HIPAA and Gravity Forms

Introduction

When looking into HIPAA requirements for a website, we often get asked “Is Gravity Forms HIPAA compliant?”. The question is rarely that simple, as much of compliance is dependent upon other factors. Your website host, storage environment, plugin choices, data management and information handling workflows, permission management and staff access will play a much larger part in such a determination.

This article outlines a few basics of HIPAA guidelines and covers the few areas that Gravity Forms may affect. It is not legal advice, is not an exhaustive statement, and should not be taken as a binding or authoritative word on any of these topics. If compliance is business critical for you, seek the help of an appropriate professional.

Basics Of Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets out the following main requirements for the handling and management of electronic protected health information (ePHI) as they pertain to compliance:

  1. Transport Encryption: Always encrypted during transmission over the Internet.
  2. Backup: PHI is never lost. It should be backed up regularly and be recoverable when needed.
  3. Authorization: Accessibility to data is by authorized personnel using unique, audited access controls.
  4. Integrity: The ePHI is not tampered with or altered during any process. If it is, you should be able to tell.
  5. Storage Encryption: Encryption is required during data storage.
  6. Disposal: ePHI can be permanently disposed of when no longer needed.
  7. Omnibus/HITECH: Your data host for ePHI is an organization with whom you have a HIPAA Business Associate Agreement (or you secure your in-house servers properly as per the HIPAA security requirements).

Relation to Gravity Forms

Gravity Forms does not transmit the data your forms collect to us or to any third party by default, nor do we store any of that data on our own servers or infrastructure. Where your data is sent, and where it is stored, is controlled by the website administrator. This places many of the requirements listed above outside the scope of the Gravity Forms product design itself.

The most common compliance areas we are asked about for Gravity Forms as it relates to HIPAA are:

  • Is Gravity Forms compliant for transport encryption?
  • Is Gravity Forms compliant for storage encryption?
  • Does Gravity Forms meet the data integrity guidelines?
  • Will you sign a business associate agreement?

We address each of those topics below:

Transport Encryption

Transport encryption is dependent upon your environment, and outside the scope of Gravity Forms product design.

Your use of a current and properly set up security certificate, and the location of your website host and database storage components, are the major factors here. Gravity Forms does not enforce any requirements on this setup.

See the Third Party Add-Ons section below.

Storage Encryption

This is an area where Gravity Forms product design may impact compliance. If you require this for your solution, it is important to note that:

By default, the data collected by Gravity Forms is not encrypted during storage.

If required, encryption of data at rest would need to be provided by an add-on or by custom code. See the Third Party Add-Ons section below.

Data Integrity

The ability to verify that your data has not been modified or tampered with depends more on the options you choose for transport and storage encryption. Nothing in the Gravity Forms product design for form data storage is intended to provide a verifiable checksum for entry data.
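The two sections above (storage encryption and data integrity) can be addressed together with authenticated encryption: a stored value is then unreadable in the database and any alteration of it is detected when it is read back. The following is an added example written for this article, not code from Gravity Forms or from any of the add-ons listed below. It hooks the Gravity Forms filters gform_save_field_value (applied as an entry value is written) and gform_get_input_value (applied as it is read) and uses PHP's sodium extension. Everything else is an assumption: the key constant name GF_ENTRY_ENCRYPTION_KEY_HEX, the convention of marking protected fields with the CSS class "ephi" in the form editor, and the prefix used to recognise encrypted values.

```php
<?php
/**
 * Added example (not Gravity Forms' own code): encrypt selected field values
 * at rest with authenticated encryption (XSalsa20-Poly1305 via sodium), so the
 * stored value is unreadable in the database and detectably tampered with.
 *
 * Assumptions, not taken from the article:
 *  - A 32-byte key is defined outside the database, e.g. in wp-config.php:
 *      define( 'GF_ENTRY_ENCRYPTION_KEY_HEX', bin2hex( sodium_crypto_secretbox_keygen() ) );
 *    Generate it once, keep it out of version control, and back it up separately
 *    from the database: without the key the entries cannot be recovered.
 *  - Fields to protect carry the CSS class "ephi" (set in the form editor).
 *  - PHP 7.2+ with the sodium extension, running inside WordPress.
 */

const EPHI_PREFIX = 'ephi:v1:';   // marks values written by this code (hypothetical format)

function ephi_key(): string {
    if ( ! defined( 'GF_ENTRY_ENCRYPTION_KEY_HEX' ) ) {
        throw new RuntimeException( 'GF_ENTRY_ENCRYPTION_KEY_HEX is not defined' );
    }
    $key = hex2bin( GF_ENTRY_ENCRYPTION_KEY_HEX );
    if ( $key === false || strlen( $key ) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES ) {
        throw new RuntimeException( 'Encryption key must be 32 bytes (64 hex characters)' );
    }
    return $key;
}

function ephi_encrypt( string $plaintext ): string {
    // A fresh random nonce per value; it is stored alongside the ciphertext.
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = sodium_crypto_secretbox( $plaintext, $nonce, ephi_key() );
    // The Poly1305 tag inside $box is the integrity check verified on decrypt.
    return EPHI_PREFIX . base64_encode( $nonce . $box );
}

// Returns the plaintext, false if the value was altered (or the key is wrong),
// or the input unchanged if it was not written by ephi_encrypt().
function ephi_decrypt( string $stored ) {
    if ( strpos( $stored, EPHI_PREFIX ) !== 0 ) {
        return $stored; // e.g. entries saved before this code was active
    }
    $raw = base64_decode( substr( $stored, strlen( EPHI_PREFIX ) ), true );
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ( $raw === false || strlen( $raw ) < $min ) {
        return false;
    }
    $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    return sodium_crypto_secretbox_open( $box, $nonce, ephi_key() );
}

function ephi_field_is_protected( $field ): bool {
    $classes = isset( $field->cssClass ) ? preg_split( '/\s+/', trim( (string) $field->cssClass ) ) : array();
    return in_array( 'ephi', $classes, true );
}

// Encrypt before the value is written to the entry meta table.
add_filter( 'gform_save_field_value', function ( $value, $entry, $field, $form, $input_id ) {
    if ( ephi_field_is_protected( $field ) && is_string( $value ) && $value !== '' ) {
        return ephi_encrypt( $value );
    }
    return $value;
}, 10, 5 );

// Decrypt, and verify integrity, when the value is read back for display or export.
add_filter( 'gform_get_input_value', function ( $value, $entry, $field, $input_id ) {
    if ( ! ephi_field_is_protected( $field ) || ! is_string( $value ) ) {
        return $value;
    }
    $plain = ephi_decrypt( $value );
    if ( $plain === false ) {
        // Surface a tampered or corrupted value instead of silently showing garbage.
        error_log( sprintf( 'ePHI integrity check failed: entry %s, input %s', $entry['id'] ?? '?', $input_id ) );
        return '[integrity check failed]';
    }
    return $plain;
}, 10, 4 );
```

Two limitations a practitioner should weigh before relying on this pattern: encrypted values cannot be searched or filtered from the entries list, and a key held in wp-config.php on the same server as the database only protects against exposure of the database itself (backups, a leaked dump), not against an attacker who already has code execution on the web server. The submitted value also still passes through the web server in plaintext before the save hook runs, so this is a storage control, not a substitute for the transport encryption and host controls discussed above.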

Business Associate Agreements

As we do not host or store your collected form data on your behalf, we will not sign any such agreements. This is a conversation to be had with your website host or data services provider.

Third Party Add-Ons

Some of the functionality mentioned above may be provided by third party add-ons. Below is a non-definitive list of a few we have been made aware of. Installing any or all of them is still no guarantee of compliance. The burden of providing (and being able to prove) compliance is on you.

Disclaimer: Third-party services, plugins, or code snippets that are referenced by our Support documentation or in Support Team communications are provided as suggestions only. We do not evaluate, test or officially support third-party solutions. You are wholly responsible for determining if any suggestion given is sufficient to meet the functional, security, legal, ongoing cost and support needs of your project.

Feedback, feature and integration requests, and other functionality ideas can be submitted on our Gravity Forms, Gravity Flow, or Gravity SMTP product roadmap pages.

HIPAA Forms by Code Monkeys.

Gravity Forms Encrypted Fields by PluginOwl. You can find it at https://codecanyon.net/item/gravity-forms-encrypted-fields/18564931


References

These articles were used as references during our research into this topic. They will most likely contain useful information for you.