Here to Help: Healthcare Security 101 (Protecting Patient Data)

Written by Jessica Haas on November 9, 2016

Posted in Healthcare, Here to Help

“Here to Help” is a support column written especially for Formstack’s awesome, loyal customers.

Healthcare organizations are held to high standards when it comes to collecting and protecting patient data. And they should be. Most of the information these organizations collect is personal and highly sensitive, so it must be handled with extreme care to ensure it doesn’t end up in the wrong hands.

Healthcare data security is especially important in today’s fast-paced, digital world. Hospitals and health clinics are no strangers to cyber attacks, so they need to have a variety of security measures in place to safeguard their electronic health records.

If you’re collecting healthcare information via Formstack forms, we’ve done some of the work for you via our form security features. But here are a few steps you can take to ensure you’re making patient data security a priority:

Collect Patient Data via HIPAA Compliant Forms

The most important way to protect patient data is through HIPAA compliant web forms.

Formstack offers an enterprise-level solution that is compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). With Formstack HIPAA compliance, the electronic protected health information (ePHI) you collect is safeguarded by extra layers of security. These security measures include the following:

  • Automatic timeout of user sessions after 15 minutes of inactivity
  • Audit logging of security-relevant and potentially destructive actions (e.g., user logins and submission edits)
  • Withholding of submission data from approval, notification, and confirmation emails (messages may contain a link back to Formstack to view the data)

For more information on getting set up with Formstack HIPAA compliance, review our healthcare solutions page and submit the form at the bottom to request a demo.

Encrypt Patient Data Stored in the Database

Another way to protect the ePHI your health organization collects is by enabling data encryption in the Formstack database. When you collect patient information via a Formstack form, the submitted information is stored in the Formstack database. To protect that information at rest, Formstack offers the ability to encrypt the stored data.

[Screenshot: Enable Data Encryption in Formstack]

Formstack’s database encryption works by generating a public/private key pair that is stored with your form and by requiring you to set an encryption password. The public key encrypts each submission as it is saved to the database (which is what allows new submissions to be encrypted as they arrive, without the password being present), the private key decrypts them, and the password you set encrypts the private key. Your encryption password is not saved on the server in plain text, so no one can decrypt the stored submissions without knowing it. Because the password-wrapped private key is what stands between an attacker and the data, the strength of that password matters: choose a long passphrase rather than a short word, since a weak one can be guessed offline against the wrapped key.

[Screenshot: Set Data Encryption Password in Formstack]

It’s important to remember your password because no one (not even Formstack staff members) can access or retrieve your data without it, and it cannot be recovered for you. Equally, anyone who learns the password can decrypt everything the form has collected, so safeguard it, share it only with users who are authorized to access the form’s submission data, and share it only over a channel you trust.

To arm a healthcare form with data encryption, go to Settings > Security and select “Enable Data Encryption” at the bottom of the box. When prompted (as shown above), set your password and click “Enable data encryption.”

For more information on this level of form security, check out our post on securing your form with data encryption.

Limit Access to Patient Data

Another layer of protection you can add to your healthcare forms is access control. This involves defining access rules for Formstack users on specific forms so that submission review and collaboration only occur among authorized stakeholders (e.g., doctors, nurses, and other personnel with a need to see the data).

With Formstack, you can ensure limited access to sensitive data by setting specific user permissions. To set permissions, you must be signed in to an admin account. Once logged in to the appropriate account, follow these steps:

1. Click on the “My Profile” icon in the top right corner of the screen and select “Users” from the dropdown list.

[Screenshot: Formstack Account Users Permission Levels]

2. When the list of users pops up, click on a specific user’s name to view permissions options. You will see tabs for Global Permissions, Folder Permissions, Form Permissions, Theme Permissions, and Credentials Permissions. The most important permissions are those for setting global access, folder access, and form access.

[Screenshot: Formstack Permissions Options]

3. To give a user admin access or to allow the user to create forms and themes, click on the Global Permissions tab and simply select the checkbox next to each option that you want to enable.

[Screenshot: Formstack Global Permissions]

4. To manage user permissions for specific folders or forms, select the Folder Permissions tab or the Form Permissions tab. Within each tab, you will see a list of folders and forms and a “Permission” column. To update a permission, select the dropdown box next to the appropriate folder or form, and choose the access level you want (i.e., Form Admin, View + Edit, or View only).

[Screenshot: Formstack Permission Access]

Here is what the various levels allow:

  • View only: User can view, search, and download the submitted data.
  • View + Edit: User can view, search, download, and edit the submitted data.
  • Form Admin: User has complete access to the submitted data, the form builder, and the form’s settings.

Grant each user the lowest level that covers their job: staff who only review submissions need View only, and Form Admin should be limited to the people responsible for building and configuring the form, since that level also controls the security settings described above.

For more information on setting permissions, check out our Permissions FAQs doc.

Form security isn’t the only Formstack feature that can benefit healthcare professionals. Click below to learn more about Formstack’s top healthcare solutions.