Add HIPAA Compliant web forms to your WordPress website using the HIPAA FORMS SaaS Service (subscription license key required for SaaS service).
|Author:||Code Monkeys LLC (profile at wordpress.org)|
|WordPress version required:||4.7|
|WordPress version tested:||5.0.3|
|Added to WordPress repository:||27-12-2017|
|Total downloads:||5 450|
Click to start download
This is the interface showing the submitted forms.
This is an example form showing the appended HIPAA Compliant badge, privacy statement agreement and signature field.
YOU MUST HAVE CALDERA OR GRAVITY FORMS INSTALLED & ACTIVE
Currently the HIPAA Forms plugins is only integrated with Caldera & Gravity Forms. Caldera Forms is a free form builder plugin and can be installed by searching for it in the WordPress plugin repository (plugins->add new). Gravity Forms is a premium paid form builder plugin that can be purchased HERE No additional extensions are needed.
YOU MUST HAVE SSL ENABLED
The HIPAA FORMS plugin checks to ensure SSL (https) is enabled and being used. Any forms set as HIPAA Compliant will be deactivated if the url does not start with https://. If you’re unable to setup SSL with your current host or if your current host’s cost is too expensive consider a managed hosting (and optional WordPress maintenance package) from Code Monkeys. We automatically issue free SSL certificates to all of our hosting customers. CLICK HERE FOR DETAILS
YOU MUST HAVE A VALID LICENSE KEY
You can purchase a license key from hipaaforms.online as a free, monthly, quarterly or annual subscription basis. While this plugin is free to install and use, the HIPAA FORMS plugin is integrated with an API service and you must have an active account with a valid license key to use this service. A free API subcription is available but limits you to 1 form and up to 25 form submissions per month while the paid subscription is $55/mo and allows unlimited forms and form submissions. If your paid subscription expires you will automatically be dropped down to the basic plan and limited to 25 form submissions per month.
A subscription account & license key is required as a BAA agreement is required and the encrypted E-PHI data is stored on the HIPAA Forms API database in order to meet HIPAA/PIPEDA regulations and there must be a way to validate who you are and that all of the requirements are in place to do so.
YOU CAN ONLY SUBMIT & VIEW FORMS FROM YOUR ASSOCIATED DOMAIN
Forms can only be submitted and viewed from the domain you added to your HIPAA FORMS Service subscription account at the time of checkout. When a request is made to the HIPAA FORMS Service API it does a check against your license key, domain and if a BAA agreement has been signed. If any of those things are not valid the API request is denied and an error will be returned specifying what the issue is. Only one license key and domain is allowed per subscription meaning you can NOT use the same license or domain on more than one website. This is done as an additional security measure to ensure that even if a license key is stolen form data would not be accessible. If you need to change the domain associated with your license key you can do so by logging in at https://www.hipaaforms.online/my-account
YOU MUST SIGN THE BAA AGREEMENT
A Business Associate Agreement (BAA) typically is required for companies that are subject to the Health Insurance Portability and Accountability Act (HIPAA) to ensure that protected health information (PHI) is appropriately safeguarded. Failure to manage data privacy risks with non-business associate vendors may lead to both violations of HIPAA and state privacy laws. The BAA agreement is in place for your protection and forms can not be submitted or viewed until it is in place. We also recommend that you have a BAA in place with your web designer if they work on the site as a 3rd party contractor.
EMAIL NOTICES GOING TO SPAM
Default WordPress emails get sent through your host’s domain which often times will be flagged as spam. We highly recommend installing an email SMTP plugin for WordPress and using the SMTP settings for a legit email address. This will allow WordPress to send emails from the SMTP server instead of from your host.
FORMS ARE DISABLED / HIPAA COMPLIANT BADGE DOESN’T APPEAR
If you do NOT see the additional section at the bottom of the form with the HIPAA compliant badge then there is an issue somewhere and the form will NOT be disabled as it will not be HIPAA compliant. A common reason this might happen is if you do NOT have SSL (https://) enabled or if the user is viewing the http:// version of the page. We strongly recommend that you setup a redirect in your .htaccess file or by using a plugin to ensure all pages are served the https:// version of the page. If this is the case the form will be disabled and you should see a warning notice at the bottom of the form instead of the badge.
Another common reason you might not see this section is if your license key has expired. If this is the case you should see a warning notice at the bottom of the form and the form will be disabled. Reactivating your license key will solve the issue and your form will be enabled again.
NONCE EXPIRED ERROR
Wordpress uses a nonce (number used once) to help secure your site during things like form submissions and AJAX calls, although its not really a “number used once” in the traditional sense. Instead this is a hash token that can be used multiple times within a 12 or 24 hour period at which point the nonce will expire. What happens is if your cache expiration is set beyond 12 hours the nonce will also be cached resulting in a validation error as that nonce will have expired.
This is not just a specific issue to our plugin, if your cache expiration is set too long it can cause issues with many other plugins as well.
To solve this issue make sure you have any caching plugins such as W3TC or Super Cache set to expire before 12 hours.
