Collect patient intake, screenings, and consent on TendForm — under a signed BAA, with patient data isolated in its own encrypted enclave and every access logged. Not marketing gloss: here's exactly how it works.
HIPAA forms don't share a database with anything else. Their responses live in a separate, self-run Postgres cluster in its own locked-down namespace — one place, one credential set, one backup. Nothing else on TendForm touches it.
Every answer is sealed with authenticated AES-256 encryption before it's written, using a key held outside the database. Disks are encrypted too — so a stolen backup is ciphertext, not patient data.
Reading a patient response leaves a record: who, what, when, from where. There's no way to view PHI without an audit entry — that trail is the answer to “show me who touched this.”
Audit logs and patient responses are archived to write-protected object storage that no application key can delete, and retained for seven years — beyond the six HIPAA requires, matching the longer windows many state medical-record laws expect — then expired automatically.
On the HIPAA plan we sign a Business Associate Agreement with you. Our infrastructure runs on a provider that has signed a BAA with us, on their HIPAA-covered services.
HIPAA forms are never ad-supported and never edge-cached. Submissions go straight to the API over TLS. Analytics stay anonymous — no PHI ever reaches them.
A dedicated Postgres enclave (CloudNativePG on Kubernetes) with a default-deny network policy: only the app can reach it, only over TLS, never from the public internet. ePHI lives in exactly one place we can point to.
Envelope encryption on every PHI field (a per-record key wrapped by a master key kept out of the database), on top of provider disk encryption at rest and TLS in transit.
A least-privilege database role, database-level audit (pgaudit), and an application access log that records every read, export, and decryption of a response.
Continuous backups to object storage with a documented, monthly-tested restore drill — because under HIPAA, an untested backup isn't a backup.
HIPAA compliance is never one vendor's checkbox. TendForm provides the safeguards — isolation, encryption, audit, retention — and signs a BAA. You, as the covered entity, are responsible for signing that BAA, configuring your forms, managing your staff's access, and running your own risk assessment. We self-assess annually using the free HHS Security Risk Assessment (SRA) Tool, and we'll share our architecture with your compliance team on request.
No product is — there is no official “HIPAA certification.” TendForm is HIPAA-ready: we sign a Business Associate Agreement and implement the Security Rule's technical safeguards (access control, audit, integrity, transmission security, encryption). Compliance is shared: you're responsible for configuring your forms correctly, controlling your own staff's access, and signing the BAA.
Upgrade to the HIPAA plan, accept the BAA, then flip a form (or your whole account) into HIPAA mode. From that point its responses route into the encrypted enclave with full audit logging. Forms without HIPAA mode are unaffected.
In a single, isolated Postgres enclave and its dedicated encrypted-archive buckets — separate from the rest of TendForm. That one-sentence answer is the point of the design: your compliance reviewer always knows exactly where ePHI is.
Yes. Every access to a patient response is recorded and retained for seven years. Account admins (and read-only auditors you designate) can query and export the access history.
DigitalOcean (compute, Kubernetes, object storage — under a signed BAA on their HIPAA-covered services) and Cloudflare (edge/TLS for non-PHI marketing pages). HIPAA form submissions bypass the edge cache and go straight to the API.
Upgrade to the HIPAA plan, sign the BAA, and flip on HIPAA mode.
“HIPAA-ready” describes TendForm's safeguards and our willingness to sign a BAA. It is not a certification or legal advice. Compliance depends on how you configure and use the product.