HIPAA Compliance

How BttrForm supports HIPAA compliance with BAA agreements, PHI encryption, and configurable safeguards for healthcare data.

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient health information in the United States. If your organization collects, stores, or transmits Protected Health Information (PHI) through forms -- patient intake forms, insurance claim forms, medical surveys -- you need to ensure your tools meet HIPAA requirements. BttrForm provides the technical safeguards and administrative controls to support your HIPAA compliance program.

What Is HIPAA and Why It Matters

HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates (any vendor that handles PHI on their behalf). If you are a covered entity using BttrForm to collect health-related data, BttrForm acts as your business associate and must meet specific security and privacy requirements.

HIPAA Is a Shared Responsibility

BttrForm provides the technical infrastructure and safeguards, but HIPAA compliance is a shared responsibility. You are responsible for configuring your forms appropriately, training your staff, and ensuring your workflows follow HIPAA guidelines.

Business Associate Agreement (BAA)

Before processing PHI through BttrForm, you must have a signed Business Associate Agreement in place. The BAA defines the responsibilities of both parties regarding the handling of PHI.

How to Sign a BAA

  1. Navigate to Settings > Compliance in your BttrForm dashboard.
  2. Locate the HIPAA Compliance section.
  3. Click Sign Business Associate Agreement.
  4. Review the agreement terms. The BAA covers data handling, breach notification, and termination procedures.
  5. An organization admin or owner must sign the BAA -- members and viewers cannot initiate this.
  6. Once signed, the BAA is effective immediately and applies to all forms within the organization.

Admin Required

Only organization admins or owners can sign the BAA. If you do not see the option, ask your organization admin to complete this step.

What the BAA Covers

| Provision | Description |
|---|---|
| Data handling | How BttrForm processes, stores, and transmits PHI |
| Encryption | AES-256-GCM encryption at rest, TLS 1.3 in transit |
| Access controls | Role-based access, audit logging, session management |
| Breach notification | BttrForm notifies you within 60 days of discovering a breach |
| Termination | PHI returned or destroyed upon contract termination |
| Subcontractors | Requirements for any subprocessors handling PHI |

PHI Field-Level Encryption

Standard encryption at rest (AES-256) protects all data stored in BttrForm. For PHI, BttrForm adds an additional layer: field-level envelope encryption using AES-256-GCM.

How It Works

When a form is marked as containing PHI, individual fields identified as PHI receive an extra encryption layer:

1. Form response submitted
2. PHI fields identified (automatic or manual tagging)
3. A unique Data Encryption Key (DEK) is generated for the response
4. PHI fields encrypted with DEK using AES-256-GCM
5. DEK encrypted with master key via KMS (envelope encryption)
6. Encrypted response stored in database
7. DEK stored separately from encrypted data

This means that even if someone gained access to the raw database, PHI fields would remain encrypted and unreadable without the corresponding DEK and master key.

Enabling PHI Encryption

  1. Open your form in the form builder.
  2. Go to Form Settings > Compliance.
  3. Enable HIPAA Mode for the form.
  4. BttrForm will automatically scan fields and tag likely PHI fields. You can also manually tag fields.
  5. Save the form. All future submissions will have PHI fields encrypted at the field level.

Existing Data

Enabling HIPAA mode applies field-level encryption to new submissions only. If you have existing responses that contain PHI, contact support to arrange encrypted migration of historical data.

PHI Detection

BttrForm includes automatic PHI detection that scans form fields for patterns commonly associated with health information. The scanner analyzes field names, labels, and descriptions to identify potential PHI.

What the Scanner Detects

| PHI Category | Example Field Names |
|---|---|
| Patient identifiers | Name, date of birth, social security number, medical record number |
| Contact information | Address, phone number, email (in healthcare context) |
| Health data | Diagnosis, medication, treatment, symptoms, allergies |
| Insurance data | Policy number, group number, plan name |
| Provider data | Doctor name, facility, NPI number |

How Detection Works

  • Automatic scanning runs when you save or publish a form with HIPAA mode enabled.
  • Fields flagged as potential PHI are highlighted in the form builder with a shield icon.
  • You can accept or dismiss each detection. Dismissed fields will not receive field-level encryption.
  • You can also manually tag any field as PHI, regardless of whether the scanner flagged it.

