This feature is available to organizations on the Enterprise plan.
Cognito Forms offers HIPAA compliance through business associate agreements, making it easy to build medical forms for new patient registrations, appointment scheduling, refill requests, patient satisfaction surveys, and even online bill payment.
In preparation for establishing a BAA with Cognito Forms, please take note of the following terms and stipulations:
- Encryption - All forms for HIPAA-compliant customers will be encrypted at rest. If you have existing forms that are not currently encrypted, they will be encrypted as soon as the BAA is established. All new forms will be automatically encrypted at rest (including any files uploaded via the File Upload field).
- Support User - You will no longer be able to add the Cognito Support user to your HIPAA-compliant organization. Support for form designs will be provided through standard email support and template sharing, but not through direct access by Cognito Forms team members.
- Timeouts - User timeouts will change from 8 hours to 1 hour to increase the security for sensitive PHI. Automatic locking of screens and other computer security measures should still be employed, but this adds an additional layer of protection.
- Emails - Email notifications should be reviewed to ensure they are HIPAA-compliant. PHI should be marked as protected to prevent transmission via email unless patients have signed a waiver allowing for transmission of PHI via email for communication purposes.
- Integrations - If you are using Zapier to integrate with other cloud services, you need to contact Zapier to see if they will extend a BAA covering these integrations. Our communication with Zapier is encrypted, but Zapier does not fall under our BAA, as you must establish a separate user agreement to use their service. JSON post should be used as an alternative to Zapier whenever possible for secure integration with other systems.
- Not an EMR - Cognito Forms is not an Electronic Medical Record system and does not track patients as individuals. While sensitive PHI may be collected securely through Cognito Forms, information that should be considered part of a patient's Legal Health Record should be transferred (either manually or automatically) into a system that supports tracking of this information by patient and meets the availability requirements necessary for providing patient care during emergencies.
- Plan - Your organization must be on the Cognito Forms Enterprise plan (and not a trial) in order to enter into a BAA. There is no additional cost associated with obtaining the BAA beyond this monthly subscription plan.
- Copying forms - When copying forms into a HIPAA-compliant organization, certain form settings will be copied over, but disabled until you re-enable them. Please refer to our FAQ for more information.
Please note that the individual signing the BAA needs to be an owner and someone with the authority to sign legally binding contracts for their organization.
To enter into a business associate agreement with Cognito Forms:
- Click on your organization's name in the top right, and then click the settings icon to access your organization's settings.
- Click on Plan in the left-hand navigation, or scroll to the Plan section.
- From your plan settings, click the Sign our BAA to get started link.
- Review the BAA as written in the dialog, then provide your title and signature at the bottom of the agreement and click the I Agree button.
- You will see a message indicating that you have successfully entered into a BAA with Cognito Forms, as well as the option to download a PDF copy of your agreement. You will also receive a copy of your agreement via email.
- Your plan settings will now reflect your BAA status. From here, you can exit your agreement by clicking the Exit your BAA link. You can also download a copy of your BAA at any time from the Cognito Forms BAA link.
If you have any questions about establishing a BAA with Cognito Forms, please contact us.