Is Gravity Forms HIPAA Compliant?

Is Gravity Forms HIPAA compliant? HIPAAGuide.net

Gravity Forms is not HIPAA compliant and should not be used in its default state by covered entities and business associates to collect, store, or transmit Protected Health Information (PHI). To make Gravity Forms HIPAA compliant it is necessary to install a plugin that isolates PHI from the service.

The answer to whether Gravity Forms is HIPAA compliant is complicated because Gravity Forms claims not to qualify as a business associate, on the grounds that it does not collect, store, or transmit data on a customer's behalf. It also claims to have no access to customer data and so will not sign a HIPAA Business Associate Agreement with covered entities and business associates.

However, the HIPAA and Gravity Forms web page states that "the data collected by Gravity Forms is not encrypted during storage". This is followed by the recommendation that "encryption of data at rest would need to be provided by an add-on or the custom code". This would appear to contradict the assertion that Gravity Forms does not collect data on a customer's behalf and does not qualify as a business associate.

To further complicate the answer to whether Gravity Forms is HIPAA compliant, in its 2022 guidance on HIPAA and Cloud Computing, HHS' Office for Civil Rights states that "a CSP [in this case Gravity Forms] providing 'no view services' [on behalf of a covered entity or business associate] is not exempt from any otherwise applicable requirements of the HIPAA Rules."

How to Use Gravity Forms in Compliance with HIPAA

There are two ways in which covered entities can use Gravity Forms in compliance with HIPAA. The first is to use the service only to collect personal information that does not qualify as individually identifiable health information. To use Gravity Forms in this way, covered entities will need to understand what is considered PHI under HIPAA.

In addition to collecting only personal information that does not qualify as individually identifiable health information, covered entities must ensure there is no "free typing" field in which PHI could be collected from a website visitor. Covered entities that need to collect information of this nature must take steps to make Gravity Forms HIPAA compliant.


How to Make Gravity Forms HIPAA Compliant

Making Gravity Forms HIPAA compliant is the second way in which it is possible to use the service in compliance with HIPAA. This process involves installing a HIPAA compliant plugin into the WordPress site on which Gravity Forms is being used (for example, HIPAA Forms by Code Monkeys) to isolate the content of the forms from the Gravity Forms service.

While this overcomes the issue of Gravity Forms refusing to sign a Business Associate Agreement, it does mean that covered entities will have to enter into a Business Associate Agreement with Code Monkeys, and will be paying for both the Gravity Forms service and the HIPAA Forms service. The WordPress site must also have SSL enabled.

HIPAA Compliant Alternatives to Consider

Because of the administrative overhead and cost of making Gravity Forms HIPAA compliant, covered entities may want to consider HIPAA compliant alternatives. Covered entities with existing Office 365 or Workspace accounts may wish to consider embedding their respective Forms services into a webpage, while JotForm and Zoho are also suitable alternatives.

In all cases, it is advisable to seek professional HIPAA compliance and technical advice if you are unsure about whether a website form and the services used to host it are HIPAA compliant. It is also advisable to provide HIPAA training to any members of the workforce who will be involved in the design of the forms or in responding to forms when they are submitted.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/