18 HIPAA Compliant Form Builders to Protect Your Patient Data

May 14, 2021 | 14 minutes

If you work in healthcare and handle protected health information (PHI), you know that there is no way around it.

PHI needs to be sent, received, and stored safely and securely. First and foremost, it has to be handled according to HIPAA compliance guidelines.

In healthcare, it is vital to understand what the rules are, how they apply to you, and how to comply.

Whether it’s a covered entity that generates PHI, or a business associate who needs to access it, HIPAA regulations matter.

There is a lot to take into account, but you shouldn’t be worrying yourself sick over how to do it right.

Before we get into the problem of HIPAA-compliant digital forms, let’s do a quick recap of who is affected by it, and why.

For whom is HIPAA relevant?

Two groups must comply with HIPAA regulations: covered entities (CEs) and business associates.

What is a covered entity?

A covered entity is any organization that collects, creates, or transmits PHI electronically (also known as “ePHI”). Subgroups that fall under the umbrella of covered entities include:

  • Healthcare providers: Such as doctors, nursing homes, hospitals, or psychologists

  • Health plans: Any individual or group plan that offers or pays for healthcare services, such as health insurance companies, health maintenance organizations, Medicaid, and Medicare

  • Clearinghouses: organizations that act as the middleman between healthcare providers and insurance payers. Healthcare clearinghouses process healthcare transactions according to required standards

What is a business associate?

A business associate is an organization that has access to PHI as contracted by a covered entity.

Examples of healthcare business associates are IT providers, email hosting services, and - you guessed right - form builders.

When a covered entity allows a business associate to support its healthcare activities, the business associate needs to sign a contractual agreement with the covered entity. This contract is known as a Business Associate Agreement (BAA).

Just like the covered entity, the business associate needs to adhere to HIPAA regulations to protect PHI. Moreover, it is mandated to inform the covered entities in the case of any potential or actual data breaches.

Tech products and HIPAA: A foggy relationship

Each entity that has access to PHI needs to make sure the appropriate technical, physical, and administrative safeguards are in place.


  • There’s a lack of clarity in HIPAA requirements and a lengthy checklist of rules to adhere to

  • HIPAA regulations commonly get updated or changed. As a consequence, organizations will have to follow through and update their compliance plan

  • When slip-ups cause HIPAA violations, both covered entities and individuals can face some pretty hefty fines, even if PHI is not breached. Breaches can result in criminal charges and lawsuits. The size of penalties for breaches varies greatly depending on the severity of the violation, liability, and how cooperative the organization is during investigations into the breach

  • The regulations shouldn’t be taken lightly. It doesn’t matter if a violation was due to willful neglect or unintentional. Ignorance is not seen as a justifiable reason for counter-sanctions. Fines for non-compliance will be issued regardless

  • According to a 2015 report released by the Department of Health and Human Services (HHS), HIPAA deficiencies in terms of privacy, data security, and breach notification were found in most of the covered entities that were screened, especially in the smaller entities. A triple-digit fine could be devastating for a modest practice or organization

How HIPAA affects digital form users

Organizations need to follow rules and regulations that are complex and time-consuming.

If you’re not careful, you’ll walk straight into an administrative nightmare. Every action needs to be logged. There are also many forms to fill out and procedures to follow.

As we know, neglect in following HIPAA standards and regulations can result in penalties. Furthermore, this can land you an honorable spot on the HIPAA Wall of Shame, where known breaches from the past 24 months that are currently being investigated are displayed.

You’d rather be known for integrity than for compromising your patients’ sensitive data. Overall, there is a lot to take into account.

Why forms are relevant in the healthcare context

There is a simple answer to this question: In healthcare, forms that collect PHI are ubiquitous.

Forms are essential to register new patients, jot down symptoms, outline treatments, or refill a prescription, among other uses.

Think of the new patient authorization forms when they visit a doctor for the first time, or the Covid-19 test form people fill out to comply with their data getting transmitted to a clearinghouse.

Forms are an essential part of healthcare, and making sure they are HIPAA compliant is paramount.

