Does my Appointment Request or Contact Form Need to Be HIPAA Compliant?

Practis Blog

At Practis we are frequently asked, “Does my contact or appointment request form need to be secure?” Most standard contact or appointment request web forms use form mail scripts to collect responses and email them over an open, unsecured Internet connection. For a medical provider who needs to comply with HIPAA security regulations, this presents a problem.

The problem with emailed web form responses

The problem with email is that your message takes many server hops – from the originator’s desktop or phone, through outgoing and incoming mail servers, to the recipient’s workstation. A copy of your email is stored on each machine, which creates an opportunity for your message to be viewed by an uninvited hacker. Every message sent may cross the Internet multiple times, and unencrypted, it can be read by anyone who has access at any of those points.

According to the Department of Health and Human Services (DHHS), many healthcare organizations, or covered entities, have had electronic protected health information (ePHI) stolen because emails were not adequately encrypted and secured. Organizations can send PHI via email, but it must be done using a solution that encrypts and secures the ePHI. DHHS standards for access control, integrity and transmission security require covered entities to implement policies and procedures to “restrict access to, protect the integrity of, and guard against unauthorized access to ePHI.”

So what data is considered ePHI?

ePHI is any two data elements that, taken together, can be used to identify someone. These include the following:

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city, county, and zip)
  • All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate or license number
  • Any vehicle, license or other device serial number
  • Web URLs
  • Internet Protocol (IP) Address
  • Finger or voice print
  • Photographic image – Photographic images are not limited to images of the face.
  • Any other characteristic that could uniquely identify the individual

Ensuring the secure transmission of messages

HIPAA requires that ePHI remain secure at rest and in transit. That means ePHI must be protected while sitting on workstations and servers, and encrypted each time your email message crosses the web. Ensuring transmission security affects which email systems healthcare organizations can use. Free email services such as Gmail or Hotmail are not secure enough, because it is difficult for one product to protect the entire path from sender to recipient. Standard web forms cannot offer the level of security that HIPAA requires.
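To make the at-rest/in-transit distinction concrete, the Go program below is an added example written for this post; it is not Practis Forms’ implementation or any vendor’s code. It contrasts the form-mail pattern (every field copied into a plaintext email) with a handler that encrypts the submission with AES-256-GCM before storing it and emails only a reference number that carries no identifiers. The form field names, the identifier set, the record id and the in-process key generation are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
)

// Submission models an appointment-request payload. The field names are
// assumptions for this example and map onto identifiers from the list above
// (name, telephone number, email address).
type Submission struct {
	Name   string `json:"name"`
	Phone  string `json:"phone"`
	Email  string `json:"email"`
	Reason string `json:"reason"`
}

// identifierFields is an assumed mapping of common form field names onto
// HIPAA identifiers; a real form would maintain its own mapping.
var identifierFields = map[string]bool{
	"name": true, "address": true, "dob": true, "phone": true, "fax": true,
	"email": true, "ssn": true, "mrn": true, "account": true, "ip": true,
}

// collectsEPHI applies the two-element rule from the post: a form schema
// with two or more identifier fields is collecting ePHI.
func collectsEPHI(fieldNames []string) bool {
	count := 0
	for _, f := range fieldNames {
		if identifierFields[strings.ToLower(f)] {
			count++
		}
	}
	return count >= 2
}

// formMailBody reproduces what a typical form-mail script does: every field
// is copied into a plaintext email body. Included only for contrast.
func formMailBody(s Submission) string {
	return fmt.Sprintf("Name: %s\nPhone: %s\nEmail: %s\nReason: %s\n",
		s.Name, s.Phone, s.Email, s.Reason)
}

// encryptSubmission seals the JSON-encoded submission with AES-256-GCM so the
// stored record is protected at rest. Output layout: nonce || ciphertext+tag.
func encryptSubmission(key []byte, s Submission) ([]byte, error) {
	plain, err := json.Marshal(s)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// decryptSubmission reverses encryptSubmission. GCM rejects any record whose
// ciphertext or tag was altered, which covers the integrity requirement.
func decryptSubmission(key, sealed []byte) (Submission, error) {
	var s Submission
	block, err := aes.NewCipher(key)
	if err != nil {
		return s, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return s, err
	}
	if len(sealed) < gcm.NonceSize() {
		return s, fmt.Errorf("sealed record too short")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return s, err
	}
	return s, json.Unmarshal(plain, &s)
}

// notificationBody is all the hardened handler emails: a record reference the
// staff member uses to open the request in a secured portal. It carries no
// identifiers, so it can cross ordinary mail servers.
func notificationBody(recordID string) string {
	return fmt.Sprintf("A new appointment request (ref %s) is waiting in the secure portal.", recordID)
}

func main() {
	// Constructed sample request; not a real person.
	req := Submission{Name: "Jane Example", Phone: "555-0100", Email: "jane@example.com", Reason: "follow-up"}
	fmt.Println("form collects ePHI:", collectsEPHI([]string{"name", "phone", "email", "reason"}))
	fmt.Print("form-mail email would carry:\n", formMailBody(req))
	// In production the key comes from a secrets manager; generating it here
	// is an assumption so the example runs stand-alone.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := encryptSubmission(key, req)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %d bytes of ciphertext, no field readable\n", len(sealed))
	fmt.Println("notification email:", notificationBody("REQ-0001"))
}
```

The design point is that the email channel is removed from the PHI path entirely: the record is readable only by whoever holds the key, and the message that does traverse mail servers contains nothing from the identifier list.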

Using HIPAA compliant appointment request or contact forms

Due to the nature of email and the difficulty of keeping it secure, we recommend avoiding unsecured web forms and not listing your email address on your healthcare website. HIPAA-compliant Practis Forms is designed for healthcare entities to safely collect ePHI online. Practis Forms allows patients to contact you, ask questions, request appointments, complete their medical history or pay their bill.

You can learn more at