5 Questions to Ask Before You Buy a HIPAA Compliant Form Builder

Written by Clint Buechler on July 31, 2018

Posted in Healthcare, IT + Security

Searching for a HIPAA compliant form builder can be a very tedious task. You want to be sure you’re making the right choice because violating the Health Insurance Portability and Accountability Act (HIPAA) can cost you millions of dollars.

There are many form builders out there claiming to meet HIPAA compliance standards, but how can you be sure your online forms and patients’ sensitive data are in safe hands? Before you commit to any form builder, ensure you understand how your data will be managed.

Here’s a list of 5 key questions you should ask when evaluating HIPAA compliant form builders.

1. Do you have an option for a custom BAA?

A business associate agreement, often referred to as a BAA, is a contract between a HIPAA covered entity (you, the healthcare provider) and a business associate that handles protected health information (PHI) on your behalf (your form builder). The BAA outlines how your form builder is permitted to use the PHI it collects, what safeguards it has put in place to protect that PHI, and what happens if your data is breached.

Every organization is different and requires different levels of protection. Many form builders will have a standard BAA that may meet most of your needs, but if you want to make sure you’re completely covered, you’ll want a custom BAA that is designed to meet your specific requirements.

2. Have you been audited by a third-party vendor?

Before buying a car, you may ask a mechanic to look it over. The same should be done for form builders. Some form builders will claim to be HIPAA compliant because they’ve completed internal audits and believe they’ve set up the proper safeguards, but it’s always best to get a second opinion. Ask to see proof of an audit. Knowing your form builder was audited by an outside vendor shows that they’re serious about keeping your data safe. If they haven’t completed an audit by a third party, it could be a red flag.

3. How is my data stored in your database?

Your data is your most valuable asset, and you need to make sure it is protected both when it is moving between systems and when it is sitting in the database. Be sure your form builder serves its forms and accepts submissions only over TLS (the successor to SSL, still commonly called SSL) so your users are securely connected to its servers, and also check that the builder encrypts your data in its database. Ensuring that your data is always encrypted in transit and at rest is essential for any form builder you choose.
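To make "encrypted at rest" concrete, here is an added example (not Formstack's code or any vendor's implementation) of how a form back end might seal each submission before writing it to a database: the response is serialised and encrypted with AES-256-GCM, and the form ID is bound as associated data so a stored record cannot be silently swapped onto another form or modified without the decryption failing. The `Submission` type, field names and the fixed demo key are constructed for illustration; a real deployment would hold the key in a KMS or HSM, not in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Submission is a constructed example of one form response containing PHI.
type Submission struct {
	FormID string            `json:"form_id"`
	Fields map[string]string `json:"fields"`
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSubmission serialises the submission and seals it for storage.
// Output layout: nonce || ciphertext || GCM tag. The form ID is bound as
// associated data, so the record only decrypts under the same form ID.
func EncryptSubmission(key []byte, s Submission) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := json.Marshal(s)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record is mandatory for GCM; reuse breaks it.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(s.FormID)), nil
}

// DecryptSubmission opens a stored record. Any tampering with the record, or
// presenting it under a different form ID, makes gcm.Open return an error.
func DecryptSubmission(key []byte, formID string, record []byte) (Submission, error) {
	var s Submission
	gcm, err := newGCM(key)
	if err != nil {
		return s, err
	}
	ns := gcm.NonceSize()
	if len(record) < ns+gcm.Overhead() {
		return s, errors.New("record too short to be a sealed submission")
	}
	plaintext, err := gcm.Open(nil, record[:ns], record[ns:], []byte(formID))
	if err != nil {
		return s, fmt.Errorf("record failed authentication: %w", err)
	}
	if err := json.Unmarshal(plaintext, &s); err != nil {
		return s, err
	}
	return s, nil
}

func main() {
	// Constructed demo key; in production this comes from a KMS/HSM.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	s := Submission{FormID: "intake-42", Fields: map[string]string{"name": "Jane Doe", "dob": "1980-01-01"}}
	rec, err := EncryptSubmission(key, s)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record is %d bytes; plaintext never touches the database\n", len(rec))
	back, err := DecryptSubmission(key, "intake-42", rec)
	fmt.Println("decrypted name:", back.Fields["name"], "err:", err)
	_, err = DecryptSubmission(key, "other-form", rec)
	fmt.Println("same record under a different form ID ->", err)
}
```

The point for a buyer is the questions this code answers: where the key lives (not beside the data), whether each record gets its own nonce, and whether decryption fails closed when a record is altered. A vendor that encrypts at rest should be able to describe its answers to the same three points.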

4. Do you have a dedicated security team?

Checking if the form builder has a dedicated security team will tell you how important HIPAA compliance is to them. If they don’t have a dedicated team that can respond to breaches immediately, you could be in the dark when something happens to your data. You want to make sure your sensitive data is being monitored 24/7 and a team is always ready to respond in case of an emergency.

5. What happens if my data is breached?

Be sure you know who is responsible if there is a security breach. Discuss the scenarios in which your form builder will be held responsible and those in which you will take responsibility. Make sure the scenarios you discuss are outlined in the BAA you sign so that they are documented for reference. This step is incredibly important if there is ever a HIPAA compliance violation. Make sure you feel comfortable with the agreement.

Asking the questions above will help you while searching for a HIPAA compliant form builder. Interested in how Formstack answers the above questions? Check out the information on our HIPAA compliance forms, or click below to contact our sales team and ask them in person.