Does my patient intake form need to be HIPAA compliant?

August 2nd, 2017


Our latest “Ask Erik” question asks when web-based patient-intake forms need to be HIPAA compliant:

B.G. asks:

“Do we need to be HIPAA compliant if our intake forms have patient name, birthday, and address, but no social security number or other insurance information?”

The short answer is “YES”.

You need to be concerned about HIPAA compliance when you ask for or send identifiable health information. Perhaps not surprisingly, “identifiable” is a really broad concept.

Essentially, health information is identifiable if it is associated with any one or more of the following:

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voice prints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

So: name, address, and birthday are all considered identifiers and thus a patient intake form that includes these along with possible health information would be submitting Protected Health Information (i.e. PHI).  If your organization falls under the auspices of HIPAA, then you need to take steps to properly protect this data.

Some organizations try to solve this problem with a disclaimer indicating that “web forms are insecure” and suggesting that patients submit their information / intake at their own risk. I.e., they are “opting into” insecure delivery of their sensitive information.

A disclaimer for an insecure form is viewed very poorly from a security and compliance point of view. Because it is very inexpensive and easy to make web forms secure and HIPAA-compliant, not doing so while also soliciting use of the insecure pathway looks very bad. If there were to be a breach of this data, your company may have responsibility for it because of this.

The best solution is to secure your intake forms. A very simple and effective way to do that is to order LuxSci’s SecureForm service and then channel your form posts through LuxSci for HIPAA-compliant data storage and delivery to your email, database, FTP site, etc.