Is Formstack HIPAA Compliant? BAA, Security Features, and Setup Guide

If you handle electronic protected health information (ePHI), you’re likely asking: is Formstack HIPAA compliant? The practical answer is that Formstack can support HIPAA compliance when you execute a Business Associate Agreement and configure the platform’s security controls correctly. Compliance ultimately depends on your broader policies, vendor management, and day‑to‑day ePHI management.

This guide walks you through the essentials: the Business Associate Agreement (BAA), encryption standards, access controls, audit logging, Secure hosting expectations, how to configure security settings, and compliance best practices you can apply immediately.

Business Associate Agreement Overview

A Business Associate Agreement establishes the legal framework for protecting ePHI when a service provider processes it on your behalf. Without a signed BAA, you should not store, transmit, or process ePHI in Formstack. The BAA clarifies each party’s obligations and limits how the service may be used with health data.

What a BAA typically covers

• Permitted uses and disclosures of ePHI by the vendor in support of your operations.
• Safeguards the vendor must maintain, including administrative, physical, and technical protections aligned to HIPAA’s Security Rule.
• Breach and incident notification timelines, cooperation duties, and investigation requirements.
• Subcontractor management, ensuring downstream providers with ePHI access are bound by equivalent protections.
• Data return or secure destruction upon termination and restrictions on secondary use of ePHI.

What you should confirm in Formstack’s BAA

• Scope: which products, features, and integrations are included or excluded for ePHI management.
• Security controls: encryption, access control, audit trail, and data retention commitments.
• Support processes: breach reporting, availability objectives, and incident handling collaboration.

Data Encryption Standards

Encryption protects ePHI against unauthorized disclosure in transit and at rest. Ensure your account and workflows enforce strong cryptography at every stage of data handling.

In transit: Transport Layer Security

• Require Transport Layer Security for all form loads, submissions, API calls, and admin sessions.
• Avoid transmitting ePHI via unencrypted channels (for example, plain email or insecure webhooks).
• Use secure embed methods and verify that your custom domains redirect to HTTPS.

At rest: Encryption at Rest

• Confirm that form submissions, files, and backups are encrypted at rest using strong, industry‑standard algorithms.
• Evaluate key management practices, including rotation, restricted access, and separate environments for production keys.
• Where available, enable field‑level protection or data masking for highly sensitive fields.

Operational safeguards for encrypted data

• Disable or restrict outputs that can bypass encryption, such as unencrypted email notifications or CSV exports containing ePHI.
• Limit downstream integrations to services that also protect data with TLS and encryption at rest under a BAA.

Access Control Mechanisms

Access controls reduce risk by enforcing least privilege and strong authentication for every user who can view or manage ePHI.

Identity and authentication

• Enforce Multi-Factor Authentication for all administrative and reporting access.
• Prefer SSO with SAML or OIDC to centralize identity management and apply consistent password and session policies.
• Use short session lifetimes and automatic timeouts for consoles handling ePHI.

Authorization and least privilege

• Apply role‑based access control so users can only view the forms and submissions needed for their duties.
• Separate duties for builders, reviewers, and data exporters; require approvals for permission changes.
• Restrict bulk exports and file downloads to vetted roles; require just‑in‑time access for rare tasks.

Network and environmental controls

• Where supported, use IP allowlisting for admin access and APIs.
• Disable risky features for ePHI (for example, public links or anonymous sharing) unless strictly required and monitored.

Audit Logging Importance

An immutable Audit Trail is essential for detecting misuse, supporting investigations, and demonstrating compliance during audits. Logs should be comprehensive, time‑synchronized, and retained according to policy.

What to log

• User logins, failed login attempts, MFA challenges, and session terminations.
• Form and workflow changes, permission updates, API token creation, and integration configuration edits.
• Data events: views, exports, deletions, file downloads, and webhook deliveries.

How to use logs

• Automate alerts on anomalous activity, such as large exports, unusual IPs, or off‑hours access.
• Perform periodic access reviews using audit reports to verify least‑privilege assignments.
• Retain logs for a period aligned to your regulatory and litigation‑hold requirements.

Secure Hosting Infrastructure

Secure hosting underpins application‑level controls. Validate the provider’s security posture and require evidence that core safeguards extend to the environments processing your ePHI.

