web form Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘web form’

HIPAA-compliant Save and Resume for your Web forms

Wednesday, May 3rd, 2017

If you have a long or complex web form, users may wish to fill out only part of it and then save their work so that they can come back later and finish the form.  This is “Save and Resume” functionality.  While some form systems support Save and Resume, few provide HIPAA-compliant Save and Resume.

Form Save and Resume

What does HIPAA-compliant Save and Resume require?

For HIPAA-compliant Save and Resume, at a high level you need:

  1. The form data to be saved must be securely transmitted from the user’s browser to a server
  2. That data should be encrypted while stored
  3. That data must be securely transmitted back from the server when the user wants to resume editing the form
  4. Usually, the end user gets a link that can be used to resume editing the form where s/he left off.  This link needs to be password protected or otherwise include authentication so that access to the sensitive form data is restricted.  HIPAA requires access control.
  5. Audit trail logs of saving and resuming form data should be kept.
  6. You need a HIPAA Business Associate Agreement with the service provider hosting the database where the form data is being saved.

The majority of Save and Resume functions provided by form service providers either (a) do not encrypt the data, (b) do not provide authentication for resuming the form, (c) do not keep any kind of logs, or (d) do not provide a HIPAA Business Associate Agreement for the data hosting servers.


Are you encouraging insecurity via your Web site contact and intake forms?

Friday, April 15th, 2016

Many Web sites have “contact us” pages and other Web forms for receiving requests from existing or potential customers.  This includes “new patient intake” forms on the Web sites of healthcare providers.


The garden variety Web form suffers from several serious problems:

  • Spam – Getting unwanted form submissions from Web robots.
  • Privacy – Often, sensitive data is submitted insecurely through these forms.
  • Archival – You may need an archived record and backup of all submissions.
  • Notices – You may need to be alerted of form submissions, even if you are not online.

Proactive privacy vs. neglect of privacy

When your Web forms transmit data insecurely, store or send data insecurely, or otherwise do not treat the submitted data with the level of protection that it deserves, you are putting the users of your forms at risk.

The typical argument is that “it is up to the user of the forms to decide if they want to submit sensitive information.” In fact, many insecure forms even have disclaimers requesting people to not submit sensitive information if they have concerns … and then the forms go on to ask lots of sensitive questions.   Especially without a disclaimer, but even with one, the form is actively soliciting people to submit their information insecurely and requesting them to take risks with their private data.   This is not good.

In areas such as healthcare, where these forms are often collecting sensitive health data (protected health information – PHI), the fact that an organization solicits the submission of PHI through insecure, non-HIPAA-compliant means is far from a “best practice”.  Why?


Adding HIPAA-Compliance to your Web Forms in 10 minutes

Tuesday, April 21st, 2015

Forms are pervasive on web sites; the number of forms associated with medical web sites is growing exponentially as everyone is scrambling towards the goal of a paperless office, seeking to optimize time spent processing applications and managing patient data, speeding up the process of making appointments and getting referrals, meeting meaningful use, etc.

Web forms used in the medical industry generally have to be HIPAA-compliant, however, as they almost always involve the input and transfer of ePHI in one way or another.  That presents a problem as the requirements for a HIPAA-compliant web site are complex and take knowledgeable and experienced developers to implement and take extra time and money to get right — and you really have to get things right where HIPAA is concerned.

So, this is where most people are:

  1. They have a web site, which itself is likely not HIPAA compliant yet
  2. They have some web forms already … or maybe have some forms that they want to put up
  3. These forms will collect ePHI
  4. They need to set this up and have it be HIPAA compliant and don’t want to spend a lot of money or time getting it going.

What they need is “HIPAA Form Processing”.


Wish your Web Site Form submissions could turn into PDFs?

Thursday, April 2nd, 2015

Would you like this work flow?

  1. People fill out forms on your web site
  2. They press “Submit”
  3. You get those submissions as PDFs that look just like you need them to

It is simple; we find many organizations are looking for this because either:

  • Their people are used to processing documents that look a specific way — and if their web site submissions could look like the forms people are used to … then processing accuracy is improved and change is minimized
  • PDFs are a standard way of saving and archiving documents
  • Maybe you also want to collect a signature on your web form and have the PDF signed

Most web form processing solutions do not have the capacity to produce flattened, custom PDFs from your web form submissions; almost none can also do it securely, in a HIPAA-compliant manner.


7 Steps to Make your Web Site HIPAA-Secure

Friday, February 13th, 2015

Doctors and medical professionals are feeling increasing pressure to get their business online (e.g. use of electronic prescriptions, web appointments, and remote medicine are all trendy and critical for building and sustaining revenue streams in the tightening medical market).  This push includes making protected health information available to patients via a web site and collecting similar private information from patients or would-be patients.

