduces abandonment, makes the form quicker and easier for your users, and leaves you with less sensitive data to secure.

Make it Easier to Fill In Data

Simplify data entry with structured input controls. Some entries are common or standard: when collecting an address, provide select lists for Country and State instead of free text. Similarly, simplify how certain fields are entered; for example, provide a date picker for a birthday or appointment date. Treat these controls as conveniences, not as validation: a submission can be crafted without ever rendering your page, so the server must still check each value against the same allowed set before accepting it.

This can save a lot of time, prevent errors, and help with data consistency.
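As an added example (not code from the original article), here is the server-side counterpart to the select lists and date picker described above: one allowlist drives both the rendered Country `<select>` and the validation of what comes back, and the date check accepts only the `yyyy-mm-dd` form a browser date picker submits while rejecting non-existent dates such as 30 February. The country/state table is a hypothetical subset for illustration.

```javascript
// Added example, not from the original article: validate fields that the form
// presents as select lists and a date picker. The allowlist below is a
// hypothetical subset; a real form would load the full table.
const COUNTRIES = { US: ['CA', 'NY', 'TX'], CA: ['BC', 'ON', 'QC'] };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Render the Country <select> from the same allowlist the validator uses, so
// the two can never drift apart.
function renderCountrySelect(selected) {
  const opts = Object.keys(COUNTRIES).map((c) =>
    `<option value="${escapeHtml(c)}"${c === selected ? ' selected' : ''}>${escapeHtml(c)}</option>`);
  return `<select name="country">${opts.join('')}</select>`;
}

// Accept only ISO yyyy-mm-dd, as emitted by <input type="date">, and only
// dates that actually exist (Date.UTC silently rolls 2019-02-30 into March).
function isValidDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s || '');
  if (!m) return false;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
}

// Validate a submitted address form. hasOwnProperty is used rather than a
// plain lookup so a crafted country like "__proto__" does not match.
function validateAddressForm(fields, today = new Date()) {
  const errors = [];
  const country = fields.country;
  if (!Object.prototype.hasOwnProperty.call(COUNTRIES, country)) {
    errors.push('country: not in allowed list');
  } else if (!COUNTRIES[country].includes(fields.state)) {
    errors.push('state: not valid for ' + country);
  }
  if (!isValidDate(fields.birthdate)) {
    errors.push('birthdate: must be a real date in yyyy-mm-dd form');
  } else if (new Date(fields.birthdate + 'T00:00:00Z') > today) {
    errors.push('birthdate: cannot be in the future');
  }
  return { ok: errors.length === 0, errors };
}

module.exports = { renderCountrySelect, isValidDate, validateAddressForm };
```

The same pattern applies to any field the form constrains in the browser: whatever the select list, date picker or HTML5 input type enforces on the client, re-check on the server from the same source of truth.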

Want to discuss how LuxSci’s Secure Form Solutions can help your organization? Contact Us