by Ryan Ozawa
Is Typeform HIPAA compliant?


Do you need to conduct a customer satisfaction survey? Collect contact information for an upcoming webinar? Secure online forms capture information in a way that is easy to organize and analyze. Instead of sorting through rambling email messages, you can prompt users to submit exactly the information you need.

Web forms can be integrated into your website or sent out as links in an email. But if you’re a covered entity dealing with protected health information (PHI), there are a few more factors to consider.

What is Typeform?

Founded in Barcelona in 2012 by Robert Muñoz and David Okuniev, Typeform is a software as a service (SaaS) company that focuses on one thing: dynamic web forms.

In its first six months, Typeform picked up 100,000 users and raised $15 million in funding. Now, the company has over 300 employees, and its forms have been used by companies small and large, including Apple, Nike, Uber and Airbnb.

Unlike a typical web form, which presents a page of numerous boxes and checkboxes to fill out, Typeform uses dynamic, customizable elements that use elegant design and crisp animations to lead users through a series of questions, one at a time.

“You don’t want to make a boring form, and your audience won’t answer one,” reads the company’s pitch. “Create a typeform instead—and make everyone happy.”

Typeform says its conversational approach to forms provides “more thoughtful responses, and higher completion rates.” The approach also allows for conditional logic, which means answers to a given question can lead users down different paths.

Are Typeforms secure?

The company maintains a Security at Typeform page which outlines the privacy and security measures.

“We have a comprehensive set of information security policies following the ISO 27001 standard to ensure compliance, and to guide our employees and contractors in making the right security decisions,” Typeform says, for example. “We encrypt your data in-transit using secure TLS cryptographic protocols (TLS 1.2) and Advanced Encryption Standard (AES) is used with a 256-bit key to encrypt data at rest including the backups of the information.”

The company also notes that its services are hosted in a Virtual Private Cloud (VPC) on Amazon Web Services.

“Our main servers are located in Virginia, USA and backup servers are located in Frankfurt, Germany,” the company notes. “They are compliant with security and privacy standards.”

Typeform relies on its vendors for some security measures: payment company Stripe “ensures compliance with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2) and the Revised Directive on Payment Services (PSD2),” and cloud hosting provider Amazon is “certified in various frameworks from SOC2 to ISO 27001.”

There has been at least one notable data breach involving Typeform.

In 2018, attackers gained access to a data backup containing responses to forms submitted before May 3, 2018, involving more than 100,000 records. Typeform has since removed information about the breach from its website. Fractional CISO reports that the number and names of affected customers are unknown, but that many of them used Typeform to collect a wide range of personal information.

Is Typeform HIPAA Compliant?

On its security page, Typeform mentions a number of standards and guidelines it follows, from TLS and AES encryption, to ISO 27001, to OWASP Top Ten.

The page does not mention HIPAA.

However, Typeform also maintains a separate COVID-19 FAQ page. This page addresses HIPAA compliance directly.

Q: Can I collect health related information with my typeform?

A: Collecting personal health related information in the United States is tied to HIPAA compliance. If you’re using your typeform to collect such information in the US, please check with us to make sure that we have a Business Associate Agreement in place.

Based on this page, it appears that Typeform is willing to serve as a business associate for healthcare providers, health plans, and healthcare clearinghouses.

We should note, however, that while Typeform's hosting vendor, Amazon Web Services, can be used in a HIPAA compliant manner, its payment vendor Stripe does not appear to be HIPAA compliant.

Conclusion

At least as recently as the onset of the COVID-19 pandemic, Typeform appears to be HIPAA compliant—if you’re able to execute a business associate agreement with them.

If you use Typeform to collect and process payment information, its Stripe integration may not provide sufficient protection.

Finally, whether you’re integrating Typeform into your website or sending survey links out via email, make sure you have a HIPAA compliant website and use HIPAA compliant email.

Try Paubox Email Suite for FREE today.