Cognito-forms – Are email notifications sent by Cognito Forms HIPAA compliant?

cognito-forms

I'm starting a company that will build and sell websites to pharmacies. Each website will need HIPAA compliant forms, for example for patients to order refills on.

Would Cognito Forms allow me to purchase an enterprise plan and then place a different form on each individual pharmacy website so that, again for example, if a patient reorders their medication, their response would be emailed directly to that individual pharmacy and not to me or to any other?

Would Cognito Forms sign a BAA (Business Associate Agreement) with just my website/marketing company or with my company and each individual pharmacy I build a website for?

Best Answer

This is technically two questions:

1. Are emails sent from Cognito Forms HIPAA compliant?

Yes, when following HIPAA guidelines. Cognito Forms leverages MailGun for HIPAA compliant transmission of emails and has a BAA with MailGun. This means that communications with MailGun are secure and MailGun has privacy measures in place to ensure emails are safe when passing through their servers.

However, when sending notifications to third parties, like pharmacies, these email accounts must also be HIPAA compliant to ensure that the security and processes for managing these email accounts comply with HIPAA guidelines. Additionally, prior consent is always required before sending emails to patients for any reason, regardless of how secure the transmission is.

A better approach would be to leverage the secure JSON webhooks to send requests directly into a HIPAA-compliant order fulfillment system maintained by the pharmacy, instead of relying on email.

2. Can a single Cognito Forms Enterprise plan be used for multiple Covered Entities?

Yes, though not ideal. If your organization is acting as a Business Associate on behalf of multiple Covered Entities, then you can sign a BAA with Cognito Forms for a single Enterprise account and leverage this for your customers. Your customers would, in turn, sign a separate BAA directly with your organization, establishing a chain of trust, similar to our BAAs with Microsoft Azure for hosting and MailGun for email delivery.

However, this poses a number of limitations and possible security issues if not managed correctly by you. First, you must ensure that you either do not allow pharmacies to log into Cognito Forms or assign them a global permission of None and only provide Editor or Reviewer permissions for their specific forms. You will also be directly responsible for the data in Cognito Forms and honoring any requests to remove this data on their behalf.

Our recommendation is for each Covered Entity to have their own Cognito Forms organization, with agencies having a single guest account to assist with form building and integration activities. This gives Covered Entities more control over their data.
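The answer above recommends delivering submissions by JSON webhook into the pharmacy's own fulfilment system rather than by email, and the question asks how to make sure each pharmacy only ever receives its own patients' submissions. The following is an added example of a webhook receiver on the agency's side, written for this page; it is not Cognito Forms' code and does not describe their actual webhook format. It assumes, hypothetically, that the sender signs the raw JSON body with HMAC-SHA256 in an `X-Signature` header, that the payload carries `form_id`, `entry_id` and `fields` keys, and that one form belongs to exactly one pharmacy. The receiver rejects unsigned, tampered, malformed or unrouted deliveries instead of falling back to a shared mailbox, and its audit line records no patient data.

```python
"""Webhook receiver for a multi-tenant forms-to-pharmacy integration.

Added example, not Cognito Forms' own code. Assumptions (hypothetical):
  * the form service POSTs a JSON body and an HMAC-SHA256 signature of the
    raw body in an `X-Signature` header (header name and scheme are assumed);
  * each form ID maps to exactly one pharmacy tenant (FORM_ROUTES below);
  * the endpoint is only reachable over TLS (terminated by a reverse proxy,
    not shown here).
"""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed mapping: one form per pharmacy, so a submission can only ever be
# routed to the pharmacy whose website hosted that form.
FORM_ROUTES = {
    "refill-form-pharmacy-a": "pharmacy-a",
    "refill-form-pharmacy-b": "pharmacy-b",
}

# Constructed secret for the example; in deployment load it from a secrets store.
WEBHOOK_SECRET = b"example-shared-secret"


class RejectedSubmission(Exception):
    """Raised when a webhook delivery must not be processed."""


def sign_body(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body (what the sender would compute)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: str) -> bool:
    """Constant-time comparison so timing differences do not leak the MAC."""
    return hmac.compare_digest(sign_body(secret, body), presented or "")


def route_submission(body: bytes, presented_signature: str,
                     secret: bytes = WEBHOOK_SECRET) -> dict:
    """Validate a delivery and decide which pharmacy receives it.

    Returns the tenant, entry id and order fields. Raises RejectedSubmission
    for unsigned, tampered, malformed or unrouted deliveries, so nothing is
    ever delivered "by default" to the wrong party.
    """
    if not verify_signature(secret, body, presented_signature):
        raise RejectedSubmission("bad signature")
    try:
        payload = json.loads(body)
    except ValueError as exc:
        raise RejectedSubmission("malformed JSON") from exc
    if not isinstance(payload, dict) or any(k not in payload for k in ("form_id", "entry_id", "fields")):
        raise RejectedSubmission("missing required keys")
    tenant = FORM_ROUTES.get(payload["form_id"])
    if tenant is None:
        # Unknown form: refuse rather than fall back to any catch-all mailbox.
        raise RejectedSubmission("no route for form %r" % payload["form_id"])
    return {"tenant": tenant, "entry_id": payload["entry_id"], "order": payload["fields"]}


def audit_line(result: dict) -> str:
    """Log line that records the delivery without any patient data (no PHI)."""
    return "delivered entry=%s tenant=%s" % (result["entry_id"], result["tenant"])


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end; the pure functions above carry the logic."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        try:
            result = route_submission(body, self.headers.get("X-Signature", ""))
        except RejectedSubmission as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        # Hand-off point: push result["order"] into the tenant's fulfilment
        # system here (queue or API call); this example only records an audit line.
        print(audit_line(result))
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        """Silence the default request log so bodies and paths are not written to stderr."""


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Running the module starts a local listener; the routing and signature logic lives in `route_submission` so it can be exercised without a server. The point of the fixed `FORM_ROUTES` table is that the receiver, not the submission, decides who the recipient is: a payload cannot name a different pharmacy, and an unrecognised form is dropped rather than delivered anywhere.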