If the problem persists with caching plugins completely deactivated then its most likely an issue with a server-side cache on your hosting server. You will need to contact your hosting company and request the caching be reduced to under 12 hours. If you are on an ultra-cheap shared hosting solution from someone like HostGator you will most likely need to move to another host as they will not adjust their caching to play well with WordPress nonces and honestly if you rely on your website for you business which we would assume you do if you are using this plugin then you really should spend a little extra for a good reliable host, you really do get what you pay for when it comes to hosting solutions.
LONGER FORMS ARE SUBMITTING BUT NOT SHOW THE FORM INFORMATION IN THE SUBMITTED FORMS VIEW
Very long forms may exceed the max_input_vars setting in your hosting server’s PHP.ini. This will cause the form to submit however the actual form will most likely be empty and not actually sent through the API since it’s larger than your limit.
To solve this increase you max_input_vars in your PHP.ini. If you are on a shared hosing account and do not have access to the PHP.ini settings or are unsure on how to change them there are 3rd party plugins available in the WordPress plugin repository that will allow you to change your settings from the WordPress admin panel.
WHAT IS A BAA?
A Business Associate Agreement (BAA) typically is required for companies that are subject to the Health Insurance Portability and Accountability Act (HIPAA) to ensure that protected health information (PHI) is appropriately safeguarded. Failure to manage data privacy risks with non-business associate vendors may lead to both violations of HIPAA and state privacy laws. You will be unable to use the HIPAA FORMS Service until you have signed the BAA with Code Monkeys LLC (the developers of the service) and will receive a notice to do so within the “submitted forms” tab as well as in the settings tab until it has been signed. We HIGHLY recommend that you have a BAA in place with your web designer as well if you use a 3rd party contractor for web design service.
CAN WE USE OUR OWN BAA INSTEAD OF YOURS?
Yes, in most cases we will sign your BAA in place of our default agreement.
You can email your signed BAA to us at spencer at codemonkeysllc.com. We will review it and assuming everything looks good we will sign it and replace the BAA on file for your account.
CAN WE MODIFY/EXTEND THIS PLUGIN?
WE STRONGLY RECOMMEND NOT MODIFYING THE FUNCTIONALITY OF THIS PLUGIN!
This plugin is released under the GPL license and is open source allowing you to modify the plugin however we strongly recommend against attempting to modify the core functionality of the plugin. The plugin simply acts as an interface to the API service where most of the “under the hood” functionality lives however some functionality such as encryption prior to sending the form data to the API happens within the plugin. Breaking or disabling this encryption process could result in non-encrypted private protected sensitive health information being submitted which would be a HIPAA violation and may lead to both violations of HIPAA and state privacy laws.
While we recommend not modifying the core functionality of the plugin changing the CSS/Styles is totally fine and recommended.
CAN IMAGES/FILES BE ATTACHED TO FORMS?
We offer a secure HIPAA compliant file upload add-on option with unlimited uploads and unlimited storage to our service for an additional $30/mo or $300/yr. This option is not available with our basic free subscription.
With our file upload option enabled the basic file upload fields within Caldera or Gravity Forms are over-ridden by our plugin and the files are submitted directly from the browser to our secure encrypted file storage system when the form is submitted.
If files have been uploaded and attached to a submitted form you’ll be able to view those files from within the submitted form interface of the HIPAA Forms dashboard.
Secure generic pre-signed access URLs are generated when you load the submitted form that expire after 1 hour for greater security.
HOW CAN WE USE THIS ON A STAGING SITE?
The answer to this question depends on HOW you handle a staging version of the website.
You are only able to submit and view forms from within the domain associated with your license key. If your staging version in under a subdomain of that domain you will be fine, the root domain is all that matters. However if your staging version is under a different domain you will only be able to use the service from staging OR live, not both at the same time.
If you are “pre-launch” we would recommend setting the domain on your HIPAA FORMS Service account to your staging server domain first. Then once you are ready to go live simply switch the domain to the live domain.
We understand that this can be frustrating to developers that do not have a staging version under the same root domain as we’re developers ourselves. We are exploring possible solutions to this for future releases to help with this issue.
1. Removed deprecated fields only option and removed additional fields call to API to reduce call size and increase speed of loading forms
2. Improved file upload handling if no file selected
3. Added option to export forms, form notes & form history to CSV files
4. Reworked raw form field submission to strip all html and include additional options for export
1. Form history improvements and bug fixes
2. Submitted forms list now displays unviewed forms as white and viewed forms as gray
3. File upload now available
File upload capability added for subscriptions that enable this new feature
1. DOCS UPDATE
2. Added cm-submitted-form-title class to submitted form title h2 tag in order to style it easier from CSS
1. Fixed “select all” checkbox bug in Gravity Forms.
2. Added better way of checking if Gravity Forms Active while keeping original as fail safe.
1. Fixed Gravity advanced multifield address field being ignored by validation if required.
2. Added previous version fix for required conditional hidden radio/checkbox fields to multipage/multistep forms.
1. Put fix in for conditional hidden radio/checkbox fields in Gravity Forms
2. Started form specific history although will not be 100% until next release.
1. Changed front-end nonce back to original method to prevent input from being added to head
2. Major change to how submitted forms are pulled from API to reduce amount of data being passed to solve some hosts to break on very long forms. Actual form doesn’t pull until toggled now.
