HIPAA FORMS - Add HIPAA Compliant Webforms to Your Wordpress Website
Add HIPAA Compliant web forms easily to your Wordpress website using the HIPAA FORMS SaaS Service and Caldera or Gravity Forms.
Plugin Details
- Version: 3.1.6
- Last Updated: Dec 19, 2025
- Requires WP: 5.4+
- Tested Up To: 6.9
- PHP Version: N/A
- Author: Code Monkeys LLC
Support & Rating
- Rating: ★ ★ ★ ★ ★ 4.5
- Reviews: 8
- Support Threads: 0
- Resolved: 0%
Frequently Asked Questions
Common questions about HIPAA FORMS - Add HIPAA Compliant Webforms to Your Wordpress Website
Currently the HIPAA Forms plugin is only integrated with Caldera & Gravity Forms. Caldera Forms is a free form builder plugin and can be installed by searching for it in the WordPress plugin repository (plugins->add new). Gravity Forms is a premium paid form builder plugin that can be purchased HERE. No additional extensions are needed.
YOU MUST HAVE SSL ENABLED
The HIPAA FORMS plugin checks that SSL (https) is enabled and in use. Any form set as HIPAA Compliant will be deactivated if the URL does not start with https://. If you're unable to set up SSL with your current host, or if your current host charges too much for it, consider managed hosting (and an optional WordPress maintenance package) from Code Monkeys. We automatically issue free SSL certificates to all of our hosting customers. CLICK HERE FOR DETAILS
YOU MUST HAVE A VALID LICENSE KEY
You can purchase a license key from hipaaforms.online on a free, monthly, quarterly or annual subscription basis. While this plugin is free to install and use, the HIPAA FORMS plugin is integrated with an API service and you must have an active account with a valid license key to use this service. A free API subscription is available but limits you to 1 form and up to 25 form submissions per month, while the paid subscription is $55/mo and allows unlimited forms and form submissions. If your paid subscription expires you will automatically be dropped down to the basic plan and limited to 25 form submissions per month.
A subscription account and license key are required because a BAA must be in place and the encrypted E-PHI data is stored in the HIPAA Forms API database in order to meet HIPAA/PIPEDA regulations, so there must be a way to validate who you are and that all of the requirements are in place.
YOU CAN ONLY SUBMIT & VIEW FORMS FROM YOUR ASSOCIATED DOMAIN
Forms can only be submitted and viewed from the domain you added to your HIPAA FORMS Service subscription account at the time of checkout. When a request is made to the HIPAA FORMS Service API, it checks your license key, your domain and whether a BAA has been signed. If any of those is not valid, the API request is denied and an error is returned specifying what the issue is. Only one license key and domain is allowed per subscription, meaning you can NOT use the same license or domain on more than one website. This is done as an additional security measure to ensure that even if a license key is stolen, form data would not be accessible. If you need to change the domain associated with your license key you can do so by logging in at https://www.hipaaforms.online/my-account
YOU MUST SIGN THE BAA AGREEMENT
A Business Associate Agreement (BAA) typically is required for companies that are subject to the Health Insurance Portability and Accountability Act (HIPAA) to ensure that protected health information (PHI) is appropriately safeguarded. Failure to manage data privacy risks with non-business associate vendors may lead to violations of both HIPAA and state privacy laws. The BAA is in place for your protection, and forms cannot be submitted or viewed until it is in place. We also recommend that you have a BAA in place with your web designer if they work on the site as a 3rd party contractor.
COMMON ISSUES:
EMAIL NOTICES GOING TO SPAM
Default WordPress emails are sent through your host's domain, which will often be flagged as spam. We highly recommend installing an email SMTP plugin for WordPress and using the SMTP settings for a legit email address. This will allow WordPress to send emails from the SMTP server instead of from your host.
FORMS ARE DISABLED / HIPAA COMPLIANT BADGE DOESN'T APPEAR
If you do NOT see the additional section at the bottom of the form with the HIPAA compliant badge, then there is an issue somewhere and the form will be disabled, as it will not be HIPAA compliant. A common reason this might happen is if you do NOT have SSL (https://) enabled or if the user is viewing the http:// version of the page. If this is the case the form will be disabled and you should see a warning notice at the bottom of the form instead of the badge. We strongly recommend that you set up a redirect in your .htaccess file or by using a plugin to ensure all pages are served as the https:// version of the page.
Another common reason you might not see this section is if your license key has expired. If this is the case you should see a warning notice at the bottom of the form and the form will be disabled. Reactivating your license key will solve the issue and your form will be enabled again.
A less common reason for this would be if another plugin is causing a Javascript/jQuery error or conflict.
NONCE EXPIRED ERROR
WordPress uses a nonce (number used once) to help secure your site during things like form submissions and AJAX calls, although it's not really a "number used once" in the traditional sense. Instead it is a hash token that can be used multiple times within a 12 or 24 hour period, after which the nonce expires. If your cache expiration is set beyond 12 hours, the nonce is cached along with the page, and submitting the cached page results in a validation error because that nonce has expired.
This issue is not specific to our plugin. If your cache expiration is set too long it can cause issues with many other plugins as well.
To solve this issue make sure you have any caching plugins such as W3TC or Super Cache set to expire before 12 hours.
If the problem persists with caching plugins completely deactivated, then it's most likely an issue with a server-side cache on your hosting server. You will need to contact your hosting company and request that the caching be reduced to under 12 hours. If you are on an ultra-cheap shared hosting solution from someone like HostGator you will most likely need to move to another host, as they will not adjust their caching to play well with WordPress nonces. Honestly, if you rely on your website for your business, which we would assume you do if you are using this plugin, then you really should spend a little extra for a good reliable host. You really do get what you pay for when it comes to hosting solutions.
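The timing behind this error, as an added stand-alone PHP model (not WordPress core code and not the plugin's code): a nonce is tied to a 12-hour tick and is accepted during its own tick and the next one, so its real lifetime depends on when in the tick the page was rendered. The salt, the timestamps and the action name `hipaa_form_submit` are constructed for illustration.

```php
<?php
// Added example: stand-alone model of WordPress nonce timing, not core or plugin code.
const NONCE_LIFE = 86400;               // WordPress default nonce lifetime: 24 hours
const DEMO_SALT  = 'constructed-salt';  // constructed; real sites use the wp-config.php salts
const ACTION     = 'hipaa_form_submit'; // hypothetical action name

// Tick counter that advances every NONCE_LIFE / 2 seconds (12 hours by default).
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Token bound to the tick and the action (core also mixes in user ID and session token).
function make_nonce(int $tick, string $action): string {
    return substr(hash_hmac('md5', $tick . '|' . $action, DEMO_SALT), -12, 10);
}

// Returns 1 for the current tick, 2 for the previous tick, false once expired.
function check_nonce(string $nonce, int $now, string $action) {
    $tick = nonce_tick($now);
    if (hash_equals(make_nonce($tick, $action), $nonce)) {
        return 1;
    }
    if (hash_equals(make_nonce($tick - 1, $action), $nonce)) {
        return 2;
    }
    return false;
}

// Hours after rendering at which a cached copy of the page still submits successfully.
function usable_hours(int $rendered): array {
    $nonce = make_nonce(nonce_tick($rendered), ACTION);
    $ok = [];
    foreach ([1, 6, 11, 13, 18, 23, 25] as $h) {
        if (check_nonce($nonce, $rendered + $h * 3600, ACTION) !== false) {
            $ok[] = $h;
        }
    }
    return $ok;
}

$boundary = 40000 * intdiv(NONCE_LIFE, 2); // constructed timestamp on a tick boundary

// Page rendered one second after a tick starts: the nonce lasts almost 24 hours.
echo 'early in tick: ', implode(', ', usable_hours($boundary + 1)), " h\n";
// Page rendered one second before a tick ends: the nonce lasts barely over 12 hours.
echo 'late in tick:  ', implode(', ', usable_hours($boundary - 1)), " h\n";
```

A cache expiration under 12 hours stays inside the validity window in both cases, which is why the limit to configure is 12 hours rather than 24.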
LONGER FORMS ARE SUBMITTING BUT NOT SHOWING THE FORM INFORMATION IN THE SUBMITTED FORMS VIEW
Very long forms may exceed the max_input_vars setting in your hosting server's php.ini. This will cause the form to submit; however, the actual form will most likely be empty and not actually sent through the API since it's larger than your limit.
To solve this, increase your max_input_vars in your php.ini. If you are on a shared hosting account and do not have access to the php.ini settings, or are unsure how to change them, there are 3rd party plugins available in the WordPress plugin repository that will allow you to change your settings from the WordPress admin panel.
COMMON QUESTIONS:
WHAT IS A BAA?
A Business Associate Agreement (BAA) typically is required for companies that are subject to the Health Insurance Portability and Accountability Act (HIPAA) to ensure that protected health information (PHI) is appropriately safeguarded. Failure to manage data privacy risks with non-business associate vendors may lead to both violations of HIPAA and state privacy laws. You will be unable to use the HIPAA FORMS Service until you have signed the BAA with Code Monkeys LLC (the developers of the service) and will receive a notice to do so within the "submitted forms" tab as well as in the settings tab until it has been signed. We HIGHLY recommend that you have a BAA in place with your web designer as well if you use a 3rd party contractor for web design service.
While we recommend not modifying the core functionality of the plugin changing the CSS/Styles is totally fine and recommended.
CAN IMAGES/FILES BE ATTACHED TO FORMS?
We offer a secure HIPAA compliant file upload add-on option with unlimited uploads and unlimited storage to our service for an additional $30/mo or $300/yr. This option is not available with our basic free subscription.
With our file upload option enabled, the basic file upload fields within Caldera or Gravity Forms are overridden by our plugin and the files are submitted directly from the browser to our secure encrypted file storage system when the form is submitted.
If files have been uploaded and attached to a submitted form you’ll be able to view those files from within the submitted form interface of the HIPAA Forms dashboard.
Secure generic pre-signed access URLs are generated when you load the submitted form that expire after 1 hour for greater security.
If you are "pre-launch" we would recommend setting the domain on your HIPAA FORMS Service account to your staging server domain first. Then once you are ready to go live simply switch the domain to the live domain.
We understand that this can be frustrating to developers that do not have a staging version under the same root domain as we're developers ourselves. We are exploring possible solutions to this for future releases to help with this issue.