What to expect and verify

• SOC Compliance (for example, SOC 2 Type II) attestation covering relevant security, availability, and confidentiality controls.
• Hardened infrastructure with network segmentation, web application firewalling, DDoS protection, and continuous vulnerability management.
• Regular patching, endpoint protection, malware scanning, and secure software development lifecycle practices.
• Encrypted backups, tested disaster recovery, documented RPO/RTO objectives, and secure data destruction procedures.
• Physical security controls and visitor management at data centers, with monitored access and environmental protections.

Configuring Security Settings

The following setup flow helps you enable HIPAA‑appropriate controls and reduce exposure from the start. Adjust steps to match your plan’s available features.

1) Prepare the account

• Request and execute the Business Associate Agreement before collecting any ePHI.
• Confirm which products, add‑ons, and integrations are HIPAA‑eligible; disable or avoid those that are not.
• Define your ePHI data map so you know exactly which forms, fields, and files will contain regulated data.

2) Harden identity and access

• Turn on Multi-Factor Authentication globally; require MFA for API and reporting users.
• Integrate SSO to centralize password policies, lifecycle management, and conditional access.
• Create least‑privilege roles; restrict export permissions and file downloads to designated staff.

3) Protect data flows and storage

• Force HTTPS for all embeds and custom domains; verify Transport Layer Security is enforced end‑to‑end.
• Enable Encryption at Rest for submissions and uploaded files; confirm backups are encrypted.
• Disable inclusion of ePHI in email/PDF notifications; instead, send secure links requiring login and MFA.
• Limit integrations to vendors with a signed BAA; map fields to exclude ePHI from non‑compliant endpoints.

4) Configure forms and workflows

• Collect the minimum necessary ePHI; use conditional logic to avoid unnecessary data capture.
• Mask or tokenize sensitive fields when displayed to users with limited roles.
• Apply reCAPTCHA or equivalent to reduce automated abuse without exposing data.
• Set retention policies that automatically purge ePHI when it is no longer needed.

5) Monitor and maintain

• Enable comprehensive Audit Trail logging and review reports on a defined cadence.
• Run periodic access recertifications; remove dormant accounts and unused API tokens.
• Test incident response, including breach notification workflows and evidence preservation.

Compliance Best Practices

Strong configuration is necessary but not sufficient. HIPAA demands ongoing governance, risk management, and workforce readiness that extends beyond the software.

• Perform a risk analysis covering data collection, storage, exports, and integrations; document mitigating controls.
• Maintain written policies and procedures for ePHI management, access, retention, disposal, and incident handling.
• Train staff on HIPAA privacy and security requirements, phishing awareness, and secure handling of submissions.
• Use data minimization, field‑level protection, and approved secure channels for any downstream processing.
• Continuously validate vendor assurances, renewal of SOC reports, and BAA coverage for new features.

Conclusion

Formstack can be part of a HIPAA‑compliant stack when you sign a Business Associate Agreement, enforce encryption in transit and at rest, apply strong access controls with Multi-Factor Authentication, maintain an auditable trail, and operate on secure hosting with proven controls. Pair these configurations with disciplined policies and monitoring, and you’ll significantly reduce risk while meeting compliance obligations.

FAQs.

What does the Formstack BAA cover?

A typical Formstack BAA defines permitted uses of ePHI, required safeguards, breach notification obligations, subcontractor responsibilities, and data return or destruction at termination. It may also clarify which products, features, and integrations are approved for ePHI and which must be disabled to remain compliant. Always review the executed BAA for exact scope and requirements.

How does Formstack encrypt ePHI?

Encryption should be enforced in transit with Transport Layer Security and at rest with strong algorithms applied to submissions, files, and backups. Keys should be tightly controlled and rotated. You should disable outputs that expose plaintext (for example, ePHI in email bodies) and ensure any connected systems also encrypt data under a BAA.

What security controls does Formstack implement?

Common controls include role‑based permissions, Multi-Factor Authentication, SSO support, audit logging, and encryption for data in transit and at rest. On the hosting side, you should expect hardened infrastructure and independent validation such as SOC Compliance reports. Confirm which controls are available on your plan and enable them to enforce least privilege.

How do I enable HIPAA features in Formstack?

First, contact the vendor to execute a Business Associate Agreement and confirm a HIPAA‑eligible plan. Then enable account‑level security settings: MFA, SSO, encrypted storage, restricted exports, and comprehensive audit logging. For each form, collect only necessary ePHI, remove ePHI from emails and PDFs, limit integrations to BAA‑covered vendors, and apply retention and access policies. Regularly review logs and permissions to maintain compliance over time.