
Posts Tagged ‘form’

When Do Online Forms Need to Be HIPAA-Compliant?

Tuesday, August 22nd, 2023

When it comes to digital data collection, there is often a lot of uncertainty surrounding the HIPAA compliance requirements for online forms. We often have customers ask if their website forms need to be HIPAA-compliant.

The short answer is that securing patient data is always recommended. You never know what types of information individuals will volunteer in an online submission. It is always a good idea to prepare for the possibility of sensitive information being entered into an online form to build trust with your users.


Criteria for HIPAA-Compliant Online Forms

Note: the following is suggested advice from LuxSci based on our understanding of HIPAA; however, this should not be taken as legal advice. We advise you to consult your lawyer for accurate legal advice on your particular situation.

HIPAA requires that all Protected Health Information (PHI) be secured to protect the privacy of the individuals identified in the PHI. If your form falls into both of the following categories, it must conform to HIPAA standards:

  1. You are a Covered Entity or Business Associate and,
  2. The form collects PHI.

Let’s look at the two criteria to determine if your forms need to be HIPAA-compliant.

1. Does HIPAA Apply to Your Organization?

HIPAA applies to your web form if your organization is a Covered Entity. It also applies if you are a Business Associate of a Covered Entity and collect data on their behalf.

HIPAA defines a Covered Entity as an organization that falls into one of the following categories:

  1. Care: You provide services or supplies related to an individual’s physical or mental health care. This includes (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other items by a prescription.
  2. Provider: A provider of medical or health services or any other person or organization who furnishes, bills, or is paid for health care.
  3. Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information.
  4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care. The law specifically includes many organizations and government programs as health plans.

Covered Entities contract with Business Associates to process PHI on their behalf. In this scenario, a good example of a Business Associate is a website developer or marketing agency hired to create a website or application for a Covered Entity. They are responsible for protecting PHI on the website and must comply with HIPAA regulations.

2. Does the online form collect PHI?

Suppose HIPAA applies to your organization. Next, we must determine whether a particular web form needs to be compliant. The second criterion is: does the form collect Protected Health Information?

What is ePHI?

ePHI is individually identifiable, protected health information sent or stored electronically. “Protected health information” can include information about an individual’s:

  1. Past, present, or future physical or mental health
  2. Past, present, or future provisioning of healthcare
  3. Past, present, or future payment-related information for the provisioning of healthcare

“Individually identifiable” information includes all information used to determine which specific individual is involved. There are 18 identifiers for an individual (listed below), and together with health information, they constitute PHI.

  • Name
  • Address (all geographic subdivisions smaller than the state, including street address, city, county, and zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

As you can see, a lot of data qualifies as “health information,” and just about every type of web form will collect individual identifiers. Even if your form doesn’t request health information, sometimes people will volunteer it to get faster responses. Covered entities are responsible for securing this data in compliance with HIPAA regulations. In many cases, it’s easier to make all online forms HIPAA-compliant rather than trying to lock them down to prevent the insecure transmission of health data.

Examples of HIPAA-Compliant Online Forms

Some online forms are explicitly designed to collect protected health information. Here are some examples of web forms that generally must be secured to meet HIPAA compliance standards:

  1. Appointment and Referral Requests: These will collect identifiable information about the person requesting the appointment. The request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, requesting an appointment may imply information about “an individual’s past, present, or future physical or mental health or condition.”
  2. Patient Intake Forms: These forms usually enable prospective patients to provide information about themselves for one purpose or another. These forms collect identifiable information about “an individual’s past, present, or future physical or mental health or condition.”

Some examples of forms that might not be considered to collect PHI (depending on the exact context of the site) because, while they are individually identifiable, they may not include or imply health information about that individual:

  1. Contact Requests: The website visitor is merely asking for a call or email with no specified reason.
  2. Purchases of products that do not require a prescription: Purchasing a product does not imply who is to use it unless that product is restricted (e.g., via a prescription). Of course, this may also depend on whether you collect health information as part of the purchase for future marketing purposes.

