web form Archives - LuxSci

Posts Tagged ‘web form’

7 Steps to Make your Web Site HIPAA-Compliant

Tuesday, March 2nd, 2021

Telehealth is the new normal thanks to the Covid-19 pandemic. Many medical providers are finding that not only is telehealth a safer option during the pandemic, it can also help increase patient access to healthcare and improve outcomes. Along with video appointments, the virtual medicine push includes making protected health information available to patients via a web site and collecting similar private information from patients or would-be patients online.

However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) sets the compliance requirements. The Omnibus rule requires all web sites, old and new, to be properly designed, or their owners can face potential financial liability into the millions of dollars.

So, what do these requirements mean and how can HIPAA be followed in the context of a website?


Are you encouraging insecurity via your web site forms?

Friday, April 15th, 2016

Many web sites have “contact us” pages and include web forms for receiving requests from existing or potential customers. This includes “new patient intake” forms on the web sites of healthcare providers. However, if you aren’t using a secure form solution, your web forms may suffer from several serious problems:

  • Spam – Getting unwanted form submissions from bots.
  • Privacy – Often, sensitive data is submitted insecurely through these forms.
  • Archival – You may need an archived record and backup of all submissions.
  • Notices – You may need to be alerted of form submissions, even if you are not online.

Proactive privacy vs. neglect of privacy

When your web forms transmit data insecurely, store or send data insecurely, or otherwise do not treat the submitted data with the level of protection that it deserves, you are putting the users of your forms at risk.

The typical argument is that “it is up to the user of the forms to decide if they want to submit sensitive information.” In fact, many insecure forms even have disclaimers requesting people to not submit sensitive information if they have concerns … and then the forms go on to ask lots of sensitive questions. Especially without a disclaimer, but even with one, the form is actively soliciting people to submit their information insecurely and requesting them to take risks with their private data. This is not good.

In areas such as healthcare, where these forms are often collecting sensitive health data (protected health information – PHI), the fact that an organization solicits the submission of PHI through insecure, non-HIPAA-compliant means is far from a “best practice.” Why does this happen?

  1. Securing forms is trivial and inexpensive. Since the bar to collecting data in a compliant way is so low, it could be considered neglectful to not bother with security and privacy and to continue soliciting data insecurely.
  2. People can insecurely send you their own, personal PHI any time … when it is done of their own accord. However, when you provide them with a recommended communication channel, and when that channel is not secure, you need to get informed consent from them before you accept the data through that channel. Informed consent means:
    1. Training them in the risks involved.
    2. Getting their explicit sign off indicating their acceptance of these risks.
    3. Capturing and saving those signed consent forms.

Getting signed consent must be properly done, and it imposes a barrier in front of your forms. There is really no reason to go through all of the work to set up informed consent when it is much simpler to just secure the forms themselves.

You can block form spam, ensure content security and privacy, archive form submissions, and even get text message notices of new submissions to your phone using LuxSci SecureForm. And it takes only a couple of minutes to integrate a secure form into any existing web site at any web hosting provider.

How does SecureForm Integrate with a Web Site Form?

SecureForm is very easy to set up and integrate. You configure your SecureForm account with what you want to happen to your form data. Then you change one line of your web form (where the form posts go) and copy and paste a line of JavaScript into that page. Setup takes about 5 minutes.

How Does SecureForm deal with Spam, Encryption, Archival, and Notices?

SecureForm blocks web robot spam by determining if a real person is connecting to your form and blocking submissions from anything that is not. Your users do not have to enter any security codes or image (Captcha) codes — the system simply checks that they are using a modern web browser with cookies enabled and JavaScript working. Most web bots do not support one or both of these standard technologies; all modern browsers do.

SecureForm enables privacy and security by allowing you to ensure that the form data is encrypted from the end user all the way to your email inbox. It enables automatic use of secure email delivery, secure FTP uploads, secure online document storage, and more. You can use any or all of these data capture methods.

SecureForm enables archival by allowing you to save copies of all form posts in an online document storage area, by uploading copies to your own FTP site, and/or by saving copies in a database that you can access as needed.