However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document.  And with the Omnibus rule in place, all web sites, old and new, must be properly designed or their owners face potential financial liability into the millions of dollars.

So, what do these requirements mean and how can HIPAA be followed in the context of a website?


Does my online form have to be HIPAA Compliant if it doesn’t ask for medical information?

Monday, September 29th, 2014

For folks in the medical field, there is often a lot of uncertainty regarding which kinds of web forms need HIPAA compliance and which ones do not.  We often have customers asking if this or that form really needs to be secure or not.

The short answer is that you should probably just make ALL of your forms secure, just as it is best to make all pages of your web site secure, no matter what is on the page.  This instills more trust in your web visitors and as a result brings in more business.  It doesn’t take much work to secure your forms, so you might as well just do it for all of them in a clear and consistent way.  Your users’ data will be protected, and they will know that you are looking to make the best choices for them, even in cases where it might not strictly be necessary.  This is a good thing.

Back to the original question…

If you are a medical office, do some forms not need to be secure and HIPAA compliant, depending on what is collected?

Note: the following is suggested advice from LuxSci based on our understanding of HIPAA; however, this should not be taken as legal advice.  We advise you to consult your lawyer for accurate legal advice pertaining to your particular situation.

HIPAA requires that all electronic Protected Health Information (ePHI) be secured to protect the privacy of the individuals identified in the ePHI.  So, as long as either (a) HIPAA does not apply to you, or (b) your form does not collect ePHI, then you do not have to secure the web form.

Let’s look at each of the two criteria so that you can tell if either one may apply to you or your form.


Private Labeling SecureForm

Monday, February 10th, 2014

LuxSci’s SecureForm service enables you to quickly make your web site or PDF forms secure and HIPAA compliant. Receive the form data, including uploaded files, via secure email or download the data securely from LuxSci’s web interface.  It also supports insecure form posts and delivery, making the usual form-to-email process easy to set up and protected from form Spam.

Typically, when using SecureForm, your web or PDF form will post to a secure web site address (URL) that is provided by LuxSci in the LuxSci.com domain name.  I.e. something like “https://secureform.luxsci.com/…”.  Once the form data is processed, the end user is redirected to a success or failure web page on your site (for web forms), or is shown a success or failure PDF that you provide (for PDF forms).  I.e. under most conditions, the end user will never see the domain name to which the form is posted.

For resellers or businesses who wish to use their own web site address in their forms so as to brand the secure form posts and hide the fact that LuxSci is the back end, perhaps something like “https://forms.yourdomain.com/…”, LuxSci has an easy solution: Private Labeling.


Web Form Spam – Block Spam without a Captcha Code

Tuesday, February 4th, 2014

Many contact us forms and comment forms are plagued by “web form spam”.   Automated programs crawl the Internet looking for web forms.  When found, they start submitting spam advertisements through the forms in the hopes that some of the recipients of these form submissions will see the ads and act on them.  Almost nobody does … but the spam still comes and gets worse and worse over time.


Case Study: LuxSci SecureForm and Ink Signatures Eliminate Downloading, Printing, Signing, and Faxing of Contracts

Friday, January 31st, 2014

For legal reasons, LuxSci’s HIPAA customers are required to physically sign a “Business Associate Agreement” and return it to us.  While this is a simple and commonplace request, it creates a lot of busy work on the part of the customer and LuxSci!

The customer might have to

  1. Download the file
  2. Print out the 19 pages
  3. Sign the agreement
  4. Fax back all pages, or scan it and return electronically

Then, LuxSci might have to

  1. Locate the document
  2. Sort out faxes that are in the wrong order, upside down, blank, or missing pages
  3. Figure out who sent the document
  4. Verify that pages are not missing or changed
  5. Counter-sign the document and attach it to the customer account
  6. Contact customers who have not sent in their documents properly or at all, which is crucial to the HIPAA certification process

Multiplied by lots of customers, this creates a lot of unproductive busy work for everyone — and this time costs money.

To simplify this process, LuxSci uses its own SecureForm and Ink Signatures technologies to make submission of signed contracts a snap for customers, as well as to eliminate most of the busy work LuxSci itself has to do to manage the process.

In this post, we describe how both technologies work.


Web Form Signatures: Fast, Easy Method of Informed Consent

Friday, August 23rd, 2013

A dentist looking for a consult on x-rays needs explicit consent from the patient to transfer the x-rays and related information [securely] to the other doctor, at least in many states.

There are many similar cases where “written” consent is needed to transfer private information, transfer responsibility, request actions, etc.  Simply sending information over email or through a web form does not easily include a mechanism for transferring consent — e.g. written authorization signatures.

Fortunately, there is a simple, cost effective, and secure solution — use of web-based forms which include written signature field(s).
