What to Look for in a HIPAA-Compliant Online Form Builder

October 9th, 2018

As a healthcare provider, or for that matter any entity that works with healthcare clients, you are probably already aware of the fact that you cannot use traditional web forms to accept PHI (Protected Health Information). That would be a gross violation of the HIPAA regulations and can get you into a lot of trouble. For instance, you might have to pay a hefty fine.

Now, many organizations make use of online form builders to capture client or patient information. There is a reason for it – the forms make it much easier to collect patient information and also manage the clients themselves.  They automate workflows and reduce paperwork.  They save time.

But, when it comes to healthcare information, there are obvious risks that come into play. HIPAA regulations exist to minimize those risks by protecting patient data. But, how can organizations ensure that the data captured by such forms are protected?

Well, the answer is to create forms that are compliant with HIPAA standards. In this blog, we are going to list out the key features that need to be included in a HIPAA-compliant online form.

Business Associate Agreement

First and foremost, a HIPAA-compliant form obtained through a third-party service must come with a BAA (Business Associate Agreement) from that third party. As you might know, a BAA is basically a hybrid agreement, in that, it is both, contractual and regulatory in nature. Essentially, the agreement satisfies all regulations under HIPAA and also establishes expectations and liability between the parties.

So, when one party violates or breaks the terms of the agreement, the affected party can seek legal action. However, if both parties have signed a contract without a BAA, then they may be both liable and may have to face legal ramifications under federal law.

As a healthcare organization, it is always a wise idea to categorize your vendors and partners as business associates and enter into BAAs with. In the case of form builders, the form building service provider and the form hosting company are business associates. So, before you build a form using their services, you must enter into a BAA.

When a BAA is entered into, it means that the form-building service has now agreed to comply with HIPAA regulations and has accepted liability.  This is one reason that such services are never “free.”

HTTPS Encryption

HTTPS stands for Hyper Text Transfer Protocol Secure. This is basically the secure version of HTTP and like HTTP, it is a protocol over which website data is transmitted. However, HTTPS also ensures that the data transmitted is securely encrypted and that you are communicating with the website to which you are intending to connect (read more about HTTPS, SSL and secure web sites). The purpose is to make sure that people can send and receive data without having to worry about it being stolen or accessed without authorization.

Needless to say, HIPAA-compliant forms need to be enabled with HTTPS to ensure that PHI is never accessed by third-parties while being transmitted. This is a core requirement under HIPAA standards.

Encryption for Data at Rest

Providing encryption for data during transmission is just one part of the solution. Data also should be encrypted during “rest”  (i.e., while saved to disk). Typically, resting data is protected by simply encrypting the files before storing them. In some cases, the storage itself will be encrypted.

Make sure you talk to your form building service about this and determine whether or not they encrypt data at rest.

Multiple Options to Save/Send Data

Determine if there are multiple options to save and send your data. In general, most online form builders email all forms to a single email address.  This is a bad move and inflexible, considering all your information ends up in the same location.

However, with a diversified approach, your information is at much less risk of being targeted and compromised and you can leverage the service to better meet your business goals.

Ink Signatures

HIPAA-compliant online forms also benefit from an ink signature feature. Typically, most forms use a checkbox to indicate agreement. However, this is a weak method because it cannot be proven as to who actually checked the box, despite it being legally binding. Checking of a box is not resistant to forgery either.

An ink signature can be executed on a web form by drawing over the screen with a stylus or finger. It can also be done with a mouse. This signature is then converted into a digital image and embedded into the online form.

Multi-Format Refilling

The form must allow you to refill the data into other formats such as PDF or HTML. This is to ensure that the data can be captured in various formats as per your convenience.

Backup and Archiving

Check for options to backup and archive all your data. Archived data is necessary for future legal proceedings, if any.  Archival is required under HIPAA.


Make sure there are options to help you track and determine who viewed or submitted the form data.

Redundancy in Form Processing

Ensure your forms can scale to a range of viewers and are immune to server issues.

Dedicated Servers

Ensure that your forms are processed on dedicated data servers to isolate your data. This is necessary if you are concerned with maximizing the security of your for processing.

Want to discuss how LuxSci’s Secure Form Solutions can help your organization? Contact Us