Cognito Forms offers HIPAA compliance through business associate agreements, making it easy to build medical forms for new patient registrations, appointment scheduling, refill requests, patient satisfaction surveys, and even online bill payment.

Summary

In preparation for establishing a BAA with Cognito Forms, please take note of the following terms and stipulations:

• Encryption – All forms for HIPAA-compliant customers will be encrypted at rest. If you have existing forms that are not currently encrypted, they will immediately be encrypted moving forward after establishing the BAA. All new forms will be automatically encrypted at rest (including any files uploaded via the File Upload field).
• Support – Support for form issues will be provided through standard email support and template sharing, but not through direct access by Cognito Forms team members.
• Timeouts – User timeouts will change from 8 hours to 1 hour to increase the security for sensitive PHI. Automatic locking of screens and other computer security measures should still be employed, but this adds an additional layer of protection.
• Emails – Email notifications should be reviewed to ensure they are HIPAA-compliant. PHI should be marked as protected to prevent transmission via email unless patients have signed a waiver allowing for transmission of PHI via email for communication purposes.
• Integrations – Cognito Forms agrees to enter into written contracts with any agent or independent contractor that creates, receives, maintains, or transmits PHI on behalf of the Cognito Forms with regard to services provided by Cognito Forms pursuant to the Agreement (collectively, “Subcontractors”). Such contracts shall obligate Subcontractor to abide by substantially the same terms and conditions as are required of Cognito Forms under this BAA.
• Not an EMR – Cognito Forms is not an Electronic Medical Record system and does not track patients as individuals. While sensitive PHI information may be collected securely through Cognito Forms, information that should be considered part of a patient’s Legal Health Record should be transferred (either manually or automatically) into a system that supports tracking of this information by patient and meets the availability requirements necessary for providing patient care during emergencies.
• Plan – Your organization must be on the Cognito Forms Enterprise plan (and not a trial) in order to enter into a BAA. There is no additional cost associated with obtaining the BAA beyond this monthly subscription plan.
• Copying forms – When copying forms into a HIPAA-complaint organization, certain form settings will be copied over, but disabled until you re-enable them. Additionally, you cannot copy any associated form entry data. Please refer to our help topic for further details.
• Workflow links – Workflow links sent to known users (like employees of the business) are HIPAA compliant when sent to an email address that supports end to end encryption, like Office 365. Over 90% of email accounts support end-to-end encryption. Workflow links may be sent to patients if and only if they have opted into email-based communication of their data via a signed consent form.

Establishing a BAA

To enter into a Business Associate Agreement with Cognito Forms:

1. Select your organization’s name in the top left and then select Settings.
2. Click on Plan in the left-hand navigation, or scroll to the Plan section.
3. From your plan settings, click the Sign our BAA to get started link.
4. Review the BAA as written in the dialog, then provide your title and signature at the bottom of the agreement and click the I Agree button.
5. You will see a message indicating that you have successfully entered into a BAA with Cognito Forms, as well as the option to download a PDF copy of your agreement. You will also receive a copy of your agreement via email.
6. Your plan settings will now reflect your BAA status. From here, you can exit your agreement by clicking the Exit your BAA link. You can also download a copy of your BAA at any time from the Cognito Forms BAA link.

If you have any questions about establishing a BAA with Cognito Forms, please contact us.