Review Automated Detections

Automatic PHI detection is a convenience tool, not a guarantee. Always review the detected fields to ensure all PHI is properly identified. You are responsible for correctly classifying your data.

Redaction Settings

When PHI data flows through integrations -- webhooks, email notifications, third-party connectors -- there is a risk of exposing sensitive information to systems that may not meet HIPAA requirements. BttrForm provides redaction controls to prevent this.

Webhook Redaction

When a form has HIPAA mode enabled, webhook payloads automatically redact PHI fields:

{
  "form_id": "abc-123",
  "response_id": "resp-456",
  "fields": {
    "email": "user@example.com",
    "patient_name": "[REDACTED - PHI]",
    "diagnosis": "[REDACTED - PHI]",
    "preferred_contact_time": "Morning"
  }
}

Non-PHI fields are sent normally. PHI fields are replaced with a redaction marker. The full data remains available in the BttrForm dashboard.

Email Notification Redaction

Email notifications for HIPAA-enabled forms never include PHI field values. Instead, notifications include:

  • The form name and submission timestamp
  • A count of fields submitted
  • A secure link to view the full response in the BttrForm dashboard (requires authentication)

Configuring Redaction

Navigate to Form Settings > Compliance > Redaction to customize:

  • Full redaction (default) -- All PHI fields replaced with [REDACTED - PHI]
  • Partial redaction -- Show last 4 characters of identifiers (e.g., ***-**-1234)
  • No redaction -- Send full PHI data (only enable this if the receiving system is HIPAA-compliant and covered by your BAA)

Third-Party Systems

If you disable redaction for webhooks, you are responsible for ensuring the receiving system meets HIPAA requirements and is covered by an appropriate BAA.

Session Management

HIPAA requires that systems handling PHI implement access controls including automatic session termination. BttrForm provides configurable session management for organizations with HIPAA mode enabled.

Configurable Session Timeouts

| Setting | Default | Range | Description |
|---|---|---|---|
| Idle timeout | 15 minutes | 5--60 minutes | Session ends after inactivity |
| Maximum session | 8 hours | 1--24 hours | Session ends regardless of activity |
| Remember device | Disabled | On/Off | Skip re-authentication on trusted devices |

Re-authentication for Sensitive Operations

Certain operations require the user to re-enter their password, even during an active session:

  • Exporting form responses containing PHI
  • Downloading file attachments from PHI forms
  • Modifying HIPAA or compliance settings
  • Changing organization security settings
  • Viewing audit logs

This prevents unauthorized actions if a user walks away from an unlocked computer.

Frequently Asked Questions

Who needs a BAA?

Any organization that is a HIPAA covered entity or business associate and uses BttrForm to collect, store, or process PHI needs a signed BAA. If you are unsure whether your organization is subject to HIPAA, consult your compliance officer or legal counsel.

What counts as PHI?

PHI is any individually identifiable health information that relates to a person's past, present, or future physical or mental health condition, healthcare services, or payment for healthcare. This includes names, dates, contact information, medical record numbers, and health data when combined with identifying information.

Can I export encrypted PHI data?

Yes. When you export responses from a HIPAA-enabled form, the export includes the decrypted PHI data. The export file itself is delivered as an encrypted download that expires after 24 hours. You are responsible for securing the exported data according to your organization's HIPAA policies.

What happens if I disable HIPAA mode on a form?

Disabling HIPAA mode stops field-level encryption for new submissions. Existing encrypted submissions remain encrypted and accessible. The change does not retroactively remove encryption from previously collected data.

Is BttrForm HIPAA certified?

There is no official HIPAA certification. HIPAA compliance is demonstrated through implementing the required administrative, physical, and technical safeguards. BttrForm provides the technical safeguards (encryption, access controls, audit logging) and administrative controls (BAA, policies) to support your compliance program. We undergo annual third-party security assessments that evaluate our HIPAA controls.