Anything that identifies the person and relates to that person’s health or healthcare should be considered PHI and protected. It’s also important to note that as technology has advanced and online tracking has become ubiquitous, it’s possible to infer more about an individual and their health conditions indirectly. It is essential to proceed cautiously and recognize that even the smallest information you collect about a website user is part of a more extensive online profile.

Other industries can get away with not being secure. But why would you? People are afraid and paranoid about identity theft and information leakage on all sites, not just ones related to medical information. Anything a website can do to make visitors more comfortable and secure will improve trust and conversions.

What About Consent for Insecure Transmission?

As a follow-up question, we are often asked if there can be a checkbox on the form that patients can click to consent to use an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form.

This practice is highly advised against and is almost certainly not HIPAA-compliant. If you have a compelling reason to use this method, consult a lawyer to confirm that it is acceptable.

To understand why this is a bad idea, consider “Mutual Consent.”

Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:

  1. You and the patient agree that insecure transmission is okay,
  2. The patient has been appropriately advised of the security risks involved,
  3. The patient agrees in writing that insecure transmission is okay, and
  4. The option for HIPAA-compliant transmission is available by implication.

However, this overcomplicates the process. It is much simpler to have secure web forms by default. You will not need to provide waivers, keep track of who has opted in or out, or maintain two different submission options.

The only case where this could be considered possibly under the HIPAA radar (again, please consult your lawyer) is if:

  1. Your insecure form has a clear section advising the users of the risks of submitting their data via this form.
  2. That warning is understandable to most laypeople without further explanation.
  3. They must check a box (or sign their name) to consent to the insecure form transmission.
  4. You may need to show that they understood and agreed to the risks and didn’t just click without reading.
  5. When you collect the form data, you save and archive all of these consent agreements in case of a breach, and you need to prove that insecure sending was allowed and the user was well informed of the risks.
  6. You have another option available to the user if they do not accept the risks, e.g., submitting the form securely, calling you via a phone number, printing and mailing in a physical form, etc.

You burden the end-user significantly by adding warnings and consent to online forms. No one wants to read through disclaimers and checkboxes before completing a submission on a general website form. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warnings, just simple, secure submission.

Conclusion: Set Up HIPAA-Compliant Online Forms Today

LuxSci’s Secure Form solution is designed to meet HIPAA compliance requirements for online data transmission and storage. Contact our sales team today to learn more about our options for secure online engagement.

7 Essential Steps to Creating a HIPAA Website

Tuesday, August 8th, 2023

The recent focus on tracking pixels and analytics codes by enforcement agencies has many healthcare organizations reassessing their website security and compliance. As technology has evolved over the past thirty years, HIPAA rules have adapted to secure sensitive data. In this article, we review the requirements for HIPAA websites and what you need to do to ensure your website is compliant and secure.



Streamline Operations by Transitioning to Digital Forms

Tuesday, May 31st, 2022

Most healthcare organizations are pursuing digital transformation, but many providers are still reliant on paper forms that need to be printed out, scanned, filed, and securely stored. Shifting to a digital system can streamline operational processes and save time, money, and effort.


Why Transition to Digital Forms

There are several reasons to switch to online forms. These include:

  • Having a single, verified source of patient information
  • Making workplace operations more efficient
  • Streamlining tasks such as appointment booking and generating referrals
  • Minimizing spam and other issues that come from using email
  • Enhancing data management processes
  • Cutting back on paper usage and reducing physical secure storage space

Paper forms are easily stolen, destroyed, misplaced, or damaged. A secured digital system saves time and strengthens the organization’s data security posture.

Improve the Patient Check-In Process

Almost every time a patient visits a doctor’s office, they must fill out paper forms. The time the patient spends filling out these forms could be better spent interacting with their health care provider. In addition, the front office staff must organize, file, and store these never-ending documents. Sometimes these forms are scanned and digitally filed.

Why not cut out the extra step and require patients to submit these forms digitally? Before the patient’s appointment, they could fill out and submit these forms in the patient portal. Providers could also use iPads or tablets to have patients digitally submit forms in the office.

