Is Gravity Forms HIPAA compliant?

Gravity Forms is a third party WordPress plugin that allows users to host forms on their websites. The handling of protected health information (PHI) necessitates third-party entities to adhere to HIPAA compliance. Therefore, a question arises: Is Gravity Forms HIPAA compliant? In short, it is not HIPAA compliant.

Exploring Gravity Forms

A plugin is software installed and integrated into a WordPress-hosted website to improve functionality and add features. Gravity Forms enables users to incorporate various forms, offering multiple functionalities, including newsletter sign-ups, surveys, and contact forms. With its existence spanning over a decade, it has established itself as a premium plugin option for form generation. 

Gravity Forms claims that when data is collected through Gravity Forms, it is stored in tables within your WordPress database, which is hosted by your hosting provider. Gravity Forms utilizes the existing infrastructure provided by WordPress and stores the collected data securely within your database environment. This approach ensures that the data remains under your control and within the confines of your chosen hosting provider.

Related: HIPAA compliant WordPress hosting: A comprehensive guide 2023

Understanding HIPAA compliance 

Covered entities and business associates must be HIPAA compliant to prevent violations or breaches when handling PHI. Compliance involves adhering to the regulations outlined in the Privacy and Security Rules, which establish policies and procedures for data security. 

Software with access to PHI must meet the required standards for protecting sensitive healthcare information. Without such compliance, it cannot be used by the covered entity without incurring a possible violation.

To achieve HIPAA compliance, the key measures involved:

Safeguard PHI:

• Develop and implement policies and procedures to protect the privacy of PHI.
• Obtain patient consent for the use and disclosure of their PHI.
• Provide procedures for the patient's right to access their medical records.

Ensure ePHI Security:

• Conduct a comprehensive risk analysis to identify vulnerabilities and risks associated with electronic PHI (ePHI).
• Implement an approach encompassing physical, technical, and administrative safeguards to secure ePHI.
• Create and test contingency plans to effectively respond to data breaches or unforeseen disasters.

Establish Business Associate Agreements (BAA):

• Enter into a BAA with third-party entities that handle PHI, ensuring they comply with HIPAA regulations.

Related: HIPAA Compliant Email: The Definitive Guide

Evaluating gravity forms' HIPAA compliance

Gravity Forms has areas where its product design may impact compliance. Based on the information provided on their website, here are the areas where Gravity Forms may not meet compliance requirements:

1. Transmission security: Gravity Forms does not provide specific provisions for transmitting PHI securely. The responsibility for implementing encryption depends on the user's environment. 
2. Storage encryption: Data collected through Gravity Forms is not encrypted by default. If encryption for data at rest is required, users would need to rely on additional encryption add-ons or solutions.
3. Data integrity: Gravity Forms does not include specific features for ensuring data integrity, such as mechanisms to detect and prevent tampering with collected data. The responsibility for data integrity lies with the user, including their choice of storage and transport encryption.
4. Business associates agreement: Gravity Forms does not sign a BAA with users, as they do not store or collect data on behalf of users.

Implementing gravity forms in a HIPAA compliant environment

Without a BAA in place, Gravity Forms does not meet the requirements to be HIPAA compliant. Using it in a HIPAA compliant manner involves implementing certain practices and considerations. Here are some guidelines:

1. Data encryption: Enable encryption for data transmitted through Gravity Forms to ensure the secure transfer of PHI. Gravity Forms provides options to enable SSL encryption for form submissions.
2. Access Controls: Implement access controls and user permissions within WordPress to restrict access to PHI collected through Gravity Forms. Only authorized personnel should have access to sensitive data.
3. Using a BAA: If using Gravity Forms with another third-party service provider, ensure a signed BAA is in place. The BAA outlines the responsibilities and obligations of the service provider in maintaining HIPAA compliance.
4. Secure Hosting Environment: Ensure your website and hosting environment meet HIPAA security requirements. Use a HIPAA compliant hosting provider that offers necessary security measures, such as firewalls, regular backups, and intrusion detection systems.
5. PHI Storage and Retention: Store PHI collected through Gravity Forms in a secure, encrypted database. Implement retention policies to ensure data is kept for the required period and securely disposed of when no longer needed.
6. Regular Auditing and Monitoring: Conduct periodic audits and monitoring of Gravity Forms usage to identify and address potential security vulnerabilities or breaches.

Remember, using Gravity Forms alone does not guarantee HIPAA compliance. Assess your organization's specific requirements, consult with legal and compliance experts, and ensure proper implementation and configuration of Gravity Forms within a comprehensive HIPAA compliance program.

See more: Does my website need to be HIPAA compliant?