ProntoForms enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to use ProntoForms to process and transmit protected health information (PHI). This article explains how to set up ProntoForms to ensure that your use of the product is HIPAA compliant.
This section discusses how data is encrypted on both the ProntoForms application and the servers.
- Data transmitted between the ProntoForms mobile applications and servers is encrypted using Transport Layer Security (TLS).
- Information stored on ProntoForms servers is encrypted with AES-256.
- Data on the iOS and Android mobile devices is encrypted as long as a passcode is enforced, while information stored on the native application leverages the functionality of the mobile operating systems to encrypt stored data, requiring no manual configuration by the customer.
Configure a Password Policy: Keep up best practices for security with ProntoForms' configurable password policy. Provide users with requirements for passwords such as character length and special characters, and prohibit the use of easily-guessed phrases, such as a user's login name. For more information on ProntoForms Password Policies, please read our documentation: Configure a Password Policy
Session Length: After authenticating to the ProntoForms web portal or mobile app, users can be forced to reauthenticate if there is no activity for a designated amount of time. For more information, please read our documentation: Session Length
Log in Using Single Sign-On: ProntoForms provides Security Assertion Markup Language (SAML) based Single Sign-On (SSO). This allows users to use their corporate credentials to log in -- they do not need to maintain separate ProntoForms login information. ProntoForms SSO can be used with a number of identity providers, including LastPass, OneLogin, and Active Directory. For more information, please read our documentation: Set Up Single Sign-On and Log in Using Single Sign-On
Beyond ease of login, enabling SAML on a team provides extra security features:
- Organizations can easily manage all user credentials through a single identity provider.
- Organizations can set a maximum session length for ProntoForms, so users are required to re-authenticate after a set period.
Mass Password Deletion: With SAML/SSO enabled, users can sign into ProntoForms using their corporate credentials. To limit users to signing in using Single Sign-On, a team admin can mass clear the ProntoForms passwords of users on their team. For more information, please read our documentation: Mass Password Deletion
User Account Lock Out: in the interests of keeping your data safe, user accounts will be locked after ten consecutive failed password attempts. This will prevent these users from logging in or accessing, filling out, or sending forms. For more information on user lockouts, please read: User Account Locked Out
Managing Groups: ProntoForms users must be assigned to groups in order to have access to forms. Forms and permissions are assigned at the group level, rather than on a per user basis. On their mobile devices, users can only access forms (and use the associated data sources, resources, and destinations) that their group is assigned to. For more information on groups, please read: Managing Groups
FormSpaces and FormSpace Permissions: FormSpaces are essentially folders where sets of forms are kept. Access to particular FormSpaces is controlled by Groups. They are yet another tool to control access to forms and form data. For more information, please read: FormSpace Permissions
User Permissions: ProntoForms supports a wide variety of permissions to keep your data secure. For more information, please read: User Permissions
Form Properties and Settings
Enable Data Record Passthrough: If selected, no submitted form data will be saved in the ProntoForms system, only a record of where the data went. Enabling this feature is a major step towards HIPAA compliance, but does limit ProntoForms Support in their ability to assist customers. For more information, please read: Data Record Passthrough
Save photos captured in app to the user's camera roll: This feature is disabled by default in the V2 form builder, meaning that all images and signatures are deleted from the device once the form submission is successfully submitted and processed. For more information, please read: Form Settings: Image Options
Days in Sent Box: This is how long form submissions will be held in the Sent box. To remove restrictions, leave the field blank. You may also disable the Sent Box entirely by de-selecting 'Display submitted forms in the Sent box of the mobile app'. For more information, please read: Form Settings: Sent Box