There are six main HIPAA forms you’ll come across most often. Understanding these will help you run operations more efficiently, but also reduce the risk profile of the organization you are part of.

The switch to digital has implications on data security. On top of that, patients expect to receive care as easily as they order their groceries online.

Digital forms play a role in this. Now, let’s see how HIPAA relates to forms.

What makes a form HIPAA compliant?

When handling ePHI, HIPAA requires a digital form to meet a minimum set of requirements. The ePHI it collects:

  • Transport Encryption: Is always encrypted as it is transmitted over the Internet

  • Backup: Is never lost, i.e. should be backed up and can be recovered

  • Authorization: Is only accessible by authorized personnel using unique, audited access controls

  • Data Integrity: Is not tampered with or altered

  • Storage Encryption: Should be encrypted when it is being stored and archived

  • Disposal: Can be permanently disposed of when no longer needed

  • Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement

Ticking off the aforementioned points is your responsibility. PHI and ePHI safety and integrity should be your highest concern.

This is essential because the number of healthcare data breaches continues to rise year after year.

When health records end up on the black market, they’re worth up to 40 times as much as a credit card number.

A personal identification number is permanent, whereas a credit card number is not. This can greatly complicate the lives of people whose information was compromised, as the breached information is often used for fraudulent activities.

Building software that handles all security points is a job on its own. That’s why it makes sense to look into forms that take care of this for you.

18 form builders that are HIPAA-compliant

For your patients' sake and your peace of mind, you want to make every process around PHI collection as safe as can be.

A HIPAA-compliant form builder takes the guesswork out of compliance, at least in one recurring area of your practice or organization.

With this in mind, we compiled a list of digital form builders that are compliant with HIPAA. Take a look!


1. JotForm

JotForm offers a wide array of mobile-friendly, fully customizable HIPAA-compliant forms and BAAs to securely collect patient data.

You can generate live medical reports from form data, optimize workflows by connecting JotForm with tools you already use, and automate approvals.

JotForm forms are paired with JotForm Health App to view medical records, schedule appointments, and get signed consent forms from any device (even when not connected to the internet).

Currently, the company offers Corona responders free unlimited HIPAA accounts. This qualifies healthcare providers, government organizations, and nonprofits for free JotForm plans.

Pricing: $29/month (billed annually), or $39 on a per-month basis. With both plans, you can create up to 100 forms and send 10,000 form submissions. Nonprofits enjoy a 50% discount.


2. Typeform

Typeform lets you build interactive quizzes, surveys, and forms that show one question/prompt at a time. You can add images, design themes, change fonts and backgrounds.

Typeform is run on Amazon Web Services and upholds multiple levels of encryption, access control, and penetration testing.

HIPAA is mentioned on a separate Covid-19 FAQ overview, stating Typeform is willing to act as a business associate for covered entities, if you sign a BAA with them.

It’s also worth noting that Typeform’s Stripe integration won’t be usable, as there is no mention of HIPAA or BAAs on Stripe’s website.

Pricing: The free version gives you 3 typeforms with 10 questions per typeform and 100 responses per month. The paid plan with unlimited forms starts at $35/month (billed annually) with room for up to 1,000 form responses per month. It is possible to test features from the paid plans in trial mode, although the forms won’t be shareable.

Bonus: If you intend to use Typeform for a not-for-profit Covid-19-related project, Typeform even offers a free 3-month subscription.


3. Formstack

Formstack is an all-in-one HIPAA-compliant solution for gathering data, creating documents, and collecting eSignatures.

Formstack’s Forms, Documents, and Sign underwent a security audit by a third-party compliance assessment provider. A standard BAA is available, as is the option to create customized BAAs.

Formstack monitors its HIPAA accounts to prevent breaches. TLS encryption, user-level permissions, and HIPAA-compliant integrations that secure ePHI are listed in the features. User and action logging data can be requested in the case of an audit or potential security breach.

Pricing: Formstack offers a 14-day trial. The Starter plan is priced at $50/month (billed annually), or $59 on a per-month basis for one user. This user can create up to 20 forms and send out up to 1,000 form submissions.


4. Logiforms

Logiforms is a form builder with a flexible and intuitive drag-and-drop interface.

