Is Gravity Forms HIPAA Compliant?
Gravity Forms is not HIPAA compliant and should not be used in its default state by covered entities and business associates to collect, store, or transmit Protected Health Information (PHI). To make Gravity Forms HIPAA compliant it is necessary to install a plugin that isolates PHI from the service.
The answer to whether Gravity Forms is HIPAA compliant is complicated because Gravity Forms claims not to qualify as a business associate on the grounds that it does not collect, store, or transmit data on a customer's behalf. It also claims to have no access to customer data, and so will not sign a HIPAA Business Associate Agreement with covered entities and business associates.
However, on the HIPAA and Gravity Forms web page, it is stated "the data collected by Gravity Forms is not encrypted during storage". This is followed by the recommendation "encryption of data at rest would need to be provided by an add-on or the custom code". This would appear to contradict the assertion that Gravity Forms does not collect data on a customer's behalf and does not qualify as a business associate.
To further complicate the answer to whether Gravity Forms is HIPAA compliant, in its 2022 guidance on HIPAA and Cloud Computing, HHS' Office for Civil Rights states "a CSP [in this case Gravity Forms] providing 'no view services' [on behalf of a covered entity or business associate] is not exempt from any otherwise applicable requirements of the HIPAA Rules."
How to Use Gravity Forms in Compliance with HIPAA
There are two ways in which covered entities can use Gravity Forms in compliance with HIPAA. The first is to use the service only to collect personal information that does not qualify as individually identifiable health information. To use Gravity Forms in this way, covered entities will need to understand what is considered PHI under HIPAA.
In addition, as well as only collecting personal information that does not qualify as individually identifiable health information, covered entities must ensure there is no "free typing" field in which PHI could be collected from a website visitor. Covered entities that need to collect information of this nature must take steps to make Gravity Forms HIPAA compliant.
How to Make Gravity Forms HIPAA Compliant
Making Gravity Forms HIPAA compliant is the second way in which it is possible to use the service in compliance with HIPAA. This process involves installing a HIPAA compliant plugin into the WordPress site on which Gravity Forms is being used (for example, HIPAA Forms by Code Monkeys) to isolate the content of the forms from the Gravity Forms service.
While this overcomes the issue of Gravity Forms refusing to sign a Business Associate Agreement, it does mean that covered entities will have to enter into a Business Associate Agreement with Code Monkeys, and will be paying for both the Gravity Forms service and the HIPAA Forms service. The WordPress site must also have SSL enabled.
HIPAA Compliant Alternatives to Consider
Because of the administrative overhead and cost of making Gravity Forms HIPAA compliant, covered entities may want to consider HIPAA compliant alternatives. Covered entities with existing Office 365 or Workspace accounts may wish to consider embedding their respective Forms services into a webpage, while JotForm and Zoho are also suitable alternatives.
In all cases, it is advisable to seek professional HIPAA compliance and technical advice if you are unsure about whether a website form and the services used to host it are HIPAA compliant. It is also advisable to provide HIPAA training to any members of the workforce who will be involved in the design of the forms or in responding to forms when they are submitted.