1. Fixed required conditional fields breaking validation if hidden
2. Added archived forms interface
3. Add notes to bottom of web & PDF versions of submitted forms
1. Stripped slashes from custom email notification html
2. Removed Gravity Forms date picker icon and hidden icon path field on submitted forms
1. Added fix for hipaa user role not able to view dashboard in some situations
2. Added fix for saving selected form settings
3. Added validation check to prevent saving malformed json when saving selected form settings
Fixed bug if new notes property doesn’t exist
Fixed undeclared variable bug if no “send to” option set in selected form settings.
Added notes feature for standard subscribers
1. Added more options to default notification email settings.
2. Added form-specific custom notification email option.
3. Changed internal notification email handling significantly, please test & report any issues asap!
Minor fix for unset location variable causing email notice to break.
Fixed stupid undefined property notice
1. Added further support for the free basic API subscription option
2. Changed the plugin to revert to the free basic option if a paid subscription expires instead of deactivating the forms.
3. Changed nonce handling on front end to try and get around aggressive cache issues.
Added support for free basic option
1. Added support for Gravity Forms multi-step links
2. Fixed style bug in admin settings tabs
3. Started adding option to customize notification email subject
1. Fixed Caldera validation on checkbox/radio groups
1. Fixed unclosed tag in js causing Caldera validation to break on Safari.
2. Added 7 day grace period and alert message to admin submitted forms view on subscription expiration.
1. Added fallback fix for jQuery not getting values from textarea fields in some cases.
2. Started adding the new interface for form history & notes.
1. Tested for WordPress version 4.9.8
2. Updated docs/faq’s
Bug fix for adding/changing form builder if only 1 option exists
1. Updated settings
2. Completely changed how to manage the hipaa_forms user role capabilities
3. Added option to customize notification emails
1. Increased z-index for privacy modal to ensure it sits over other fixed & absolute positioned elements
2. Removed needless WP admin settings menu item as all settings are updated from within the plugin itself
3. Fixed pagination bug
1. Added option to filter forms by form name.
2. Updated initial view before adding a license key.
3. Test on Wordpres 4.9.7
1. Fixed bug mistakenly setting a value of 1 for a selected user if not set causing users with hipaa_user role to not see forms.
2. Fixed validation error on optional location select field if set to required and no value is set for an option.
3. Added support for secondary staging domain to be used.
4. Fixed css issue with sending animation bar not showing when submitting a form.
1. Fixed support ticket bug not showing replies.
1. Fixed signature field validation error.
2. Added HIPAA privacy notice customization options.
3. Added info icons to settings.
4. Updated BAA to be more clear on who the covered entity & who the associate or subcontractor is.
Fixed bug in iOS not getting textarea values using .val(), not using .attr(‘value’), frickin iOS.
1. Improved form validation for both Gravity & Caldera relying on their built-in error classes as well as adding a “scroll-to first error” function.
2. Fixed a bug with checkbox/radio input validation on both Caldera & Gravity.
3. Added function to replace Gravity file upload input with message that it is not HIPAA compliant & has been removed.
4. Improved default mobile styling a little for appended items at bottom of form on mobile.
5. Added touchstart event listener for mobile to validate signature field.
6. Added some security to support ticket system.
Bug fix for Gravity Forms if signature option has no value
1. Fixed multiple signature initialization when clicking back and next again in Gravity Forms multipage
2. Add additional Gravity Forms validation messages on error
3. Fixed Gravity multipage progress bar not reflecting current step
4. Added scroll to top of form when clicking prev/next in Gravity multipage
Something went wrong with the last SVN commit and some JS files weren’t included
1. Add callback function option
2. Over-rode Gravity Forms multipage next/previous function to make HIPAA compliant & enabled multipage
3. Improved field validation for Gravity Forms
4. Add optional signature field validation
5. Removed HIPAA privacy modal from showing in submitted forms
6. Other minor improvements
Minor fix for unset variable on plugin options
Minor fix for unset variable if Gravity not selected.
Updated expired nonce notice
Fixed deprecated attr() checkbox check
Fixed PDF delete on modal window close
Fix to remove email notice headers if using SendGrid plugin
Bug fix for Gravity forms allowing submissions with empty required fields
CRITICAL BUG FIX
Fixed minor loop warning for Gravity Forms
Basic design and code cleanup
This update includes an improved user interface and the following specific form settings:
1. Option to show/hide the signature field
2. Option to specify a success message or a redirect url after a form is submitted
3. Option to set who can see the submitted forms with the following options:
A. All users with admin/hipaa user role
B. Only specific users
C. Only a specific doctor/user selected within a form (ie. Patient selects a specific doctor in a form, only that doctor will see the submitted form). NOTE: Admins see all forms regardless of settings.