Security & HIPAA

Enterprise-grade protection for PHI

HIPAA-aligned infrastructure for intake, scheduling, messaging, and payments. Encryption, access controls, audit logging, and a BAA on every plan.

  • AES-256 encryption at rest
  • TLS 1.3 in transit
  • US data residency
  • BAA on every plan

Defense in depth

Patient data is protected at every layer, from the moment it leaves a patient's device until it is stored in encrypted US infrastructure.

1. Patient device: HTTPS / TLS 1.3
2. Formisoft application: authentication, RBAC, organization isolation
3. Encrypted storage: AES-256 database and files
4. Audit and compliance: immutable logs, BAA

Safeguards

Technical and administrative controls across forms, patients, appointments, documents, and communications.

Encryption

PHI encrypted in the database, file storage, backups, and on every connection to our servers.

Audit logging

Every create, read, update, delete, export, and login is recorded with the acting user, a timestamp, and the source IP address.

Role-based access

Admin, Provider, Staff, and Patient roles. Permissions managed under Settings → Team.

Tenant isolation

Each organization’s data is architecturally separated. Cross-practice access is not possible.

US-only hosting

Databases, uploads, and application servers run exclusively in the United States.

Business Associate Agreement

Signed BAA included on every plan. Review under Settings → Compliance → HIPAA & BAA.

Compliance program

Built to support your HIPAA obligations as a covered entity working with Formisoft as a business associate.

HIPAA-aligned

AES-256 encryption at rest and TLS 1.3 in transit

US-only storage and processing of PHI

Signed BAA on every plan

HIPAA Security Rule administrative, physical, and technical safeguards

Immutable audit trails for compliance review

Incident response with breach notification per the BAA

Annual risk assessments and security reviews

Employee security training and access reviews

Data retention and destruction policies

No sale of patient data; no advertising use of PHI

Patient data is not used to train AI models

Technical details

  • Passwords hashed with bcrypt
  • API keys hashed at rest; shown once at creation
  • HSTS enforced on all connections
  • Digital signatures with tamper-detection
  • CSP, CSRF protection, and rate limiting
  • Encrypted backups with point-in-time recovery

Compare HIPAA form builders on our compliance comparison page.

Frequently asked questions

Yes. Formisoft is designed to meet HIPAA's administrative, physical, and technical safeguard requirements:

  • 256-bit AES encryption at rest and TLS 1.3 in transit
  • Role-based access controls with four permission levels
  • Complete audit logging of all data access and modifications
  • US-only data hosting
  • Secure token generation for magic links
  • Bcrypt password hashing and HMAC-signed webhooks

A Business Associate Agreement (BAA) is included on every plan.

Multiple encryption layers protect patient data:

  • At rest - AES-256 encryption on all databases and file storage
  • In transit - TLS 1.3 between browser and servers, and between Formisoft and all third-party services
  • Passwords - hashed with bcrypt (10+ salt rounds)
  • Form passwords and API tokens - cryptographically secured

Patient data never leaves US borders.

Every action in Formisoft is logged automatically. When anyone on your team performs an action, an audit entry is created with:

  • Action type - create, read, update, delete, export, login
  • Resource affected - patient, form, submission, appointment, etc.
  • User who performed the action
  • IP address and user agent (browser/device)
  • Precise timestamp

Audit logs are admin-only, fully searchable, and exportable for HIPAA compliance reviews.
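One way an audit trail carrying the fields listed above can be made tamper-evident, so that a later edit or deletion of an entry is detectable during a compliance review. This is an added example, not Formisoft's implementation; the field names, the hash-chaining scheme, the sample entries and the user identities are all constructed for illustration.

```python
"""Hash-chained, tamper-evident audit trail (added example, not Formisoft's code)."""
import hashlib
import json
from dataclasses import dataclass, asdict

# Action vocabulary taken from the FAQ: create, read, update, delete, export, login
ALLOWED_ACTIONS = {"create", "read", "update", "delete", "export", "login"}


@dataclass
class AuditEntry:
    action: str        # one of ALLOWED_ACTIONS
    resource: str      # patient, form, submission, appointment, ...
    resource_id: str
    user: str          # who performed the action
    ip: str            # source IP address
    user_agent: str    # browser / device string
    timestamp: str     # ISO 8601 UTC timestamp
    prev_hash: str     # hash of the previous entry (chain link)
    entry_hash: str    # hash over every field above, including prev_hash


def _canonical(fields: dict) -> bytes:
    # Deterministic serialisation so the same entry always hashes the same way
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash_of(entry: AuditEntry) -> str:
        fields = asdict(entry)
        fields.pop("entry_hash")
        return hashlib.sha256(_canonical(fields)).hexdigest()

    def append(self, action, resource, resource_id, user, ip, user_agent, timestamp):
        """Record an action; each entry commits to the hash of the one before it."""
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown audit action: {action!r}")
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = AuditEntry(action, resource, resource_id, user, ip, user_agent,
                           timestamp, prev, entry_hash="")
        entry.entry_hash = self._hash_of(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain. Returns (True, -1) if intact, else (False, index of the
        first entry whose contents or link no longer match)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry.prev_hash != prev or entry.entry_hash != self._hash_of(entry):
                return False, i
            prev = entry.entry_hash
        return True, -1

    def search(self, **filters):
        """Simple field-equality search, e.g. search(user=..., action=...)."""
        return [e for e in self.entries
                if all(getattr(e, k) == v for k, v in filters.items())]


def build_sample_log() -> AuditLog:
    """Constructed sample entries (not real users, addresses or records)."""
    log = AuditLog()
    ua = "Mozilla/5.0 (constructed sample user agent)"
    log.append("login", "session", "sess_1", "admin@clinic.example",
               "198.51.100.10", ua, "2024-05-01T14:02:11Z")
    log.append("read", "patient", "pat_1042", "dr.lee@clinic.example",
               "198.51.100.23", ua, "2024-05-01T14:05:40Z")
    log.append("update", "appointment", "appt_77", "staff.kim@clinic.example",
               "198.51.100.31", ua, "2024-05-01T14:09:02Z")
    log.append("export", "submission", "sub_9", "dr.lee@clinic.example",
               "198.51.100.23", ua, "2024-05-01T14:15:55Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    log.entries[1].ip = "203.0.113.99"   # simulate an after-the-fact edit
    print("after edit:", log.verify())
```

The chain only detects tampering; it does not prevent it. In practice the entries would be written to append-only storage and the latest `entry_hash` periodically anchored (signed or stored out of band) so that a wholesale rewrite of the log is also detectable.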

Four roles with distinct access levels:

  • Admin - full access including team management, billing, organization settings, and all patient data
  • Provider - view and manage patients, appointments, and submissions (no settings or billing)
  • Staff - manage patients and appointments day-to-day (no settings)
  • Patient - limited access to their own data only

Team members are invited by email and assigned a role by an admin. Roles can be changed at any time.

Yes. A BAA is included on every plan. The BAA establishes Formisoft as a business associate handling protected health information (PHI) on behalf of your covered entity. You accept the BAA during onboarding.

All data is stored and processed exclusively in the United States:

  • Database - encrypted, US-hosted
  • File storage - encrypted, US-hosted
  • Application servers - US-based

Data never leaves US borders. This meets HIPAA requirements and many state-level healthcare data regulations.

Magic links use JWT (JSON Web Tokens) signed with a secret key:

  • Each token contains the patient ID, appointment ID, form IDs, and organization ID
  • Tokens expire after 7 days
  • No login or account creation required for patients
  • Tokens are single-use for appointment-based intake
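The token flow described above, worked through as an added example: an HS256-signed JWT carrying the patient, appointment, form and organization IDs, a 7-day expiry, and a token ID that the verifier records so each link is accepted once. This is not Formisoft's code; the claim names, the signing secret, the status strings and the `consumed_jtis` store are assumptions, and the example uses only the standard library rather than a JWT package.

```python
"""Signed, expiring, single-use magic-link tokens (added example, not Formisoft's code)."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example; a deployment would load the secret from a secret store.
SIGNING_SECRET = b"example-magic-link-signing-secret"
TOKEN_TTL_SECONDS = 7 * 24 * 60 * 60  # the FAQ states tokens expire after 7 days


def _b64url_encode(data: bytes) -> str:
    # JWT segments are unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SIGNING_SECRET, signing_input, hashlib.sha256).digest()


def _json_segment(obj) -> str:
    return _b64url_encode(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())


def issue_magic_link_token(patient_id, appointment_id, form_ids, org_id, now):
    """Mint a token with the claims the FAQ lists, an expiry, and a random jti."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": patient_id,
        "appointment_id": appointment_id,
        "form_ids": list(form_ids),
        "org_id": org_id,
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(16),   # unique ID used to enforce single use
    }
    signing_input = f"{_json_segment(header)}.{_json_segment(claims)}"
    return f"{signing_input}.{_b64url_encode(_sign(signing_input.encode('ascii')))}"


def verify_magic_link_token(token, expected_org_id, consumed_jtis, now):
    """Return (status, claims); only status "ok" means the link may be used.
    consumed_jtis is the caller's store of already-used token IDs (a set here;
    a shared store in a real service) and is updated on success."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed", None
    header_b64, claims_b64, sig_b64 = parts
    # 1. Verify the signature before trusting anything inside the token. The
    #    algorithm is fixed by the verifier, never read from the token header.
    expected_sig = _sign(f"{header_b64}.{claims_b64}".encode("ascii"))
    try:
        actual_sig = _b64url_decode(sig_b64)
    except ValueError:
        return "malformed", None
    if not hmac.compare_digest(expected_sig, actual_sig):
        return "bad_signature", None
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        return "malformed", None
    if not isinstance(claims, dict):
        return "malformed", None
    # 2. Expiry
    if claims.get("exp", 0) <= now:
        return "expired", claims
    # 3. Tenant binding: the token must belong to the organization being accessed
    if claims.get("org_id") != expected_org_id:
        return "wrong_org", claims
    # 4. Single use: reject a jti that has already been redeemed
    jti = claims.get("jti")
    if not jti or jti in consumed_jtis:
        return "already_used", claims
    consumed_jtis.add(jti)
    return "ok", claims


def modify_claims_unsigned(token, **changes):
    """Rewrite the claims segment while keeping the old signature; used in the
    checks below to confirm that any edit to signed claims is rejected."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(changes)
    return f"{header_b64}.{_json_segment(claims)}.{sig_b64}"


if __name__ == "__main__":
    now = 1_700_000_000
    used = set()
    tok = issue_magic_link_token("pat_1", "appt_9", ["form_intake"], "org_42", now)
    print(verify_magic_link_token(tok, "org_42", used, now + 60)[0])   # ok
    print(verify_magic_link_token(tok, "org_42", used, now + 60)[0])   # already_used
```

Two points the code makes explicit: the signature is checked with a constant-time comparison before any claim is read, and single use is enforced by the verifier's own record of redeemed `jti` values, not by anything the token itself can carry.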

Important: Formisoft provides HIPAA-aligned tools and infrastructure. Your organization remains the covered entity and is responsible for its compliance program. Consult your compliance officer or legal counsel for guidance specific to your practice.

Ready for a compliance review?

We can provide BAA details, subprocessors, and a walkthrough of our safeguards.