Security & HIPAA

Encryption, audit logging, role-based access, BAA, and US-only hosting.


Yes. Formisoft is designed to meet HIPAA's administrative, physical, and technical safeguard requirements:

  • 256-bit AES encryption at rest and TLS 1.3 in transit
  • Role-based access controls with four permission levels
  • Complete audit logging of all data access and modifications
  • US-only data hosting on AWS infrastructure
  • Secure token generation for magic links
  • Bcrypt password hashing and HMAC-signed webhooks

A Business Associate Agreement (BAA) is available on the Enterprise plan.
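The list above mentions HMAC-signed webhooks without saying how a receiving system should check them. The following is an added illustration, not Formisoft's code: the header names, the hex encoding and the timestamp scheme are assumptions, and the secret and payload are constructed for the example. What it shows is the receiver-side discipline that makes a webhook MAC worth having: compute the MAC over the raw request bytes, compare it in constant time, and bind a timestamp into the signed message so a captured delivery cannot be replayed later.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Header names and encoding are assumptions for this example; the page does not
# specify how Formisoft transmits its HMAC signature.
SIGNATURE_HEADER = "X-Webhook-Signature"   # hex-encoded HMAC-SHA256 (assumed)
TIMESTAMP_HEADER = "X-Webhook-Timestamp"   # unix seconds at send time (assumed)
MAX_SKEW_SECONDS = 300                     # receiver policy: reject deliveries older than 5 minutes


def sign_webhook(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Sender side: MAC over 'timestamp.body' so the timestamp is authenticated too."""
    message = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], raw_body: bytes,
                   now: Optional[int] = None) -> bool:
    """Receiver side. Recomputes the MAC over the raw request bytes (never over a
    re-serialised JSON object, which may differ byte-for-byte) and compares in
    constant time. Returns False rather than raising on any malformed input."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
        provided = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale delivery: a captured request is not accepted later
    expected = sign_webhook(secret, timestamp, raw_body)
    # compare_digest on bytes avoids both timing leaks and non-ASCII TypeErrors
    return hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8"))


if __name__ == "__main__":
    secret = b"constructed-example-secret"       # constructed, not a real key
    body = json.dumps({"event": "submission.created", "id": "sub_1"}).encode()
    sent_at = 1_700_000_000
    headers = {TIMESTAMP_HEADER: str(sent_at),
               SIGNATURE_HEADER: sign_webhook(secret, sent_at, body)}
    print(verify_webhook(secret, headers, body, now=sent_at + 5))         # True
    print(verify_webhook(secret, headers, body + b" ", now=sent_at + 5))  # False, body changed
    print(verify_webhook(secret, headers, body, now=sent_at + 3600))      # False, too old
```

The skew window is a receiver-side policy choice; the important property is that the timestamp is inside the MAC input, so an attacker who captures a valid delivery cannot simply update the header.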

Multiple encryption layers protect patient data:

  • At rest — AES-256 encryption on AWS RDS (PostgreSQL) and AWS S3 (file storage)
  • In transit — TLS 1.3 between browser and servers, and between Formisoft and all third-party services
  • Passwords — hashed with bcrypt (10+ salt rounds)
  • Form passwords and API tokens — cryptographically secured

Patient data never leaves US borders.

Every action in Formisoft is logged automatically. When anyone on your team performs an action, an audit entry is created with:

  • Action type — create, read, update, delete, export, login
  • Resource affected — patient, form, submission, appointment, etc.
  • User who performed the action
  • IP address and user agent (browser/device)
  • Precise timestamp

Audit logs are admin-only, fully searchable, and exportable for HIPAA compliance reviews.
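To make the audit entry fields above concrete, here is an added Python sketch (not Formisoft's implementation) of an entry carrying exactly those fields, an admin-only search over them, and a JSON Lines export for a compliance review. The entries in `sample_log()` are constructed for the example; user names, IPs and resource IDs are made up.

```python
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# The six action types the page lists.
ACTION_TYPES = frozenset({"create", "read", "update", "delete", "export", "login"})


@dataclass(frozen=True)
class AuditEntry:
    action: str          # one of ACTION_TYPES
    resource_type: str   # patient, form, submission, appointment, ...
    resource_id: str
    user: str            # who performed the action
    ip: str
    user_agent: str      # browser/device string
    timestamp: str       # ISO-8601 UTC, microsecond precision


def record(action: str, resource_type: str, resource_id: str, user: str,
           ip: str, user_agent: str, when: Optional[datetime] = None) -> AuditEntry:
    """Build one immutable audit entry; unknown action types are rejected so the
    log vocabulary stays searchable."""
    if action not in ACTION_TYPES:
        raise ValueError(f"unknown action type: {action!r}")
    when = when or datetime.now(timezone.utc)
    return AuditEntry(action, resource_type, resource_id, user, ip, user_agent,
                      when.isoformat(timespec="microseconds"))


def search(log: Iterable[AuditEntry], requester_role: str, *, user: Optional[str] = None,
           action: Optional[str] = None, resource_type: Optional[str] = None,
           since: Optional[datetime] = None) -> List[AuditEntry]:
    """Admin-only search. Every filter is optional; supplied filters are ANDed.
    Timestamps are all UTC at the same precision, so string comparison is safe."""
    if requester_role != "admin":
        raise PermissionError("audit logs are admin-only")
    since_iso = since.isoformat(timespec="microseconds") if since else None
    return [e for e in log
            if (user is None or e.user == user)
            and (action is None or e.action == action)
            and (resource_type is None or e.resource_type == resource_type)
            and (since_iso is None or e.timestamp >= since_iso)]


def export_jsonl(entries: Iterable[AuditEntry]) -> str:
    """One JSON object per line, stable key order, for handing to a reviewer."""
    return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in entries)


def sample_log() -> List[AuditEntry]:
    """Constructed sample entries for the example (not real data)."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (Macintosh)"
    return [
        record("login", "session", "s1", "dr.lee", "203.0.113.5", ua, t0),
        record("read", "patient", "p42", "dr.lee", "203.0.113.5", ua, t0.replace(minute=1)),
        record("export", "submission", "sub7", "dr.lee", "203.0.113.5", ua, t0.replace(minute=2)),
        record("update", "appointment", "a9", "frontdesk", "198.51.100.7", ua, t0.replace(minute=3)),
    ]


if __name__ == "__main__":
    log = sample_log()
    # A typical compliance question: who exported data, and from where?
    print(export_jsonl(search(log, "admin", action="export")))
```

A review question like "which exports happened last quarter, by whom, from which address" maps directly onto the filters; the `PermissionError` on non-admin callers is what enforces the admin-only property at the API boundary rather than only in the UI.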

Four roles with distinct access levels:

  • Admin — full access including team management, billing, organization settings, and all patient data
  • Provider — view and manage patients, appointments, and submissions (no settings or billing)
  • Staff — manage patients and appointments day-to-day (no settings)
  • Patient — limited access to their own data only

Team members are invited by email and assigned a role by an admin. Roles can be changed at any time.
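As an added example (not Formisoft's code), the four roles above can be written down as a deny-by-default permission matrix with one extra rule that a role table alone cannot express: a Patient may read only records that belong to them. Resource kinds and action names are assumptions chosen to match the wording of the answer; the page does not say whether Staff can see submissions, so that entry is deliberately left out.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

MANAGE = frozenset({"read", "create", "update", "delete"})
READ = frozenset({"read"})

# Permission matrix derived from the four roles above. Staff access to submissions
# is not stated on the page, so it is left out here (assumption).
PERMISSIONS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "admin": {
        "team": MANAGE, "billing": MANAGE, "settings": MANAGE,
        "patient": MANAGE, "appointment": MANAGE, "submission": MANAGE,
        "audit_log": frozenset({"read", "export"}),
    },
    "provider": {"patient": MANAGE, "appointment": MANAGE, "submission": MANAGE},
    "staff": {"patient": MANAGE, "appointment": MANAGE},
    # Patients may only read, and only records that belong to them (checked below).
    "patient": {"patient": READ, "appointment": READ, "submission": READ},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


@dataclass(frozen=True)
class Resource:
    kind: str                               # patient, appointment, submission, settings, ...
    owner_patient_id: Optional[str] = None  # which patient the record belongs to, if any


def is_allowed(principal: Principal, action: str, resource: Resource) -> bool:
    """Deny by default: unknown roles, resource kinds and actions all return False."""
    allowed = PERMISSIONS.get(principal.role, {}).get(resource.kind, frozenset())
    if action not in allowed:
        return False
    if principal.role == "patient":
        # Role check alone is not enough: patients are restricted to their own data.
        return resource.owner_patient_id == principal.user_id
    return True


def require(principal: Principal, action: str, resource: Resource) -> None:
    """Raise so a request handler fails closed instead of falling through."""
    if not is_allowed(principal, action, resource):
        raise PermissionError(f"{principal.role} may not {action} {resource.kind}")


if __name__ == "__main__":
    staff = Principal("u3", "staff")
    patient = Principal("p42", "patient")
    print(is_allowed(staff, "read", Resource("settings")))                  # False
    print(is_allowed(patient, "read", Resource("submission", "p42")))       # True
    print(is_allowed(patient, "read", Resource("submission", "p43")))       # False
```

The ownership check in the `patient` branch is the part most often missed in real systems: a role table says what a patient *can* do, but without comparing `owner_patient_id` to the caller every patient could read every other patient's records by changing an ID in a URL.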

Yes. A BAA is available on the Enterprise plan. The BAA establishes Formisoft as a business associate handling protected health information (PHI) on behalf of your covered entity. Contact our sales team to discuss Enterprise pricing and get a BAA in place.

All data is stored and processed exclusively in the United States on AWS infrastructure:

  • Database — AWS RDS PostgreSQL in a US region
  • File storage — AWS S3 in a US region
  • Application servers — US-based

Data never leaves US borders. This meets HIPAA requirements and many state-level healthcare data regulations.

Magic links use JWT (JSON Web Tokens) signed with a secret key:

  • Each token contains the patient ID, appointment ID, form IDs, and organization ID
  • Tokens expire after 7 days
  • No login or account creation required for patients
  • Tokens are single-use for appointment-based intake
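The four properties above (signed with a secret key, carries the patient, appointment, form and organization IDs, expires after 7 days, single-use) can all be checked in one verification routine. Below is an added, self-contained illustration in Python's standard library, not Formisoft's code: it assumes HS256 (HMAC-SHA256) as the signing algorithm and uses its own claim names, and the secret and IDs are constructed for the example. It goes slightly beyond the list by pinning the algorithm before checking the signature and by treating every malformed token the same way as a bad one.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Any, Dict, Iterable, Optional, Set

SEVEN_DAYS = 7 * 24 * 60 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_magic_token(secret: bytes, *, patient_id: str, appointment_id: str,
                      form_ids: Iterable[str], org_id: str,
                      now: Optional[int] = None) -> str:
    """Mint an HS256 JWT carrying the four IDs the page lists plus the claims
    needed to enforce expiry (exp) and single use (jti). Claim names are assumed."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "patient_id": patient_id, "appointment_id": appointment_id,
        "form_ids": list(form_ids), "org_id": org_id,
        "iat": now, "exp": now + SEVEN_DAYS,
        "jti": secrets.token_urlsafe(16),   # random id so each token can be consumed once
    }
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


class MagicLinkVerifier:
    """Verifies tokens and remembers consumed jti values. A real deployment would
    keep the used set in the database so it survives restarts and scales out."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._used: Set[str] = set()

    def redeem(self, token: str, now: Optional[int] = None) -> Optional[Dict[str, Any]]:
        """Return the claims on success, None on any failure (bad signature, wrong
        algorithm, expired, already used or malformed)."""
        now = int(time.time()) if now is None else now
        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header = json.loads(_b64url_decode(h_b64))
            # Pin the algorithm: never let the token choose it ('none', RS256, ...).
            if header.get("alg") != "HS256":
                return None
            expected = hmac.new(self._secret, f"{h_b64}.{p_b64}".encode("ascii"),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
                return None
            claims = json.loads(_b64url_decode(p_b64))
            if now >= int(claims["exp"]):
                return None
            jti = str(claims["jti"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return None
        if jti in self._used:
            return None   # single-use: a forwarded or reused link is rejected
        self._used.add(jti)
        return claims


if __name__ == "__main__":
    secret = b"constructed-example-secret"   # constructed, not a real key
    t0 = 1_700_000_000
    token = issue_magic_token(secret, patient_id="p42", appointment_id="a9",
                              form_ids=["intake", "consent"], org_id="org1", now=t0)
    verifier = MagicLinkVerifier(secret)
    print(verifier.redeem(token, now=t0 + 60) is not None)               # True
    print(verifier.redeem(token, now=t0 + 120))                          # None (already used)
    print(MagicLinkVerifier(secret).redeem(token, now=t0 + SEVEN_DAYS))  # None (expired)
```

Two choices matter for the defender: the signature is checked before the payload is parsed or trusted, and the `jti` is only marked used after every other check passes, so a forged or expired token cannot burn a legitimate one.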
