HIPAA Compliance

HIPAA Compliance

Is there an additional charge for HIPAA compliance?

There is no additional charge. The platform as a whole provides HIPAA compliant functionality for you to use. Create compliant forms under any forms2 subscription.

Are we limited to specific forms?

Any form that you create can be HIPAA compliant. We provide “Is Personal Data” checkboxes for every form field, allowing you to specify what data falls under “Protected Health Information (PHI)”. When checked, these fields are anonymised at all points of export from the system.

Are form fields set in stone?

While we provide example Forms that you can use immediately, all Forms can be customised (or created from scratch) as desired. Simply ensure that any Protected Health Information (PHI) fields in your Form design make use of our “Is Personal Data” option.

What has forms2 done to meet HIPAA requirements?

forms2 has undertaken a number of initiatives to meet HIPAA requirements:
Business Associate Agreement (BAA) forms2 has drawn up a Business Associate Agreement (BAA) stating our HIPAA compliance, allowing you to collect PHI through your forms2 forms.

Encryption of data at rest and in transit

All data stored within the forms2 Platform is encrypted on our servers, be this within a database, storage service, or file backups. All data transport between servers, services and/or devices (both internally and externally) occur exclusively over SSL encrypted transport protocols. “Is Personal Data” flags for data entities in the platform (e.g. forms and data sources) 

The forms2 Platform provides checkbox options to allow forms2 customers to flag/identify data fields that contain personal data. This, in turn, allows the forms2 Platform to anonymise these fields when data leaves the forms2 Platform (e.g. via manual export, connector integrations, and/or the forms2 Platform API).

Careful vetting of sub-processors

Each sub-processor of forms2 is vetted by our team in the areas of security, contractual terms, data processing agreements, and EU standard contractual clauses / Privacy Shield.

What is a Business Associate Agreement (BAA)?

forms2 has drawn up a Business Associate Agreement (BAA) stating our HIPAA compliance, allowing you to collect PHI through your forms2 forms.

Who is a Controller or a Processor?

forms2 customers decide the nature of data being captured and stored, and they choose which individuals interact with the forms2 Platform (thus, in turn, whose personal data is captured and processed). It is thus you, as a forms2 customer, that legally acts as the “Controller”.

forms2 provides the means (the forms2 Platform) for forms2 customers to capture data and interact with their respective users, clients, and other parties. As such, forms2 is only processing personal data for, and on behalf of, forms2 customers as a “Processor”.

The only case where forms2 acts as a Controller is during a limited set of direct interactions with forms2 customers (these being governed by the forms2 Privacy Policy).

What types of Personal Data does the forms2 Platform process?

For registered users on the platform, basic contact information is processed (i.e. direct identifiable personal data such as e-mail addresses or name) as well as minimal device information, connection information, and geolocation.

While it’s not up to us to control what data we receive, this can include items such as contact information, IP addresses, and other data.

We process customer-submitted data as part of our contractual obligation to our customers and in accordance with applicable laws.

Does the forms2 Platform utilise sub-processors? Show me the list?

We use certain sub-processors to assist in providing the forms2 platform to customers. A sub-processor is a third-party data processor engaged by forms2, that has or potentially will have access to or process customer data (which may include personal data).

How long does personal data remain on the forms2 Platform?

All personal data relating to a user is either deleted or anonymised within 7 days of the user deletion action. The 7 day period allows for fast recovery if the deletion was accidental.
For the avoidance of doubt, deactivation of a user account does not remove the account or its personal data; the account is simply archived.
All other data entities
This is determined and configured by forms2’s customers, based on their own agreements with data subjects in turn. The forms2 Platform provides customers with functionality to delete data entities as needed.
forms2 backups
Backups are performed on a regular basis and are kept in encrypted, secure storage for up to 60 days. This means that items deleted in production environments are available for restoration from backups for up to 60 days thereafter.
forms2 test/development environments
Data is occasionally extracted from production to development/testing environments for support, testing and debugging purposes. When this occurs, personal data is anonymised in order to assure privacy.

Who has access to personal data stored on the forms2 Platform?

Personal data stored on the forms2 Platform may be visible to:
forms2 employees & contractors
All employees & contractors are trained and contractually committed to following forms2’s privacy, security, and data protection practices.
We work with carefully selected services to provide aspects of the forms2 platform and may process data with these services as necessary to provide forms2 platform services.
Other third parties if required by applicable law or where forms2 has a good-faith belief that such disclosure is reasonably necessary to:
(a) protect the safety of any person from death or serious bodily injury, or
(b) prevent fraud or abuse
Access only occurs to the extent and limited to such personal data as necessary for that specific purpose of the respective party.

Where is personal data stored?

The forms2 Platform is hosted in Europe. All customers are hosted exclusively within our West Europe (Amsterdam & Dublin) datacenters. forms2 also provides software features to forms2 customers, which allows them to anonymise personal data upon export out of the forms2 Platform.

Is data processed by forms2 used for direct marketing or automated decision making?

Registered administrator users may be contacted by forms2 with news or offers about the forms2 Platform. This communication can be unsubscribed at any time by the user.
forms2 does not use personal data processed through the forms2 Platform for direct marketing purposes, nor does the forms2 Platform employ automated decision-making processes/techniques which create or deny rights to individual persons.
We only process personal data under instruction and under control of the forms2 customer for the purpose of the forms2 Platform solution.