HIPAA compliance
FormCan enables secure collection of personal data with HIPAA compliance. We understand HIPAA laws and how to help your business collect health-related information securely. As part of keeping you compliant, we will provide you with a Business Associate Agreement (BAA) between our company and yours.
Prerequisite
To request HIPAA compliance for your team:
- You need to subscribe to the Silver or Gold plan.
- You need to be the Team Admin.
Request HIPAA compliance
- Go to the Dashboard.
- Select the team for which you have Team Admin rights and want to request HIPAA compliance.
- On the Team page, click Enable HIPAA Compliance for Your Team on the top right, and click Continue.
FormCan will upgrade all team members’ accounts to be HIPAA-compliant. After the upgrade is complete, the signed BAA will be sent to the Team Admin’s email box.
When a team is set to HIPAA-compliant, the Enable HIPAA Compliance option on the Team page will be replaced with the HIPAA compliance badge.
- Members may belong to multiple teams, but HIPAA compliance only applies to forms and submission data for teams that have enabled HIPAA compliance. Forms and submissions from teams without HIPAA compliance are not covered under this team’s HIPAA compliance.
- After upgrading to a HIPAA-compliant account, remember to update the old forms embedded on your site so they remain accessible.
Enhanced security measures for HIPAA-compliant accounts
Apart from the enhanced security measures implemented in the system, team members will notice the following security changes when they access and use the platform.
Secure URL
After migrating to a HIPAA-compliant account, the domain name of all published forms will change from https://form.formcan.com/ to https://secure.formcan.com/.
- If you’ve used any embed script or sharing URL, update it or notify the people who rely on it promptly. After 7 days, old embed scripts and URLs will no longer work.
- If you use a custom domain, the share URL remains the same, but embed scripts always need to be updated.
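The domain change above is the one that silently breaks embedded forms after the 7-day window, so it is worth checking a site checkout for leftover references before the cutoff. The script below is an added example, not FormCan tooling: it scans HTML, JavaScript and Markdown files for URLs on the old https://form.formcan.com/ host, reports them with line numbers, and can rewrite them to https://secure.formcan.com/ while leaving custom-domain links untouched. The sample page and its form paths (embed/abc123.js, s/abc123) are constructed for illustration; the actual shape of a FormCan embed script is not given on this page.

```python
"""Find and optionally rewrite references to the pre-HIPAA FormCan form domain.

Added example, not FormCan's own tooling. It assumes only what the page states:
published-form URLs move from https://form.formcan.com/ to
https://secure.formcan.com/, and old embed scripts and share URLs stop
working 7 days after the migration.
"""
import re
from pathlib import Path

OLD_HOST = "https://form.formcan.com/"
NEW_HOST = "https://secure.formcan.com/"

# Match the old host wherever it appears (src=, href=, or plain text) and
# capture the rest of the URL up to whitespace, a quote, or an angle bracket.
OLD_URL_RE = re.compile(re.escape(OLD_HOST) + r"[^\s\"'<>]*")


def find_old_urls(text: str) -> list[tuple[int, str]]:
    """Return (1-based line number, matched URL) for every old-host reference."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in OLD_URL_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def rewrite_old_urls(text: str) -> tuple[str, int]:
    """Replace every old-host URL with its secure.formcan.com equivalent.

    Only the host prefix changes; the form path after it is preserved.
    Returns the rewritten text and the number of replacements made.
    """
    new_text, count = OLD_URL_RE.subn(
        lambda m: NEW_HOST + m.group(0)[len(OLD_HOST):], text
    )
    return new_text, count


def scan_site(root: Path, suffixes=(".html", ".htm", ".js", ".md")) -> dict[str, list[tuple[int, str]]]:
    """Walk a site checkout and report old-host references per file."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_old_urls(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page: an embed <script> and a share link on the old host,
# plus a custom-domain share link that must be left alone (hypothetical paths).
SAMPLE_HTML = """<p>Apply here:</p>
<script src="https://form.formcan.com/embed/abc123.js"></script>
<a href="https://form.formcan.com/s/abc123">Open form</a>
<a href="https://forms.example-clinic.test/s/abc123">Custom domain link</a>
"""

if __name__ == "__main__":
    for lineno, url in find_old_urls(SAMPLE_HTML):
        print(f"line {lineno}: {url}")
    fixed, n = rewrite_old_urls(SAMPLE_HTML)
    print(f"rewrote {n} reference(s)")
    print(fixed)
```

Run `scan_site(Path("path/to/site"))` against a checkout of your site to get a per-file list before applying `rewrite_old_urls` to each file. Note that this check keys on the host name only: embed scripts served under a custom domain will not be flagged, yet the page states they still need updating, so review those separately.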
Automatic lock and logout
- Automatic lock: For HIPAA-compliant accounts, the page locks automatically after 15 minutes of inactivity for added security. To regain access, enter the account’s password to unlock it.
- Automatic logout: After 30 minutes of inactivity or when the browser is closed, HIPAA-compliant accounts will be automatically logged out. This means the Keep me logged in option on the sign-in page will no longer function.
Team audit log
As a Team Admin, access the Audit Log under the left navigation bar on the Dashboard. This page allows you to view detailed records of your team’s sharing, authentication, and access activities. Regularly reviewing these activity reports is advised to detect any unusual behavior and ensure your team’s security.
Encrypted data storage
At FormCan, all data storage and transmission are encrypted for enhanced security. However, when sharing data externally, extra caution is advised. This includes:
- Outbound email: Our email senders are HIPAA compliant, but if emails contain PHI data in PDF or CSV attachments, ensure the recipient’s email service provider is HIPAA compliant. If uncertain, consider disabling email notifications.
- Share link: Sharing links can be opened without login protection. If unsure about usage, disable sharing options.
- Integration with third-party services: For cloud drives or Zapier, verify that they are HIPAA compliant and offer a Business Associate Agreement (BAA).
For more details, refer to section 2.7, Account Usage for HIPAA Enabled Team, in our BAA.
To gain insights into our HIPAA compliance implementation, refer to this document for more details.