web form Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘web form’

HIPAA-compliant Save and Resume for your Web forms

Wednesday, May 3rd, 2017

If you have a long or complex web form, users may wish to fill out only part of it and then save their work so that they can come back later and finish the form.  This is “Save and Resume” functionality.  While some form systems support Save and Resume, few provide HIPAA-compliant Save and Resume.

Form Save and Resume

What does HIPAA-compliant Save and Resume require?

For HIPAA-compliant Save and Resume, at a high level you need:

  1. The form data to be saved must be securely transmitted from the user’s browser to a server
  2. That data should be encrypted while stored
  3. That data must be securely transmitted back from the server when the user wants to resume editing the form
  4. Usually, the end user gets a link that can be used to resume editing the form where s/he left off.  This link needs to be password protected or otherwise include authentication so that access to the sensitive form data is restricted.  HIPAA requires access control.
  5. Audit trail logs of saving and resuming form data should be kept.
  6. You need a HIPAA Business Associate Agreement with the service provider hosting the database where the form data is being saved.

The majority of Save and Resume functions provided by form service providers either (a) do not encrypt the data, (b) do not provide authentication for resuming the form, (c) do not keep any kind of logs, or (d) do not provide a HIPAA Business Associate Agreement for the data hosting servers.


Are you encouraging insecurity via your Web site contact and intake forms?

Friday, April 15th, 2016

Many Web sites have “contact us” pages and other Web forms for receiving requests from existing or potential customers.  This includes “new patient intake” forms on the Web sites of healthcare providers.


The garden variety Web form suffers from several serious problems:

  • Spam – Getting unwanted form submissions from Web robots.
  • Privacy – Often, sensitive data is submitted insecurely through these forms.
  • Archival – You may need an archived record and backup of all submissions.
  • Notices – You may need to be alerted of form submissions, even if you are not online.

Proactive privacy vs. neglect of privacy

When your Web forms transmit data insecurely, store or send data insecurely, or otherwise do not treat the submitted data with the level of protection it deserves, you are putting the users of your forms at risk.

The typical argument is that “it is up to the user of the forms to decide if they want to submit sensitive information.” In fact, many insecure forms even have disclaimers requesting people to not submit sensitive information if they have concerns … and then the forms go on to ask lots of sensitive questions.  Especially without a disclaimer, but even with one, the form is actively soliciting people to submit their information insecurely and requesting them to take risks with their private data.  This is not good.

In areas such as healthcare, where these forms are often collecting sensitive health data (protected health information – PHI), the fact that an organization solicits the submission of PHI through insecure, non-HIPAA-compliant means is far from a “best practice”.  Why?


Adding HIPAA-Compliance to your Web Forms in 10 minutes

Tuesday, April 21st, 2015

Forms are pervasive on web sites; the number of forms associated with medical web sites is growing exponentially as everyone is scrambling towards the goal of a paperless office, seeking to optimize time spent processing applications and managing patient data, speeding up the process of making appointments and getting referrals, meeting meaningful use, etc.

However, web forms used in the medical industry generally have to be HIPAA-compliant, as they almost always involve the input and transfer of ePHI in one way or another.  That presents a problem, as the requirements for a HIPAA-compliant web site are complex, take knowledgeable and experienced developers to implement, and take extra time and money to get right — and you really have to get things right where HIPAA is concerned.

So, this is where most people are:

  1. They have a web site, which itself is likely not HIPAA compliant yet
  2. They have some web forms already … or maybe have some forms that they want to put up
  3. These forms will collect ePHI
  4. They need to set this up and have it be HIPAA compliant and don’t want to spend a lot of money or time getting it going.

What they need is “HIPAA Form Processing”.


Wish your Web Site Form submissions could turn into PDFs?

Thursday, April 2nd, 2015

Would you like this work flow?

  1. People fill out forms on your web site
  2. They press “Submit”
  3. You get those submissions as PDFs that look just like you need them to

It is simple; we find many organizations are looking for this because either:

  • Their people are used to processing documents that look a specific way — and if their web site submissions could look like the forms people are used to … then processing accuracy is improved and change is minimized
  • PDFs are a standard way of saving and archiving documents
  • Maybe you also want to collect a signature on your web form and have the PDF signed

Most web form processing solutions do not have the capacity to produce flattened, custom PDFs from your web form submissions; almost none can also do it securely, in a HIPAA-compliant manner.


7 Steps to Make your Web Site HIPAA-Secure

Friday, February 13th, 2015

Doctors and medical professionals are feeling increasing pressure to get their business online (e.g. the use of electronic prescriptions, web appointments, and remote medicine is both trendy and critical for building and sustaining revenue streams in the tightening medical market).  This push includes making protected health information available to patients via a web site and collecting similar private information from patients or would-be patients.

However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document.  And with the Omnibus rule in place, all web sites, old and new, must be properly designed or their owners face potential financial liability into the millions of dollars.

So, what do these requirements mean and how can HIPAA be followed in the context of a website?

