HIPAA Security You Can Trust

Automatic BAA. Encryption in transit and at rest. Built for healthcare workflows.

  • HIPAA-compliant
  • Automatic BAA
  • Encryption (at rest & in transit)
  • Audit logs
  • Stripe (PCI compliant)
  • Verifiable e-signature
  • Secure form links
  • No human or AI access

Business Associate Agreement (BAA)

  • We automatically provide a BAA for HIPAA-covered usage.
  • The BAA is digitally signed automatically when you sign up for a HIPAA-compliant plan.
  • Covers our responsibilities as a Business Associate for protecting PHI.
  • Your signed BAA is always available at /billing if it was signed during HIPAA plan signup.

Data Security & Encryption

  • Encryption in transit via TLS (current TLS standards).
  • Encryption at rest (AES-256).
  • Encryption keys managed with KMS (key management system).
  • No PHI in emails—patients access forms via secure links.

Access Boundaries & PHI Privacy

  • Form submissions containing PHI are accessible only to the form owner and authorized collaborators.
  • PHI data is never available to our staff.
  • We do not share form submission data with third parties except sub-processors required to operate the service (e.g., hosting). We have a BAA in place with those vendors, and data is always encrypted.
  • No PHI is ever routed to any AI model; AI models are used only to help construct the forms.

Your patients' submission data stays inside your ChatterForms account.

Audit Logs & Tracking

  • We maintain audit logs for key actions (form access, submission events, publishing changes).
  • Submission activity is tracked for traceability and compliance workflows.
  • Security monitoring and alerting help detect suspicious behavior.

Access Controls

  • Role-based permissions for collaborators (where enabled).
  • Session controls and automatic timeouts.
  • Least-privilege access practices.

Payments

  • Stripe handles all card data (PCI compliant).
  • ChatterForms does not store credit card numbers.

AI & PHI

  • No PHI is ever routed to any AI model.
  • AI models are used only to help construct the forms, not to process or analyze PHI.
  • AI features operate within your workspace context.
  • You control what you generate and publish.

Have security questions?

We're happy to walk you through our HIPAA security approach.

View your BAA at /billing