This improves efficiency and data management processes while enabling staff to focus on what matters most: providing excellent medical care.

Integrate Digital Forms with Electronic Records

Another benefit of digitizing paper forms is that it is easier to integrate with existing electronic records systems. Using a digital form solution that connects to systems via APIs (like LuxSci’s Secure Form) allows organizations to upload their form data to a secure database. In addition, look for digital form solutions that can be configured to send or save form data wherever the organization designates. Flexibility helps preserve existing workflows and meet documentation requirements.

For example, an organization may utilize multiple online forms that require different storage workflows. Contact forms may be sent to an email inbox for follow-up by office staff, while patient forms should be sent to a secure database or added directly to a patient’s file. Using a flexible digital form streamlines processes for office staff.

LuxSci’s Secure Form lets organizations send data to email addresses, databases, file storage, SFTP, or any webhook-enabled place like Slack. No special software or web hosting changes are required to use it. The Secure Form service turns complex data collection into a simple process.

Ink Signatures

If the paper forms are legal documents, like medical information releases, they should have signature capabilities. Ink signatures enable form users to submit handwritten signatures with a web form. Ink signatures are more legally binding because they prove the user’s identity and intention.

Accordingly, LuxSci’s Secure Form has ink signature capabilities that do not require additional software to install. They are easy for users as well. All they have to do is draw their signatures in the box with their mouse, a stylus, or finger.

The signature is saved as an image file that can be easily stored and secured. See Web Form Signatures: Fast, Easy Method of Informed Consent for more information on ink signatures.

Conclusion

There is no reason to continue using paper forms in today’s digitally enabled world. Transitioning to digital forms improves operational efficiency and data management practices. Interested in getting started? LuxSci’s Secure Form offers the security and flexibility to manage patient-submitted data.

Is a “Click Here to Agree” User Agreement Checkbox Legally Binding?

Tuesday, November 16th, 2021

A website order form or registration form comes complete with terms and conditions. What is the best way to have the user see and agree with these terms? Ultimately, the user’s agreement needs to be legally binding to protect the business if there is an issue. Is it good enough to have the user check an agreement checkbox? Do you have to do more? Do you have to be sure that the user reads the terms?


These questions come up all the time and are a cause for concern. Just because other websites do it “one way” does not necessarily make that way right or best for you. This article will tackle how the different choices you make in getting user agreements translate (or don’t translate) into binding contractual relationships.*

* This material is legal in nature and taken from discussions with our own legal counsel and from the American Bar Association. However, we are not lawyers, and this should not be considered “legal advice.” Please consult your own lawyers to confirm how your choices apply to your particular situation and needs.

1. The “BrowseWrap Agreement”: Don’t do this!

Some websites include a textual statement similar to: “Using this site signifies your acceptance of our terms and conditions” or “By submitting this form, you accept our terms of use.” A link to the terms is usually (but not always) located near this statement. The website user does not have to do anything to signify reading and accepting the terms. In most cases, the user may not even be aware of this statement and may not know about the terms thrust upon them through the use of the site.

This kind of “just by using it, you agree” format is known as a “browsewrap agreement.” Courts have held that these user agreements are not usually* binding on users and have little value in protecting the website and its owners. Do not use a browsewrap agreement if you want any meaningful contract with your site user.

* An exception seems to be the case where a user behaves in a way that implies they are aware of the terms and are trying to get around them.

2. The “ClickWrap Agreement”: User Agreement Checkbox

Users commonly encounter checkboxes that must be checked to signify acceptance of the terms, the agreement, etc. The agreement is presented on the page (e.g., in a scrolling box), or a link to it is placed right near the checkbox. The user is not permitted to continue until that box has been checked, indicating that the user agrees.

This is called a “clickwrap agreement.” The agreement is wrapped up in the deliberate action of clicking to signify acceptance of the terms or contract.

Courts generally uphold clickwrap agreements as legally binding. They can be used for order forms, contracts, and other agreements.

