Create HIPAA compliant forms

How We Support HIPAA Compliant Medical Forms

Formsite offers HIPAA-enabled accounts for accounts collecting protected healthcare information (PHI). We will enter into a Business Associate Agreement (BAA) with your organization which will enable you to collect PHI using Formsite forms.


How to get started

Upgrade your account to an Enterprise level account. Other than the cost of maintaining an Enterprise level account, there is no additional cost.

If you would like an executed copy of the Business Associate Agreement (BAA), you can find that on our Terms of Service page and clicking the link titled “Business Associate Agreement-CE“. Execute the pre-signed document and send to us at support@formsite.com.

At this time we are unable to negotiate the terms of the agreement or enter into a custom agreement. When we receive the executed BAA, we will enable the HIPAA Compliant features and designate the account as a HIPAA account as of the effective date of the BAA.

Note: Any data collected prior to the BAA agreement is not covered by the agreement.


HIPAA compliance security

We provide a number of features to support your compliant collection of PHI. We have outlined below some feature recommendations for use of the Formsite products to collect PHI:

  • Email: Use our Secure Email feature to send any PHI. It is not compliant to use standard email to send PHI data.
  • Login credentials: Enable two-factor authentication for maximum account protection.
  • Exported results and Attachments: Be sure to handle exported data in a HIPAA compliant manner once you have the data stored locally.
  • Integrations: Only integrate with HIPAA compliant third parties for which you also have a BAA in place. We transmit all data securely, but it is your responsibility to have a BAA in place with any third party that receives data from Formsite.
  • Results Reports: Results Reports should not be used to share PHI. PHI should be shared with other Users via a sub-user account. Only disclose results to authorized recipients.
  • Copying forms: Forms that contain PHI should only be copied to another HIPAA compliant account.
  • Additional Security: Extra security is enabled for all forms. This requires your form to use https and also warns you when you may be about to do something insecure such as email PHI via non-secure email. This cannot be disabled. See more information on the Security documentation page.
  • Login Requirement: “Require login to access files” is enabled for all forms. This setting requires that you be logged in to access uploaded files. This setting cannot be disabled. See the Secure results files area on the Security documentation page.

Account termination

Please note, it is not possible to downgrade your account to a lower level of service once it has been designated a HIPAA-enabled account. If you terminate service with us, data collected in your account will be deleted and your account will become inaccessible pursuant to the Software Services Agreement. Once deletion occurs, we won’t be able to reinstate your account. You would need to establish a new account.

Billions of forms submitted