How To Make Online Web Forms HIPAA Compliant

The dilemma of providing truly HIPAA Compliant forms for Online patients

Web forms are common and there are many form builder applications, but rarely are they HIPAA Compliant. Some forms providers claim to be HIPAA Compliant, but by the very nature of their data harvesting they are in fact not truly compliant. Some forms providers market themselves as HIPAA Compliant, but in their small print state that all data collected by the customer's forms becomes the property of the forms provider. So... how does an organization make its Online forms HIPAA Compliant?

The first question to ask is whether the form needs to be HIPAA Compliant. A simple survey or questionnaire may have generic questions that elicit generic answers, which do not require HIPAA Compliance. Some forms may ask for personal information that requires the form to be protected for PII (Personally Identifiable Information), but not require HIPAA Compliance.

If the form asks for any PHI (Protected Health Information), then HIPAA Compliance is a compulsory requirement. If any question asks for the person's healthcare provider profile, medical conditions or similar, the form falls under HIPAA Compliance guidelines. If the form does not ask for any PHI, but does ask for PII, then HIPAA Compliance is not required, but would provide sufficient data protection to comply with PII Compliance guidelines.

Once you have decided that your form does fall under HIPAA Compliance, there are specific steps to take to make your form HIPAA Compliant. Apply the necessary steps and verify that each step is in fact applied before making your Online form publicly accessible.

Identify who will have access to the PHI. Any person or organization that will have access to your PHI falls under HIPAA Compliance and should be identified. This requires knowing which organizations and individuals have data access, such as developers, programmers, administrators and customer service.

All individuals who will have access to the PHI must sign a BA (Business Associate Agreement). You are responsible for acquiring a BA from each organization, and each organization is responsible for acquiring a BA from each of its employees who will access that PHI. Each organization that uses a subsequent organization with individuals who will access PHI is responsible for acquiring a BA from that organization, and that organization is responsible for BAs from its employees, and so on.

EZ Fast Forms provides HIPAA Compliant forms management and data access, and a permanent Business Associate Agreement with all active members.

Online forms are composed of questions, each with an associated field that lets the user answer it. When answers are submitted from the Online form to the responsible server, that data must be secured while in-transit. In-transit data, whether sent by POST or GET, must be encrypted with SSL/TLS. This is what banks do to protect your financial information, and the encryption is visible as the lock icon in the browser. That lock icon provides access to the details of the security certificate, which can be informative. Note that the lock only confirms that the connection to that server is encrypted; it says nothing about how the data is handled once it arrives.

Note: POST and GET data submissions are similar yet different. Both send data to the server, but by a different method. A GET request sends the variables and values within the URI (Uniform Resource Identifier) or in the Query. The URI is a set of path elements separated with a / character, like domain.com/vehicle/toyota/tundra/. The Query is any content subsequent to a ?, such as domain.com?make=toyota&model=tundra. A POST request carries its data in a separate message body that accompanies the URL/URI. Both GET and POST are parsed and handled by the server, but a GET request's full URL, query included, may be stored in the browser cache and history, written to web server, proxy and CDN access logs, and passed onward in the Referer header, which breaks HIPAA Compliance. Therefore, POST is always preferable for sending PHI data.

Online forms submit data using differing methods. Some forms contain all the questions, and the answers are submitted as a whole packet of data. Other forms break questions into groups and submit sections of data in series. Other forms submit data quietly without refreshing the page view or messaging the user. Whether the data submission is synchronous or asynchronous, it will be sent to the responsible server via either a POST or a GET request, which must be encrypted.
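The server-side checks that follow from the two passages above, written as an added example rather than EZ Fast Forms code: the endpoint refuses anything that is not HTTPS, refuses GET, rejects PHI field names that show up in a query string, and marks its response uncacheable. The field names, the portal URL and the WSGI environ keys used in the test are constructed; only standard-library modules are used.

```python
"""Server-side gate for a PHI form endpoint.

Added example, not EZ Fast Forms code. Field names and URLs are hypothetical.
Enforces the in-transit rules described above: HTTPS only, POST only,
no PHI in a query string, and no caching of the response.
"""
from urllib.parse import parse_qs, urlencode

# Hypothetical intake-form fields that carry PHI.
PHI_FIELDS = {"dob", "diagnosis", "medications", "provider"}


def url_if_submitted_by_get(base_url, answers):
    """Show what a GET submission would expose: every answer lands in the URL,
    which browsers cache and which servers, proxies and CDNs write to access logs."""
    return f"{base_url}?{urlencode(answers)}"


def classify_request(environ):
    """Decide whether a WSGI request may carry PHI, without reading the body.

    Only standard WSGI environ keys are used. `wsgi.url_scheme` must reflect
    the client's connection; behind a TLS-terminating proxy, configure the
    server to set it from the proxy's forwarded-proto header, and trust that
    header only when the request comes from the proxy's own address.
    """
    if environ.get("wsgi.url_scheme", "http") != "https":
        return "403 Forbidden", "PHI must be submitted over HTTPS"
    if environ.get("REQUEST_METHOD", "GET").upper() != "POST":
        return "405 Method Not Allowed", "PHI must be submitted with POST"
    query_fields = set(parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True))
    leaked = sorted(PHI_FIELDS & query_fields)
    if leaked:
        return "400 Bad Request", "PHI fields in query string: " + ", ".join(leaked)
    return "200 OK", "accepted"


def application(environ, start_response):
    """Minimal WSGI app: applies the gate and marks the response uncacheable."""
    status, reason = classify_request(environ)
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Cache-Control", "no-store"),  # keep the response out of browser and proxy caches
    ]
    start_response(status, headers)
    return [reason.encode("utf-8")]


if __name__ == "__main__":
    # Show the GET leak, then serve the gate locally. The local server is plain
    # HTTP, so every request it receives is answered with 403.
    from wsgiref.simple_server import make_server
    print(url_if_submitted_by_get("https://forms.example.com/intake", {"diagnosis": "asthma"}))
    with make_server("127.0.0.1", 8000, application) as httpd:
        httpd.serve_forever()
```

The gate deliberately inspects only the environ, so a rejected request's body is never parsed or logged; the PHI check on the query string catches forms that were accidentally switched to GET, or that append answers to the action URL.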

Encrypting form data in-transit is simple and inexpensive. Although some security certificate providers charge large fees, certificates can be purchased for as little as $5/year, and some providers offer them for free. Acquiring a security certificate to encrypt your in-transit data is a task best delegated to your web developer or web programmer. Once it is installed, read the certificate details and calendarize the renewal date so you do not let the certificate expire. Expired certificates can lead to site dysfunction, and at the least will make your Online form no longer HIPAA Compliant.
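Calendarizing the renewal date is easy to forget, so the check is worth automating. The following is an added example (standard library only, not EZ Fast Forms code) that fetches the site's certificate over a fully verified TLS connection and reports whether it is fine, due for renewal, or already expired. The host name, the warning threshold and the sample certificate dictionary are constructed for illustration.

```python
"""Certificate expiry monitor for the site that hosts the form.

Added example (standard library only), not EZ Fast Forms code. The host name
and the sample certificate below are constructed for illustration.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "forms.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}


def days_until_expiry(cert, now=None):
    """Days left before the certificate's notAfter time (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    expires_at = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires_at - now).total_seconds() / 86400


def expiry_status(cert, now=None, warn_days=30):
    """Map the remaining lifetime onto the three states an operator acts on."""
    days = days_until_expiry(cert, now)
    if days <= 0:
        return "EXPIRED"
    if days <= warn_days:
        return "RENEW_SOON"
    return "OK"


def expiry_status_on(cert, date_iso, warn_days=30):
    """Same check evaluated as of a given date ("YYYY-MM-DD", treated as UTC)."""
    when = datetime.fromisoformat(date_iso).replace(tzinfo=timezone.utc)
    return expiry_status(cert, when, warn_days)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection and return the server's leaf certificate.

    Verification stays on, so a certificate that is already expired, or that
    does not match the host name, raises ssl.SSLCertVerificationError here
    instead of being silently accepted.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "forms.example.com"  # hypothetical host
    try:
        cert = fetch_peer_cert(host)
        print(host, expiry_status(cert), f"{days_until_expiry(cert):.1f} days left")
    except ssl.SSLCertVerificationError as exc:
        print(host, "VERIFY_FAILED", exc)
```

Run it from a scheduled job and alert on anything other than "OK"; a 30-day warning window leaves time for the renewal to go through a developer's queue before the browser starts showing errors.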

Once your BAs are organized and your form data is secured in-transit to the server, your attention should turn to data storage and handling. When a user submits PHI data to your server, it has to go somewhere, else what's the point of an Online form? Not only should you know where the PHI data goes after submission, you need to document the route for that data in your HIPAA Compliance documentation.

EZ Fast Forms encrypts data in-storage. We do not share our encryption schema, nor the details of our security protocols, but we do apply more layers of security than HIPAA Compliance requires.

You need to know how data makes its way to your providers or staff. Your PHI should never travel to you as an email. Your PHI should not be emailed as an attached PDF, even if that PDF is encrypted. Nor should your PHI be emailed to you as an attached ZIP or other compressed archive, even if encrypted. Encrypted PDFs and ZIP archives are NOT HIPAA Compliant, due to the nature of how easily those methods of encryption can be broken. It is okay, however, to email a notification that your PHI data set is available to access via a secured method.

EZ Fast Forms provides various data access options. You can receive email alerts and/or text alerts to notify you when your PHI data set is ready for handling. The email alert will contain a link that takes you directly to the data set, but does require an initial login. Text messages also contain a link to the PHI via the same secured method. There is an option for each form to attach a PDF of the submitted data, with an option to set an encryption password on the attached PDF. There is also an option to include specified questions within the email alert message body, which may break HIPAA Compliance if the answer is PHI. These options are for members to evaluate and choose to use, or to leave the default compliant settings.
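One way to build the kind of alert the two passages above describe, as an added example and not EZ Fast Forms' own implementation: the message carries only an opaque reference to the submission behind a login-protected link, a non-PHI answer may be echoed on request, and any attempt to echo a PHI answer is refused. A final outbound check confirms that no PHI value appears in the text. The portal URL, field names and sample submission are constructed.

```python
"""Alert e-mail that references PHI instead of carrying it.

Added example, not EZ Fast Forms code. The portal URL, field names and
sample submission are constructed for illustration.
"""
import secrets
from email.message import EmailMessage

PORTAL_URL = "https://forms.example.com/submissions/"  # hypothetical, login required
PHI_FIELDS = {"dob", "diagnosis", "medications", "provider"}


def build_alert(recipient, submission, extra_fields=()):
    """Compose the notification and return (message, reference_token).

    The token is an opaque random value; the server keeps the token -> submission
    mapping, so the e-mail itself never identifies the patient or their answers.
    `extra_fields` mirrors the "include specified questions" option: a non-PHI
    answer may be echoed, a PHI answer is refused before any message is built.
    """
    for name in extra_fields:
        if name in PHI_FIELDS:
            raise ValueError(f"refusing to place PHI field {name!r} in an e-mail body")
    token = secrets.token_urlsafe(16)
    lines = [
        "A new form submission is ready for review.",
        f"Open it here (login required): {PORTAL_URL}{token}",
    ]
    lines.extend(f"{name}: {submission[name]}" for name in extra_fields)
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = "New form submission available"
    msg.set_content("\n".join(lines))
    return msg, token


def leaked_phi_fields(msg, submission):
    """Outbound check: which PHI answers appear verbatim in the message text?"""
    text = msg.get_content()
    return sorted(
        name for name in PHI_FIELDS
        if name in submission and str(submission[name]) in text
    )


# Constructed sample submission.
SAMPLE_SUBMISSION = {
    "name": "Pat Example",
    "preferred_contact": "phone",
    "dob": "1980-04-12",
    "diagnosis": "seasonal allergies",
}

if __name__ == "__main__":
    message, ref = build_alert("staff@example.com", SAMPLE_SUBMISSION, extra_fields=("preferred_contact",))
    print(message)
    print("leaked PHI fields:", leaked_phi_fields(message, SAMPLE_SUBMISSION))
```

The same shape works for a text-message alert: the link and token go out, the answers stay on the server until someone logs in.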

Once logged in, EZ Fast Forms members may access PHI and PII through secured connections that protect the data in-transit. Data may be downloaded in Protected PDF, Un-protected PDF, FDF Data File, CSV, TSV, XLSX and TXT formats. EZ Fast Forms advises that handled data sets be purged periodically, and not left on the server indefinitely.

A general comment on good login access management: always actively log out of your membership profile when you are finished with a session or for the day. EZ Fast Forms protects against session hijacking, but leaving your computer unattended in an insecure environment may allow an unauthorized individual to access PHI, and you are responsible for preventing unauthorized access.

Concerned about HIPAA Compliance?

Email us at email@ezfastforms.com or call 801-253-2564 and we will be happy to answer your questions, research any new concerns, and implement custom solutions to meet your special HIPAA Compliance needs.

EZFF Membership

Have questions or concerns about signing up for an EZ Fast Forms Membership?