- Data Encryption on the ProntoForms App
- User Authentication
- Users and Permissions
- Form Properties and Settings
- Data Destinations
ProntoForms helps support your HIPAA compliance, but using the ProntoForms service does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of ProntoForms services aligns with HIPAA and the HITECH Act.
Business Associate Agreements (BAAs) are mandated by the HIPAA Security Rule. BAAs consist of information regarding the permissible and impermissible uses of PHI between two HIPAA-beholden organizations. That can include relationships between a Covered Entity and a Business Associate, as well as relationships between two Business Associates. For more information on putting a Business Associate Agreement in place with ProntoForms, please contact firstname.lastname@example.org.
The features discussed below may assist you with your compliance program.
This section discusses how data is encrypted on both the ProntoForms application and the servers.
- Data transmitted between the ProntoForms mobile applications and servers is encrypted using Transport Layer Security (TLS).
- Information stored on ProntoForms servers is encrypted with AES-256.
- Data on the iOS and Android mobile devices is encrypted as long as a passcode is enforced (i.e. the device can be locked):
- ProntoForms for iOS uses the iOS native encryption to keep your data secure on the device. The information is secure as long as the device is locked.
- ProntoForms for Android encrypts all your data and uses the Android Operating System-provided key-stores to store and protect ProntoForms encryption keys.
Configure a Password Policy: Keep up best practices for security with ProntoForms' configurable password policy. Provide users with requirements for passwords such as character length and special characters, and prohibit the use of easily-guessed phrases, such as a user's login name. For more information on ProntoForms Password Policies, please read our documentation: Configure a Password Policy
Session Length: After authenticating to the ProntoForms web portal or mobile app, users can be forced to re-authenticate if there is no activity for a designated amount of time. For more information, please read our documentation: Session Length
Log in Using Single Sign-On: ProntoForms provides Security Assertion Markup Language (SAML) based Single Sign-On (SSO). This allows users to use their corporate credentials to log in -- they do not need to maintain separate ProntoForms login information. ProntoForms SSO can be used with a number of identity providers, including LastPass, OneLogin, and Active Directory. For more information, please read our documentation: Set Up Single Sign-On and Log in Using Single Sign-On
Beyond ease of login, enabling SAML on a team provides extra security features:
- Organizations can easily manage all user credentials through a single identity provider.
- Organizations can set a maximum session length for ProntoForms, so users are required to re-authenticate after a set period.
User Account Lock Out: in the interests of keeping your data safe, user accounts will be locked after ten consecutive failed password attempts. This will prevent these users from logging in or accessing, filling out, or sending forms. For more information on user lockouts, please read: User Account Locked Out
Managing Groups: ProntoForms users must be assigned to groups in order to have access to forms. Forms and permissions are assigned at the group level, rather than on a per user basis. On their mobile devices, users can only access forms (and use the associated data sources, resources, and destinations) that their group is assigned to. For more information on groups, please read: Managing Groups
FormSpaces and FormSpace Permissions: FormSpaces are essentially folders where sets of forms are kept. Access to particular FormSpaces is controlled by Groups. They are yet another tool to control access to forms and form data. For more information, please read: FormSpace Permissions
User Permissions: ProntoForms supports a wide variety of permissions to keep your data secure. For more information, please read: User Permissions
Form Properties and Settings
Enable Data Record Passthrough: If selected, no submitted form data will be saved in the ProntoForms system, only a record of where the data went. Enabling this feature is a major step towards HIPAA compliance, but does limit ProntoForms Support in their ability to assist customers. For more information, please read: Data Record Passthrough
Save photos captured in app to the user's camera roll: This feature is disabled by default in the V2 form builder, meaning that all images and signatures are deleted from the device once the form submission is successfully submitted and processed. For more information, please read: Form Settings: Image Options
Days in Sent Box: This is how long form submissions will be held in the Sent box. To remove restrictions, leave the field blank. You may also disable the Sent Box entirely by de-selecting 'Display submitted forms in the Sent box of the mobile app'. For more information, please read: Form Settings: Sent Box
Bear in mind your compliance requirements when configuring data destinations. Include only the destinations that are needed, and ensure that your destinations have adequate safeguards in place to meet your compliance needs. Using email destinations are generally not recommended.
Customers must perform an assessment of the security controls of the cloud storage provider or content management service for its suitability for use in healthcare. Cloud storage services should only be used if a business associate agreement is entered into with the service provider.
It is important to note that a cloud service which claims to support your HIPAA compliance can be used in a manner in that violates HIPAA rules, as HIPAA compliance is reliant on the people that use the product or service rather than the product or service itself.