HIPAA-ready by default
Encryption, audit logging, role-based access, and a signed BAA on every plan — built for outpatient practices handling PHI.

ISO 27001
Certified under ISO/IEC 27001:2022. Independently audited annually.

ISO 27799
Certified under ISO 27799:2016. Health informatics security management for healthcare organizations.

HIPAA
Administrative, physical, and technical safeguards for all patient health information.
Defense in depth
Patient data is protected at every layer, from the moment it leaves a patient's device until it is stored in encrypted US infrastructure.
Safeguards
Technical and administrative controls across forms, patients, appointments, documents, and communications.
Encryption
PHI encrypted in the database, file storage, backups, and on every connection to our servers.
Audit logging
Every create, read, update, delete, export, and login recorded with user, timestamp, and IP.
Role-based access
Admin, Provider, Staff, and Patient roles. Permissions managed under Settings → Team.
Tenant isolation
Each organization’s data is architecturally separated. Cross-practice access is not possible.
US-only hosting
Databases, uploads, and application servers run exclusively in the United States.
Business Associate Agreement
Signed BAA included on every plan. Review under Settings → Compliance → HIPAA & BAA.
Frequently asked questions
Yes. Formisoft runs on ISO 27001 and ISO 27799 certified infrastructure and is designed to meet HIPAA's administrative, physical, and technical safeguard requirements:
- ISO 27001 information security management and ISO 27799 health informatics security
- 256-bit AES encryption at rest and TLS 1.3 in transit
- Role-based access controls with four permission levels
- Complete audit logging of all data access and modifications
- US-only data hosting
- Secure token generation for magic links
- Bcrypt password hashing and HMAC-signed webhooks
A Business Associate Agreement (BAA) is included on every plan.
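The "HMAC-signed webhooks" item above describes a standard pattern: the sender computes a MAC over the request body with a shared secret, and the receiver recomputes it before trusting the payload. The following is an added example written for this page, not Formisoft's own code; the header names, the timestamp-prefix message format and the five-minute replay window are assumptions made for the example.

```python
"""Added example (not Formisoft's code): HMAC-signed webhook delivery and
verification. Header names, message format and replay window are assumptions."""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"   # assumed header name
MAX_SKEW_SECONDS = 300                     # assumed replay window


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: MAC over "<timestamp>.<raw body>" so that a captured
    request cannot be replayed later under the same signature."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_webhook(secret: bytes, event: dict,
                  timestamp: Optional[int] = None) -> Tuple[Dict[str, str], bytes]:
    """Serialise an event deterministically and attach timestamp + signature headers."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        TIMESTAMP_HEADER: str(ts),
        SIGNATURE_HEADER: "sha256=" + sign_webhook(secret, body, ts),
    }
    return headers, body


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None) -> bool:
    """Receiver side: reject missing or stale timestamps first, then compare the
    recomputed MAC with hmac.compare_digest so the comparison is constant-time."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers[TIMESTAMP_HEADER])
        provided = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                       # outside the replay window
    if not provided.startswith("sha256="):
        return False                       # unexpected algorithm tag
    expected = "sha256=" + sign_webhook(secret, body, ts)
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed demo values; a real secret is generated per endpoint and kept server-side.
    secret = b"constructed-demo-secret"
    hdrs, body = build_webhook(secret, {"event": "submission.created", "id": 42},
                               timestamp=1_700_000_000)
    print(verify_webhook(secret, hdrs, body, now=1_700_000_010))           # True
    print(verify_webhook(secret, hdrs, body + b" ", now=1_700_000_010))    # False: body altered
    print(verify_webhook(secret, hdrs, body, now=1_700_000_000 + 3600))    # False: stale
```

The receiver must verify against the raw request bytes, not a re-serialised copy of the parsed JSON, since any whitespace or key-order difference changes the MAC. Binding the timestamp into the signed message is what makes the skew check meaningful; a timestamp header that is not covered by the MAC can simply be rewritten.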
Formisoft is hosted on infrastructure certified to international healthcare security standards:
- ISO 27001, information security management systems
- ISO 27799, security management in health informatics
These certifications complement our HIPAA-aligned administrative, physical, and technical safeguards, encryption, audit logging, and signed BAA on every plan.
Multiple encryption layers protect patient data:
- At rest - AES-256 encryption on all databases and file storage
- In transit - TLS 1.3 between browser and servers, and between Formisoft and all third-party services
- Passwords - hashed with bcrypt (10+ salt rounds)
- Form passwords and API tokens - cryptographically secured
Patient data never leaves US borders.
Every action in Formisoft is logged automatically. When anyone on your team performs an action, an audit entry is created with:
- Action type - create, read, update, delete, export, login
- Resource affected - patient, form, submission, appointment, etc.
- User who performed the action
- IP address and user agent (browser/device)
- Precise timestamp
Audit logs are admin-only, fully searchable, and exportable for HIPAA compliance reviews.
Four roles with distinct access levels:
- Admin - full access including team management, billing, organization settings, and all patient data
- Provider - view and manage patients, appointments, and submissions (no settings or billing)
- Staff - manage patients and appointments day-to-day (no settings)
- Patient - limited access to their own data only
Team members are invited by email and assigned a role by an admin. Roles can be changed at any time.
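The two answers above describe an audit entry's fields and the four roles. The example below, added for this page and not Formisoft's code, ties them together: a permission check that writes one audit entry (action type, resource, user, IP, user agent, timestamp) for every attempt, allowed or denied, and an admin-only search over the log. The permission matrix is my reading of the role descriptions, and the resource names are assumptions.

```python
"""Added example, not Formisoft's code: a role check that records an audit entry
with the fields listed in the FAQ. The permission matrix and resource names are
assumptions derived from the role descriptions, not Formisoft's actual policy."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

ACTIONS = {"create", "read", "update", "delete", "export", "login"}

# Assumed matrix: (role, resource) -> permitted actions.
PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("admin", "patient"):        {"create", "read", "update", "delete", "export"},
    ("admin", "appointment"):    {"create", "read", "update", "delete"},
    ("admin", "submission"):     {"read", "update", "delete", "export"},
    ("admin", "settings"):       {"read", "update"},
    ("admin", "billing"):        {"read", "update"},
    ("provider", "patient"):     {"create", "read", "update", "export"},
    ("provider", "appointment"): {"create", "read", "update", "delete"},
    ("provider", "submission"):  {"read", "update", "export"},
    ("staff", "patient"):        {"create", "read", "update"},
    ("staff", "appointment"):    {"create", "read", "update", "delete"},
    ("patient", "patient"):      {"read"},          # own record only, enforced below
    ("patient", "submission"):   {"create", "read"},
}


@dataclass(frozen=True)
class AuditEntry:
    action: str
    resource: str
    resource_id: str
    user: str
    ip: str
    user_agent: str
    timestamp: str      # ISO 8601, UTC
    allowed: bool       # denied attempts are recorded as well


@dataclass
class AuditLog:
    entries: List[AuditEntry] = field(default_factory=list)

    def record(self, entry: AuditEntry) -> None:
        self.entries.append(entry)

    def search(self, requester_role: str, **filters) -> List[AuditEntry]:
        """Admin-only, as the FAQ states; each filter must match an entry field exactly."""
        if requester_role != "admin":
            raise PermissionError("audit log is admin-only")
        return [e for e in self.entries
                if all(getattr(e, k) == v for k, v in filters.items())]


def authorize(log: AuditLog, *, user: str, role: str, action: str, resource: str,
              resource_id: str, ip: str, user_agent: str,
              owner: Optional[str] = None, now: Optional[datetime] = None) -> bool:
    """Decide whether `user` (with `role`) may perform `action` on `resource`,
    and write exactly one audit entry whatever the outcome."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    allowed = action in PERMISSIONS.get((role, resource), set())
    if role == "patient":
        # Patients only reach their own data: `owner` is the record's patient id.
        allowed = allowed and owner == user
    ts = (now or datetime.now(timezone.utc)).isoformat()
    log.record(AuditEntry(action, resource, resource_id, user, ip, user_agent, ts, allowed))
    return allowed


if __name__ == "__main__":
    # Constructed demo requests.
    log = AuditLog()
    when = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ua = "constructed-user-agent/1.0"
    print(authorize(log, user="dr-lee", role="provider", action="read", resource="patient",
                    resource_id="p-1", ip="203.0.113.10", user_agent=ua, now=when))   # True
    print(authorize(log, user="dr-lee", role="provider", action="update", resource="billing",
                    resource_id="org", ip="203.0.113.10", user_agent=ua, now=when))   # False
    print(authorize(log, user="p-2", role="patient", action="read", resource="patient",
                    resource_id="p-1", owner="p-1", ip="198.51.100.7", user_agent=ua,
                    now=when))                                                       # False
    print(len(log.search("admin", allowed=False)))                                   # 2
```

Recording denied attempts alongside allowed ones is what makes the log useful for a compliance review: a provider repeatedly probing billing settings, or a patient requesting another patient's record, shows up as a pattern rather than disappearing because the request failed. Deny by default (an absent `(role, resource)` key yields an empty permission set) keeps a newly added resource inaccessible until a rule is written for it.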
Yes. A BAA is included on every plan. The BAA establishes Formisoft as a business associate handling protected health information (PHI) on behalf of your covered entity. You accept the BAA during onboarding.
Start on secure infrastructure
HIPAA-aligned intake on US infrastructure. BAA from day one.