SecureForm enables notices by allowing you to have text messages sent to up to 5 different mobile devices when each form post is submitted. This is in addition to the form data being emailed to where it needs to go. You and your staff can be informed in real time of new posts, no matter where you are.

LuxSci SecureForm is the Swiss Army knife of web and PDF form processing tools, integrating quickly with any existing web site and providing form security even if your web site is not already secured with TLS.

Adding HIPAA Compliance to your Web Forms in 10 minutes

Tuesday, April 21st, 2015

Forms are pervasive on web sites; the number of forms associated with medical web sites is growing exponentially as everyone is scrambling towards the goal of a paperless office, seeking to optimize time spent processing applications and managing patient data, speeding up the process of making appointments and getting referrals, meeting meaningful use, etc.

Web forms used in the medical industry generally have to be HIPAA-compliant, however, as they almost always involve the input and transfer of ePHI in one way or another. That presents a problem, as the requirements for a HIPAA-compliant web site are complex, take knowledgeable and experienced developers to implement, and take extra time and money to get right — and you really have to get things right where HIPAA is concerned.

So, this is where most people are:

  1. They have a web site, which itself is likely not HIPAA compliant yet
  2. They have some web forms already … or maybe have some forms that they want to put up
  3. These forms will collect ePHI
  4. They need to set this up and have it be HIPAA compliant and don’t want to spend a lot of money or time getting it going.

What they need is “HIPAA Form Processing.”


Wish your Web Site Form submissions could turn into PDFs?

Thursday, April 2nd, 2015

Would you like this work flow?

  1. People fill out forms on your web site
  2. They press “Submit”
  3. You get those submissions as PDFs that look just like you need them to

It is simple; we find many organizations are looking for this because either:

  • Their people are used to processing documents that look a specific way — and if their web site submissions could look like the forms people are used to … then processing accuracy is improved and change is minimized
  • PDFs are a standard way of saving and archiving documents
  • Maybe you also want to collect a signature on your web form and have the PDF signed

Most web form processing solutions do not have the capacity to produce flattened, custom PDFs from your web form submissions; almost none can also do it securely, in a HIPAA-compliant manner.


Do my online forms need to be HIPAA Compliant if they don’t ask for medical information?

Monday, September 29th, 2014

For folks in the medical field, there is often a lot of uncertainty regarding which kinds of web forms need HIPAA compliance and which ones do not. We often have customers ask if their online forms need to be HIPAA compliant.

The short answer is that you should probably just make ALL of your forms secure, just as it is best to make all pages of your web site secure, no matter what is on the page. This instills more trust in your web visitors and results in more business. It doesn’t take much work to secure your forms, so you might as well just do it for all of them in a clear and consistent way. Your users’ data will be protected, and they will know that you are looking to make the best choices for them, even in cases where it might not strictly be necessary. This is a good thing.

Back to the original question….

If you are a medical office, do your online forms need to be HIPAA Compliant, depending on what is collected?

Note: the following is suggested advice from LuxSci based on our understanding of HIPAA; however, this should not be taken as legal advice. We advise you to consult your lawyer for accurate legal advice pertaining to your particular situation.

HIPAA requires that all electronic Protected Health Information (ePHI) be secured to protect the privacy of the individuals identified in the ePHI. So, as long as either (a) HIPAA does not apply to you, or (b) your form does not collect ePHI, then you do not have to secure the web form. Let’s look at each of the two criteria so that you can tell if either one may apply to you or your form.

1. Does HIPAA Apply to You?

HIPAA applies to your web form if you are a “HIPAA Covered Entity” or if you are collecting data for someone that is a HIPAA Covered Entity (making you a “HIPAA Business Associate” of theirs).

HIPAA Covered Entities Include:

  1. Care: You provide services or supplies related to the physical or mental health care of an individual. This includes: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
  2. Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
  3. Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
  4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many types of organizations and government programs as health plans.

You are a HIPAA Business Associate if someone who is a HIPAA Covered Entity has contracted you to collect data for them through the form. (You also have to sign a Business Associate Agreement and abide by many other restrictions if you are a Business Associate.) A good example of a Business Associate in this case would be a web design company that handles the web sites and forms for their customers … some of whom are “HIPAA Covered Entities.” The web design company, if it is collecting ePHI through the web site for these customers, must then be a Business Associate of that customer and do things in a secure way to meet HIPAA’s demands … or else their customer is out of compliance … a bad state of affairs.

