Wufoo is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Wufoo will not sign a Business Associate Agreement and its website does not describe HIPAA compliance measures for handling Protected Health Information.
Wufoo is an online form builder used by individuals and businesses to create and manage online forms, including surveys, contact forms, and event registrations. When a form is used to collect health information that identifies an individual, the information can become Protected Health Information when it is created or received by a HIPAA Covered Entity or a Business Associate as part of healthcare operations. In that scenario, the form vendor’s role becomes part of the compliance analysis because the vendor can receive or maintain data submitted through the form.
A Business Associate Agreement is a legally binding contract establishing the relationship between a HIPAA Covered Entity and a business associate. The agreement is used to require the proper protection of Protected Health Information and to define permitted uses and disclosures, safeguards, reporting obligations, and breach response responsibilities. When a vendor will receive, maintain, or transmit Protected Health Information on behalf of a regulated entity, the absence of a Business Associate Agreement prevents the regulated entity from using that vendor for Protected Health Information workflows.
Wufoo will not sign a Business Associate Agreement. Wufoo was acquired by SurveyMonkey in 2011, and there is no information on the Wufoo website that describes HIPAA compliance or related compliance efforts for the platform. Without a Business Associate Agreement, Wufoo cannot be used to collect or manage forms that include Protected Health Information for HIPAA Covered Entities or Business Associates.
HIPAA applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses, and to business associates that perform functions or activities on behalf of covered entities. Entities subject to HIPAA that use online forms must separate workflows that collect Protected Health Information from workflows that collect non-health information. Wufoo may be used for forms that do not request or capture Protected Health Information, such as general contact requests or event registrations that avoid health information. When a form workflow involves Protected Health Information, a different service that will execute a Business Associate Agreement is required.