What to Look for in a HIPAA-Compliant Online Form Builder

October 9th, 2018

As a healthcare provider, or for that matter, any entity that works with healthcare clients, you are probably already aware of the fact that you cannot use traditional web forms to accept PHI (Protected Health Information). That would be a gross violation of the HIPAA regulations and can get you into trouble. For instance, you might have to pay a hefty fine.

Now, many organizations use online form builders to capture client or patient information. There is a reason for it – the forms make it much easier to collect patient information and manage the clients themselves. They automate workflows and reduce paperwork. They save time.

But, when it comes to healthcare information, obvious risks come into play. HIPAA regulations exist to minimize those risks by protecting patient data. But, how can organizations ensure that the data captured by such forms are protected?

The answer is to create forms that are compliant with HIPAA standards. This blog will list the key features that need to be included in a HIPAA-compliant online form.

Business Associate Agreement

First and foremost, a HIPAA-compliant form obtained through a third-party service must come with a BAA (Business Associate Agreement) from that third party. As you might know, a BAA is a hybrid agreement in that it is both contractual and regulatory. Essentially, the agreement satisfies all HIPAA regulations and establishes expectations and liability between the parties.

So, when one party violates or breaks the terms of the agreement, the affected party can seek legal action. However, if both parties have signed a contract without a BAA, they may be both liable and face legal ramifications under federal law.

As a healthcare organization, it is always wise to categorize your vendors and partners as business associates and enter into BAAs. In the case of form builders, the form building service provider and the form hosting company are business associates. So, before you build a form using their services, you must enter into a BAA.

When a BAA is entered into, the form-building service has now agreed to comply with HIPAA regulations and has accepted liability. This is one reason that such services are never “free.”

HTTPS Encryption

HTTPS stands for HyperText Transfer Protocol Secure. This is the secure version of HTTP, and like HTTP, it is a protocol over which website data is transmitted. However, HTTPS also ensures that the data transmitted is securely encrypted and that you are communicating with the website to which you intend to connect (read more about HTTPS, SSL, and secure websites). The purpose is to make sure that people can send and receive data without worrying about it being stolen or accessed without authorization.

HIPAA-compliant forms need to be enabled with HTTPS to ensure that PHI is never accessed by third parties while being transmitted. This is a core requirement under HIPAA standards.

Encryption for Data at Rest

Providing encryption for data during transmission is just one part of the solution. Data also should be encrypted during “rest”  (i.e., while saved to disk). Typically, resting data is protected by encrypting the files before storing them. In some cases, the storage itself is encrypted.

Make sure you talk to your form-building service about this and determine whether or not they encrypt data at rest.

Multiple Options to Save/Send Data

Determine if there are multiple options to save and send your data. Most online form builders email all forms to a single email address. This is the wrong move and inflexible, considering all your information ends up in the same location.

However, with a diversified approach, your information is at much less risk of being targeted and compromised, and you can leverage the service to meet your business goals better.

Ink Signatures

HIPAA-compliant online forms also benefit from an ink signature feature. Typically, most forms use a checkbox to indicate agreement. However, this is a weak method because it cannot prove who actually checked the box, despite it being legally binding. Checking a box is not resistant to forgery either.

An ink signature can be executed on a web form by drawing over the screen with a stylus or finger. It can also be done with a mouse. This signature is then converted into a digital image and embedded into the online form.

Multi-Format Refilling

The form must enable you to refill the data into other formats such as PDF or HTML. This ensures that the data can be captured in various formats at your convenience.

Backup and Archiving

Check for options to backup and archive all your data. Archived data is necessary for future legal proceedings if any. Archival is required under HIPAA.


Ensure there are options to help you track and determine who viewed or submitted the form data.

Redundancy in Form Processing

Ensure your forms can scale to a range of viewers and are immune to server issues.

Dedicated Servers

Ensure that your forms are processed on dedicated data servers to isolate your data. This is necessary if you are concerned with maximizing the security of your processing.

Want to discuss how LuxSci’s Secure Form Solutions can help your organization? Contact Us