It also supports the implementation of automated workflows to build and store secure forms and PDFs via HIPAA-compliant features such as 256 Bit SSL Encryption on forms, Data at Rest Encryption, and end-to-end TLS/HTTPS Encryption.

Pricing: Logiforms offers a 15-day trial. The Professional plan is priced at $24.95/month. Two users will have access to the software, allowing for the creation of 10 forms and 5,000 form submissions. Add-ons are available for small, additional fees.


5. Microsoft Forms

Microsoft Forms is a beginner-friendly form builder for surveys, polls, and quizzes.

The software is HIPAA and BAA compliant, and meets BAA protection standards, with form data encrypted at rest and in transit.

Microsoft services that fall under the BAA went through audits for the Microsoft ISO/IEC 27001 certification.

Pricing: Free to use for anyone with an Office 365 Education license, Microsoft 365 Apps for Business clients, and users with a Microsoft account pro.


6. Cognito Forms

Cognito Forms is a versatile platform with various form templates to pick from. It’s both a beginner- and developer-friendly product that offers the possibility to adjust forms with custom HTML and CSS.

You can build HIPAA compliant forms that process online payments, let users request appointments or prescriptions, register new patients and connect with third-party integrations.

Pricing: HIPAA compliance is granted under the Enterprise plan at $99/month. The plan allows for unlimited form creations and entries, granting 20 users access to the tool.


7. HIPAA Forms

HIPAA Forms is a WordPress plugin that requires you to have Caldera or Gravity Forms installed.

To use it, you will need a valid HIPAA Forms license key, SSL enabled and, of course, a signed BAA agreement.

The result: you check a box next to the form to make it HIPAA compliant. If your system is based on WordPress, it won’t get much easier than this.

Pricing: You can test the plugin for free with one form and 25 form submissions. The subscription starts at $600/year, unlocking unlimited forms, unlimited form submissions, and removed branding. The possibility to upload files can be purchased as an add-on for $300/year.

8. 123 Form Builder

123 Form Builder is an enterprise-level, fully customizable drag-and-drop form builder to craft online forms for your healthcare practice or business.

The software incorporates extended security protocols, conditional logic rules, 80+ integrations, and the possibility to send data directly to a preferred CRM.

With this in mind, the software is most fitting for large teams who gather heaps of data.

Pricing: HIPAA-compliant forms are only available under the Enterprise plan, priced at $199.99/month. You’ll need to contact sales for a customized offer.


9. FormAssembly

FormAssembly’s data collection tool and form builder is used by over 4,000 global organizations, such as Amazon, Lenovo, and Harvard University.

All collected data is kept secure. The tool integrates with your current systems, such as Salesforce, Google Apps, and Pardot, and allows you to easily create advanced forms.

Pricing: HIPAA-compliant forms and BAAs are available under the fourth-tier Compliance Cloud plan. You’ll need to contact the team for a personalized offer, but the costs will probably be above the $224/month threshold, as this is what the second-tier plan costs.


10. FormDr

FormDr is a form solution tailored to hospitals, health systems, and other single and multi-location practices.

With FormDr you can combine several pages into one online form packet, easing the effort for patients of going through multiple separate forms.

And of course, FormDr is compliant with HIPAA.

Pricing: They offer a free 14-day trial, and offer to convert your files into forms. All three plans offer HIPAA compliant forms. The main differences between plans lie in the number of users, submissions, form views, and available GBs for file storage. The starter plan is priced at $29/month, whether you pay-as-you-go or for the entire year.


11. PandaDoc

PandaDoc is a comprehensive document automation and personalization software where one can build proposals, quotes, contracts, and forms within minutes.

Workspaces support efficient storing of staff and patient information separately, all fully HIPAA-compliant.

Pricing: To get a customized, HIPAA-compliant enterprise plan PandaDoc asks you to contact their sales team.


12. Google Forms

HIPAA-compliant authentication and privacy settings are available for Google Forms, meaning CEs can utilize Google Forms as a HIPAA-compliant form builder.

A BAA with Google will need to be signed beforehand.

