FormCan allows you to collect personal data with HIPAA compliance. We understand HIPAA laws and how to help your business collect health-related information securely. As part of keeping you compliant, we will provide you with a Business Associate Agreement (BAA) between our company and yours.
Request HIPAA Compliance
Once you have upgraded to Silver or Gold, you will need to request HIPAA compliance from the Team page. FormCan will upgrade all team members’ accounts to be HIPAA compliant. After the system upgrade is complete, the signed BAA will be sent to the team owner’s email box.
Only the forms and submissions in this team are HIPAA compliant. Members may belong to multiple teams, and forms and submission data from other teams are outside the scope of this team's HIPAA compliance. In other words, HIPAA compliance applies per team, not per user.
See User’s Activity
Besides the stronger security controls applied behind the scenes, team members will notice the following changes when they use the system.
Move to a Secure URL
The domain name of all published forms will change from https://form.formcan.com/ to https://secure.formcan.com/. This change also affects the form's embed script, so update every place on your site where the old form URLs or embed scripts appear. Seven days after your account is migrated, the old embed scripts and URLs will stop working. If you use a custom domain, the share URL stays the same; embed scripts, however, always need to be updated.
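The migration step above is easy to miss on a site with many pages. The following script, added here as an illustration and not FormCan's own tooling, scans a directory of HTML and JavaScript files for embed scripts and links that still point at the old host and, with --apply, rewrites them to the secure host. The sample page, the form ID abc123 and the custom-domain name are constructed for the example; matching on the host string alone is an assumption that keeps the rewrite independent of the exact markup FormCan generates.

```python
"""Find (and optionally rewrite) FormCan embed scripts and links that still use
the pre-migration host. Example code added for this page, not FormCan's own."""
import re
import sys
from pathlib import Path

OLD_HOST = "https://form.formcan.com/"
NEW_HOST = "https://secure.formcan.com/"

# Assumption: embed scripts and share links carry the old host inside src= or
# href= attributes (or as a bare URL), so matching the host string is enough.
OLD_HOST_RE = re.compile(re.escape(OLD_HOST))


def find_old_references(text: str) -> list[tuple[int, str]]:
    """Return (line_number, stripped_line) for every line still using the old host."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if OLD_HOST in line]


def migrate_text(text: str) -> tuple[str, int]:
    """Rewrite every old-host URL to the secure host; return (new_text, replacements)."""
    return OLD_HOST_RE.subn(NEW_HOST, text)


def migrate_tree(root: Path, apply: bool = False,
                 suffixes=(".html", ".htm", ".js")) -> dict[str, int]:
    """Scan files under root; return replacement counts per file and rewrite
    them in place when apply=True. Files that are not valid UTF-8 are skipped."""
    report: dict[str, int] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue
        new_text, count = migrate_text(text)
        if count:
            report[str(path)] = count
            if apply:
                path.write_text(new_text, encoding="utf-8")
    return report


# Constructed sample page: one embed script and one share link on the old host,
# plus a custom-domain share link that must be left untouched.
SAMPLE_PAGE = """<p>Apply here:</p>
<script src="https://form.formcan.com/embed/abc123.js"></script>
<a href="https://form.formcan.com/s/abc123">Open form</a>
<a href="https://forms.example-clinic.com/s/abc123">Custom domain link</a>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python migrate_embeds.py /path/to/site [--apply]
        apply = "--apply" in sys.argv[2:]
        for file, n in migrate_tree(Path(sys.argv[1]), apply=apply).items():
            print(f"{file}: {n} reference(s){' rewritten' if apply else ''}")
    else:
        for n, line in find_old_references(SAMPLE_PAGE):
            print(f"line {n}: {line}")
        migrated, count = migrate_text(SAMPLE_PAGE)
        print(f"{count} reference(s) rewritten\n{migrated}")
```

Run it without arguments to see the dry run on the sample page, or point it at your site's document root first without --apply to get a report, then with --apply once the list looks right. The custom-domain link is left alone, as the page describes, while the embed script is rewritten regardless of which domain the form is shared from.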
Automatic Logout After Inactivity
After 15 minutes of inactivity, the page locks automatically, so you don't have to think about it. Users can unlock it with their password.
After 30 minutes of inactivity, the user is logged out automatically. The user is also logged out every time the browser is closed. All HIPAA team members have these settings applied, which also means that "Remember me" on the sign-in page no longer works.
Audit Your Team
As a team owner, you have an additional "Audit" entry on the main menu. On this page you can view the details of your team's sharing, authentication, and access activities. We recommend reviewing these activity reports regularly to spot any unusual activity and help keep your team secure.
On a HIPAA-compliant team's page, you will also find a HIPAA compliance badge.
Encrypted Data Storage
All data storage and transmission within FormCan is encrypted. However, once you share data outside FormCan you need to be extra careful.
- Outbound email. Our email senders are HIPAA compliant. However, notification emails may contain PHI in their submission CSV attachments. It is your responsibility to confirm that the email recipient is the right person and that their email service provider is HIPAA compliant. If unsure, disable email notifications.
- Share link. A share link can be opened without logging in. For HIPAA teams, every share link expires after 72 hours by default. If you cannot predict who will use a link, disable sharing instead.
- Integration with third-party services, such as cloud drives or Zapier. Contact the service provider to confirm that it is HIPAA compliant and that a BAA is available.
For more details, see section 2.7, Account Usage for HIPAA Enabled Team, of our BAA.
To understand how we implement the HIPAA compliance standard, see this document.