What makes a User Agreement Checkbox binding?

The most significant thing that makes a clickwrap agreement binding is that the user must intentionally agree (i.e., by checking the agreement box and any other actions, like submitting an order). It does not matter if the user has read or understands the terms as long as the user agrees. Why? The user can read the agreement, ask questions, gain clarification, and NOT agree if they do not understand or do not agree. By actually agreeing, the user is waiving the “I didn’t read it” or “I don’t understand it” complaints.

Clickwrap requirements:

  1. The terms must be on the page near the user agreement checkbox so the user can read them. Or, there must be a clear link to the terms near the checkbox.
  2. The user must not be able to proceed with any actions (e.g., ordering, registering) until the agreement checkbox is checked.

Several things strengthen the degree to which a clickwrap agreement is binding:

  1. If a link to the terms is used, it should be prominent and clear. The text near the box should clearly state that the user agrees to the terms.
  2. Make sure the terms are obvious and readable, i.e., use a large type size, clear text, etc.
  3. Including the terms in a [scrolling] area above the agreement checkbox is better than a link.
  4. Ensure your site records and saves the fact that the agreement checkbox was checked (or not)! Include all contextual information such as the date, time, internet IP address, etc.
  5. Make sure that your terms agreement is a valid and standard legal document. Have your lawyer review it.

PDF DocuSign: Next-Level User Agreement Checkbox

So far, we have been discussing “checking a checkbox” to agree. If you have used DocuSign or similar technologies, the process is more elaborate:

  1. Enter your name (and initials) and “assume a signature.” This is just your name rendered in some interesting font.
  2. Click on specific boxes to “Sign” your agreement as you read the PDF. This pastes in your assumed signature.

This has all of the hallmarks of a very good clickwrap:

  1. The user signs within the document — so there is no doubt that it was read or viewed.
  2. The signer intentionally clicks to agree to each signature area.
  3. You are not “done” until you have signed all areas (i.e., you cannot proceed until you have explicitly agreed).

DocuSign is essentially “clickwrap” made easily and correctly for a PDF. However, it does not add binding power beyond what you can get with regular clickwrap.

Beyond Clickwrap: Ink Signatures

What can improve on clickwrap? Two things:

  1. Intention: Making the user do more to confirm than check a box. This shows more intention.
  2. Identity: Find ways to more strongly associate the act of signing with who is performing that act. There is less and less of an argument that “it wasn’t me.”

One way to go beyond clickwrap is to use LuxSci’s “Ink Signatures” and Secure Form service for collecting your web form data. Ink Signatures add a box (or multiple boxes) to your web form where users can sign their name with a mouse, stylus, or finger.

How can using Secure Form + Ink Signatures make document agreements more binding?

  1. The user does more work than checking a box by signing their name. This shows more intention and can make the contract more binding.
  2. The signature can be a required field so that the user cannot proceed without signing.
  3. Identity verification can be done through the signature images as the user signs their name.
  4. Secure Form automatically records the date and time the form was submitted and the internet IP address of the user who signed the form.
  5. Secure Form’s GeoLocation feature records the latitude, longitude, and approximate physical address of the user who signed the form when they signed it.

Item 1 speaks to intention. Items 3 through 5 improve the binding of identity to the agreement. This takes clickwrap to the next level and improves the legal enforceability of your terms and conditions.

What type of user agreement process is best for your forms? That depends on the terms and the degree to which enforceably binding agreements with your end-users are needed. Consult with a lawyer if you are unsure.

Does my patient intake form need to be HIPAA compliant?

Wednesday, August 2nd, 2017


Our latest “Ask Erik” question asks when web-based patient-intake forms need to be HIPAA compliant:

B.G. asks:

“Do we need to be HIPAA compliant if our intake forms have patient name, birthday, and address, but no social security number or other insurance information?”

The short answer is “YES”.

You need to be concerned about HIPAA compliance whenever you ask for or send identifiable health information. It is perhaps not surprising, but “identifiable” is a really broad concept.