CEs can monitor folder and file access and visibility, and grant each contributor the necessary permissions. Before utilizing Google Forms to collect or store ePHI, admins need to adjust privacy settings and disable any third-party apps that don’t meet HIPAA standards.

Pricing: Google Forms is available under the Business Starter plan at $6 per month per user, granting access to the entire Google Workspace, and includes a 14-day trial.


13. Formsite

Users on the Enterprise Plan can request a standard business associate agreement to make use of the HIPAA-compliant settings.

This will allow you to build secure referral, healthcare payment, and medical history forms.

Formsite supports organizations with essential data management features such as Secure Email and access control with two-factor authentication.

The software also has integrations for Salesforce and Google Sheets (for which you’ll need a BAA too).

Pricing: The standard Enterprise plan starts at $249.95/month or $2499.95/year.


14. DocuSign

DocuSign electronic signature and document generation software is used by 12 of the world’s top 14 pharmaceutical companies.

The software is fully compliant with ESIGN, UETA, and HIPAA, and is ISO 27001:2013 certified.

All data that passes through DocuSign’s servers is encrypted and authenticated, both in transit and at rest.

Pricing: DocuSign asks customers in the healthcare branch to contact sales for industry-specific offerings.


15. MedForward

MedForward has offered marketing consultancy services and digital tools focused on helping medical businesses grow since 2007.

Their MedForward Forms web app is developed by their in-house team and allows patients to safely complete HIPAA-compliant online forms.

They will convert your existing forms into an online format, while still allowing patients to make use of forms in their original format.

Pricing: Payments are made month-to-month. No longer-term commitments are necessary, although you need to contact MedForward for a personalized quote.


16. ProntoForms

Enterprise low-code mobile form builder ProntoForms enables you to make custom apps without any technical know-how.

The app allows for advanced conditional workflow logic and rich data capture beyond checklists. It’s rated #1 on G2’s Enterprise Grid for mobile solutions.

ProntoForms has passed several audits, HIPAA included.

They maintain a service availability of 99.9% and frequently run through their incident response and disaster recovery plans to prevent security threats.

Pricing: All three available plans offer HIPAA compliance, although the Essentials Plan may fall short in customization capabilities. The Essentials plan is priced at $15/month per user, allowing you to create 10 forms with 250 questions each.


17. LuxSci

LuxSci’s SecureForm web and PDF form solution lets you add and save HIPAA compliant forms.

SecureForm integrates into web or PDF forms you currently use. It can be used in tandem with any CMS (WordPress included) as well as hand-coded pages. Your data is secured with TLS encryption during transmission, and at rest with PGP and/or AES encryption.

Pricing: The Small plan allows for the creation of up to 100 forms starting at $50/month.


18. SurveyMonkey

SurveyMonkey is a popular form builder used by 98% of Fortune 500 companies.

The company offers a standard form BAA and implements the necessary safeguards to protect ePHI they handle on behalf of CEs.

Safeguards incorporate data backup plans, regular systems risk analysis and incident response plans.

Pricing: Only the Enterprise plan offers HIPAA-compliant features. SurveyMonkey asks customers to contact them for a personalized offer.


Keeping your organization compliant is not easy, but essential. Choosing a HIPAA-compliant form builder will lessen the administrative burden and ensure ePHI collected through forms is stored and sent safely.

Once you switch to a HIPAA-compliant form builder, you’ll make and send forms the same way as you always have.

The main difference is that the data is now transmitted and stored according to HIPAA standards.

This is one step closer to compliance, and less worry in the case of an upcoming audit.

To conclude, it’s worth noting that most of the HIPAA-compliant digital forms listed in this article are also supported by Make.

If you are looking for increased capacity and flexibility over time, picking a solution that is both integrations-friendly and HIPAA compliant will fill two needs with one deed.

Disclaimer: The information on this page does not constitute official healthcare or legal advice. Make is not liable for any damage or liabilities arising out of or connected in any manner with this platform.

Gracia Kleijnen

Freelance Content Writer at Make. Automation advocate, copywriter, blogger. Hobby filmmaker who loves slow travel and learning about productivity, psychology and marketing.