2. Does the online form collect ePHI?

Ok – so let’s say that HIPAA does apply to you and you still want to know if a particular web form needs to be compliant. This is determined by whether the form collects ePHI or not.

What is ePHI?
ePHI is individually identifiable, protected health information that is sent or stored electronically. “Protected health information” can include information about any one of:

  1. An individual’s past, present, or future physical or mental health or conditions
  2. The past, present, or future provisioning of health care to an individual
  3. The past, present, or future payment-related information for the provisioning of health care to an individual

“Individually identifiable” information includes any and all information that can be used to determine which specific individual is involved. There are 18 types of identifiers for an individual (listed below). Any of these, together with any type of “protected health information” (e.g. an appointment with a particular doctor), constitutes ePHI.

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voice prints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

So, it is pretty easy for a web form to be collecting ePHI!

Web Forms and ePHI need to be HIPAA Compliant

Here are some examples of web forms that would likely be collecting ePHI:

  1. Appointment Requests and Referral Requests: These will collect identifiable information about the person requesting the appointment and the request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, by context, requesting an appointment by itself may also imply information about “an individual’s past, present, or future physical or mental health or condition.”
  2. Patient Intake Forms: These forms usually allow the prospective patient to provide information about themselves for one purpose or another. This is both identifiable and information about “an individual’s past, present, or future physical or mental health or condition.”

Some examples that might not be considered the collection of ePHI (depending on the exact context of the site), because while they are individually identifiable, they do not include or imply health information for that individual:

  1. Contact Requests: Where the web site visitor is merely asking for a call or email with no reason specified.
  2. Requests for Information: Where the web site visitor requests a white paper, a pamphlet, or other information
  3. Purchases of products that do not require a prescription: Purchasing a product does not in and of itself imply who is to use it unless the use of that product is restricted (e.g. via a prescription). Of course, this may also depend on whether you try to collect health information as part of the purchase, e.g. for future marketing or upsell.

Getting the picture — anything that identifies the person and relates in any way to that person’s health or healthcare should be considered ePHI and protected. In other cases, you could get away with not being secure. But — why would you? People are afraid and paranoid about identity theft and information leakage on all sites … not just ones related to medical information. Anything that a website can do to make its visitors more comfortable and “secure” will improve trust and sales conversions.

What About Consent for Insecure Transmission?

As a follow-up question, we are often asked if there can be a checkbox on the form where patients can click to consent to the use of an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form at all. E.g., you are forcing them to either “go away” or submit with “consent” to insecurity.

This is highly advised against and is almost certainly not HIPAA compliant in any circumstance. This is also a case where, if you were going to do it anyway, you should really consult with a lawyer to make sure it’s OK in your case.

To understand why this is a bad idea, let’s consider “Mutual Consent.”

Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:

  1. You and the patient agree that insecure transmission is OK,
  2. The patient has been properly advised of the security risks involved,
  3. The patient agrees in writing that insecure transmission is OK, and
  4. The option for HIPAA-compliant transmission is available, by implication.

By far the simplest thing to do is to simply have secure transmission and be done with it — no need to consent to insecure delivery. It doesn’t make things any easier for the person filling out the form if the form is insecure.

The only case where this could be considered possibly under the HIPAA radar (again … please consult your lawyer), is if:

  1. Your insecure form has a clear section where it advises the users of the risks of submitting their data via this form
  2. That warning is understandable to most lay people without further explanation
  3. They have to check a box (or maybe sign their name) to consent to submission of that form
  4. You may need to be able to show that they understood and agreed to the risks, and didn’t just click without reading.
  5. When you collect the form data, you save and archive all of these consent agreements in case there is a breach and you need to prove that insecure sending was allowed and the user was well informed of the risks.
  6. You have another option available to the user in case s/he does not accept the risks … e.g. submitting the form securely, calling you via a phone number, printing and mailing in a physical form, etc.

Essentially, you are placing a significant burden on the end user by adding warnings and consent to your form. This will turn most folks off. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warning, just simple secure submission.