HIPAA Compliance and Security Features

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law designed to protect the privacy and security of patients’ sensitive health information. ProntoForms offers configuration options to help covered entities meet their HIPAA compliance requirements. ProntoForms undergoes an annual SOC 2 and HIPAA Security Rule audit by a third party to attest to the suitability of the design and operating effectiveness of our controls relevant to security, availability, and confidentiality.

Recommendations and best practices

ProntoForms helps support your HIPAA compliance, but using the ProntoForms service does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of ProntoForms services aligns with HIPAA and the HITECH Act. The following sections provide recommendations and best practices for configuring ProntoForms to maintain HIPAA compliance.

Implement robust internal controls

Implement robust internal controls regarding general ProntoForms system access and system usage.

What ProntoForms Does: ProntoForms provides the ability to configure a password policy or enable single sign-on (SSO) using SAML 2.0 and a number of common identity providers.
Recommendation: Configure your password policy or authentication scheme to comply with HIPAA requirements.
Useful Links and Notes: Configure a Password Policy; Setting up SSO; Logging in with SSO

What ProntoForms Does: User accounts will be locked automatically after ten failed login attempts, which prevents the user from logging in, accessing, completing, or sending forms.
Recommendation: No action required.
Useful Links and Notes: User Account Lockout

What ProntoForms Does: ProntoForms provides the ability to configure a maximum session length, after which users will be forced to reauthenticate.
Recommendation: Configure the maximum session length per your organization’s policies and HIPAA requirements.
Useful Links and Notes: Session Length

What ProntoForms Does: ProntoForms offers three different user roles (Mobile-only User, User, and Admin). We also provide the ability for your organization to assign users to groups that have permissions to view selected forms or FormSpaces.
Recommendation:
  1. Assign users to the appropriate role required for their job function.
  2. Configure groups to allow users access to specific forms or FormSpaces.
  Note: User accounts are intended for use by employees of covered entities; they should not be provided to patients who have rights under HIPAA. Customer Feedback Forms may be used to collect PHI; however, patients who have rights under HIPAA should not be permitted to complete the form using their own mobile devices.
Useful Links and Notes: User Roles; Managing Groups; FormSpace Permissions

Remove user accounts

Remove user accounts for users who have been terminated.

What ProntoForms Does: ProntoForms provides the ability for customers to configure user permissions and remove users.
Recommendation: Manage and delete user accounts based on your organization’s policies.
Useful Links and Notes: User Permissions; Managing Users

Protect data during transmission

Protect data being transmitted to and from the ProntoForms system.

What ProntoForms Does: Data within the ProntoForms system is encrypted in transit and at rest. Data transmitted between mobile applications uses TLS 1.2 or higher encryption. Data stored on our servers is protected using AES-256 encryption. Data stored on mobile devices is protected using native encryption provided that a passcode is enforced.
Recommendation:
  1. Ensure that data sent to and from the ProntoForms system (via Data Sources and Data Destinations) is adequately protected outside of ProntoForms.
  2. Enforce a passcode on your organization’s devices.
Useful Links and Notes: Enforce a Passcode

What ProntoForms Does: ProntoForms servers are hosted by AWS and located in the United States. When Data Passthrough is enabled, no submitted form data will be saved in the ProntoForms system – only a record of where the data went. Enabling this feature may limit ProntoForms Support in their ability to assist you.
Recommendation:
  1. If desired, enable Data Passthrough for forms that contain sensitive information.
  2. If using shared devices, consider enabling In Memory Forms.
Useful Links and Notes: Data Passthrough; In Memory Forms

What ProntoForms Does: With the recommended Form Settings configured, images captured in the ProntoForms app are not saved to the user's camera roll. All images and signatures are deleted from the device once the form is successfully submitted and processed.
Recommendation: Make sure the option to save images on devices is not enabled.
Useful Links and Notes: Image Options

What ProntoForms Does: ProntoForms provides the ability to customize how long completed form submissions are stored in the Sent box on mobile devices.
Recommendation: When configuring your forms, enter “0” to disable the storage of form submissions in the Sent box. This ensures that no part of the form remains stored on the device.
Useful Links and Notes: Days in Sent Box

What ProntoForms Does: ProntoForms provides the opportunity to configure Data Destinations if desired.
Recommendation: Bear in mind your compliance requirements when configuring Data Destinations. Include only the destinations that are needed and ensure that your destinations have adequate safeguards in place to meet your compliance needs. Using email destinations is generally not recommended.
  Perform an assessment of the security controls of the cloud storage provider or content management service for its suitability for use in healthcare. Cloud storage services should only be used if a business associate agreement is entered into with the service provider.
  Note: A cloud service that claims to support your HIPAA compliance can be used in a manner that violates HIPAA rules, as HIPAA compliance depends on the people that use the product or service rather than the product or service itself.
Useful Links and Notes: Creating and Managing Data Destinations
  Note: ProntoForms is not responsible for the security practices of third-party organizations who provide Data Destinations. You must verify that a Data Destination meets your compliance requirements before you configure the destination.
  If you have HIPAA compliance requirements, you should not use Email or SMS Data Destinations.
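The recommendations in this section (no Email or SMS Data Destinations, encrypted transport outside ProntoForms, no retention in the Sent box, no images saved to the device, Data Passthrough for forms holding PHI) can be checked mechanically before a form goes live. The script below is an added example and is not ProntoForms code: the JSON layout and every field name in it (form_name, contains_phi, data_passthrough, days_in_sent_box, save_images_to_device, destinations) are assumptions standing in for whatever export or inventory your organization keeps, and the sample configuration is constructed for illustration. It goes slightly beyond the text by also requiring HTTPS on HTTP destinations and by building a TLS 1.2 floor for any client that contacts them, matching the transport floor this article states for ProntoForms' own traffic.

```python
"""Audit a form configuration against the HIPAA recommendations above.

Example code, not part of ProntoForms. The JSON layout and field names
are hypothetical; adapt them to your own configuration inventory.
"""
import json
import ssl
from urllib.parse import urlparse

# Constructed sample configuration (not a real export). It deliberately
# mixes acceptable and unacceptable settings so every check fires once.
SAMPLE_CONFIG = json.dumps({
    "form_name": "Patient Intake",
    "contains_phi": True,
    "data_passthrough": False,
    "days_in_sent_box": 7,
    "save_images_to_device": True,
    "destinations": [
        {"name": "EHR upload", "type": "http", "url": "https://ehr.example.org/intake"},
        {"name": "Clinic inbox", "type": "email", "address": "intake@example.org"},
        {"name": "Legacy feed", "type": "http", "url": "http://legacy.example.org/feed"},
        {"name": "On-call text", "type": "sms", "number": "+15555550100"},
    ],
})

# Destination types the article says not to use under HIPAA requirements.
DISALLOWED_DESTINATION_TYPES = {"email", "sms"}


def audit_form(config_json: str) -> list[str]:
    """Return one finding per violated recommendation; empty list means clean."""
    cfg = json.loads(config_json)
    findings = []

    for dest in cfg.get("destinations", []):
        name = dest.get("name", "<unnamed>")
        kind = dest.get("type", "").lower()
        if kind in DISALLOWED_DESTINATION_TYPES:
            findings.append(f"destination '{name}': {kind} destinations should not carry PHI")
        elif kind == "http":
            # Data leaving ProntoForms must stay encrypted in transit.
            scheme = urlparse(dest.get("url", "")).scheme.lower()
            if scheme != "https":
                findings.append(f"destination '{name}': URL is not HTTPS")

    if cfg.get("days_in_sent_box", 0) != 0:
        findings.append("days_in_sent_box is not 0: submissions remain on the device")

    if cfg.get("save_images_to_device", False):
        findings.append("save_images_to_device is enabled: images would persist on the device")

    if cfg.get("contains_phi") and not cfg.get("data_passthrough"):
        findings.append("form contains PHI but Data Passthrough is disabled: consider enabling it")

    return findings


def tls_client_context() -> ssl.SSLContext:
    """Client context for reaching HTTPS destinations; refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for finding in audit_form(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed sample it reports six findings (the HTTPS EHR destination is the only clean item). Treat the Data Passthrough finding as advisory: the article presents that setting as optional and notes it limits what ProntoForms Support can see.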

Implement a business continuity and disaster recovery plan

What ProntoForms Does: ProntoForms maintains an SLA of 99.5% uptime. We back up your data to our disaster recovery region daily and simulate disaster recovery quarterly.
Recommendation: Implement your own Business Continuity and Disaster Recovery plan for other aspects of your business. Subscribe to ProntoForms Status page updates.
Useful Links and Notes: Status page

Considerations for Covered Entities

Business Associate Agreements (BAAs) are mandated by the HIPAA Security Rule. BAAs consist of information regarding the permissible and impermissible uses of PHI between two HIPAA-beholden organizations. That can include relationships between a Covered Entity and a Business Associate, as well as relationships between two Business Associates. For more information on putting a Business Associate Agreement in place with ProntoForms, please contact infosec@prontoforms.com.
