Wufoo is not HIPAA compliant because its parent company, SurveyMonkey, does not sign Business Associate Agreements (BAAs). A BAA is required for HIPAA compliance whenever a vendor handles protected health information (PHI), so Wufoo is unsuitable for collecting or storing PHI in a HIPAA-regulated context. Making Wufoo or any similar tool HIPAA compliant would require the steps below, although Wufoo itself cannot fully meet these requirements because no BAA is available. Here’s what would generally be needed to achieve HIPAA compliance with an online form tool:
- Secure Hosting Environment: The platform must be hosted on a secure infrastructure that complies with HIPAA’s Security Rule, ensuring data encryption, regular audits, and robust access control.
- Business Associate Agreement (BAA): A BAA must be in place between the healthcare provider (or covered entity) and the tool’s provider. This agreement outlines the responsibilities of the business associate in safeguarding PHI.
- Data Encryption: PHI must be encrypted both in transit (e.g., using HTTPS/TLS) and at rest to prevent unauthorized access.
- Access Controls: The platform must provide mechanisms to restrict access to PHI based on user roles and ensure that only authorized personnel can view or manage sensitive data.
- Audit Controls: The system must keep detailed logs of who accesses PHI and any actions taken, which can be reviewed to identify unauthorized activity.
- Data Backup and Disaster Recovery: The platform must have a reliable system for backing up data and recovering it in case of an unexpected event.
- Secure Data Transmission: All data transmitted through the platform must use secure protocols to prevent interception or breaches.
- Compliance Training: All users of the platform must undergo training to understand HIPAA requirements and how to properly handle PHI.
- Regular Risk Assessments: The platform must undergo periodic risk assessments to identify and address potential vulnerabilities.
Since SurveyMonkey, the parent company of Wufoo, explicitly states that it does not sign BAAs, Wufoo cannot be used for HIPAA-compliant purposes, regardless of how many additional security measures are implemented. Organizations that need HIPAA-compliant forms should use a dedicated tool that explicitly supports HIPAA compliance and provides a BAA, such as JotForm Enterprise, Formstack, or other specialized platforms.