If you have a long or complex web form, users may wish to fill out only part of it and then save their work so that they can come back later and finish the form. This is “Save and Resume” functionality. While some form systems support Save and Resume, few provide HIPAA-compliant Save and Resume.
What does HIPAA-compliant Save and Resume require?
For HIPAA-compliant Save and Resume, at a high level you need:
- The form data to be saved must be securely transmitted from the user’s browser to a server
- That data should be encrypted while stored
- That data must be securely transmitted back from the server when the user wants to resume editing the form
- Usually, the end user gets a link that can be used to resume editing the form where s/he left off. This link needs to be password protected or otherwise include authentication so that access to the sensitive form data is restricted. HIPAA requires access control.
- Audit trail logs of saving and resuming form data should be kept.
- You need a HIPAA Business Associate Agreement with the service provider hosting the database where the form data is being saved.
The majority of Save and Resume functions provided by form service providers either (a) do not encrypt the data, (b) do not provide authentication for resuming the form, (c) do not keep any kind of logs, or (d) do not provide a HIPAA Business Associate Agreement for the data hosting servers.