
Is Microsoft Forms HIPAA-compliant? No. (But Microsoft Forms Pro probably is.)

Anonymous
2024-05-19T01:58:43+00:00

TL;DR

  • The company states that Microsoft Forms is an "in-scope service" with regard to HIPAA & HITECH compliance, i.e., Forms is HIPAA-compliant.
  • Forms adds this statement to the form footer: "The owner of this form has not provided a privacy statement as to how they will use your response data. Do not provide personal or sensitive information."
  • That statement renders the form unusable because (a) the statement contradicts the very purpose of the form; (b) Microsoft does not allow customers to modify the footer; and (c) with the contradictory statement and without a link to a privacy statement, the form is no longer HIPAA-compliant.
  • Microsoft Forms Pro, which does allow customers to modify the footer, thus appears to be HIPAA-compliant.
  • Question: Do you see anything in my analysis that is incorrect?

Comment

  • Why does Microsoft do things like this?! Are they trying to drive away business? Google Forms is HIPAA-compliant and much easier to use. Google Forms is not as feature rich as Microsoft Forms, which is why I looked at Microsoft's offering, but good golly Miss Molly, what a mess Microsoft has made of it.

Background

  • I have a Microsoft 365 Business Premium account.
  • I am a "covered entity" (healthcare provider) as defined by HIPAA.
  • Microsoft Forms is (supposedly) an "in-scope service" with regard to HIPAA & HITECH compliance, i.e., Microsoft Forms is HIPAA-compliant.
  • Thus, because of the account I have, and given that Forms is an in-scope service, I have a Business Associate Agreement with Microsoft (by default) that allegedly includes Forms (since Forms is listed as an "in-scope service") and should include Forms but, unfortunately, does not. Thus, my current BAA with Microsoft is misleading and erroneous. [edited on 31 May 2024]

Situation

  • I created a form that requests Protected Health Information (PHI), e.g., past or current psychiatric diagnosis, and Personally Identifiable Information (PII), e.g., date of birth.
  • Thus, strict adherence to the HIPAA Privacy Rule and Security Rule is very important.
  • As indicated above, I am—according to Microsoft—in compliance.
  • However, there is a problem. At the bottom of the form I created is this statement: "The owner of this form has not provided a privacy statement as to how they will use your response data. Do not provide personal or sensitive information." Those statements make the form unusable and no longer HIPAA-compliant.

Questions

  1. How do I create a Privacy Statement within my Microsoft account and link to it on the form?
  2. How do I remove this sentence: Do not provide personal or sensitive information?

Answers

  1. I think I know how (see posts, below), but I will need to pay for Microsoft Forms Pro to implement it.
  2. I cannot modify the footer unless I pay for Forms Pro.

Available Information (previous posts)

  • Microsoft Forms: how to provide a privacy statement? (13 Jun 2022) - "1. In the Microsoft365 admin center (Sign in with tenant admin account), choose Azure Active Directory." - I see no such directory in my admin center.
  • MS Forms - Update Footer / Privacy Statement is not possible (6 Nov 2023)
    Question: I believe there used to be the option to edit the footer of an MS Form to add a privacy statement - this seems to have disappeared. Can this functionality be brought back? It's a little contradictory to say 'The owner of this form has not provided a privacy statement ' when there is no option to add one!

    Response: One possibility is that the feature to customize the footer in Microsoft Forms is currently not available. According to a post here, this feature was available in the past but seems to have been removed. // Another possibility is that the feature is only available in certain versions of Microsoft Forms. For example, it might be available in Microsoft Forms Pro or Dynamics 365 Customer Voice, but not in the standard version of Microsoft Forms. [Link to the post below.]


4 answers

  1. Anonymous
    2024-05-30T10:33:00+00:00

    Hi Mia:

    Thank you for responding back to this form; however, I find it very frustrating as well that when you search "Are Microsoft Forms HIPAA Compliant" you are taken to a Microsoft page that states they are. Not only that, many other companies that deal with compliance state Forms is compliant, and break down the components which shows that it is.

    I just spent 2 days creating a very elaborate, labor intensive form to streamline Provider Referrals my practice receives, and then I read the privacy statement at the bottom and I was dumbfounded and decided to research again the status of this form being HIPAA compliant. With the privacy statement that is currently on the form and no way to replace it, I will now have to junk this form--and I didn't have 2 days to spare with this project to begin with. Most of my forms are tailored directly in my EMR, so I have very little use for Microsoft Forms (in fact this is only the second time I have had to use it in having my Microsoft Business account the past 5 years). So the idea of buying the Pro Version just to put my privacy statement on the form seems ridiculous.

    Sincerely,

    Rose

    1 person found this answer helpful.
  2. Anonymous
    2024-05-20T03:52:59+00:00

    Hello Mia,

    I appreciate your kind response.

    Another frustration (not your fault, of course) is that you must write, "we suggest you submit feedback directly to the product development team", which puts the onus on customers to help Microsoft improve their products.

    Why don't they let you (Community Moderators) relay helpful feedback to the product development team? That would be much more efficient and customer-centric.

    Sincerely,

    Mark

    1 person found this answer helpful.
  3. Anonymous
    2024-05-31T11:16:20+00:00

    Exactly!

    You articulate the problem even more vividly than I did.

    Microsoft could save a lot of money by allowing moderators to forward problems like this to the product development team. Fewer customers would leave; they could save money on user experience research; and they could prevent problems with regulatory authorities (a misleading statement about HIPAA-compliant products might get them in trouble).
  4. Anonymous
    2024-05-19T05:49:30+00:00

    Dear respected,

    Welcome to Microsoft Community.

    We went through your post carefully and we understand your demand of editing the form footer, but we are sorry to convey that, as you have correctly stated, Microsoft Forms is not HIPAA-compliant, but Microsoft Forms Pro is. Unfortunately, you cannot modify the footer in Microsoft Forms unless you have a Microsoft Forms Pro subscription.

    For such a feature limitation, we suggest you submit feedback directly to the product development team so they can hear your voice and provide a better user experience. See: How do I give feedback on Microsoft 365? - Microsoft Support

    Besides, to create a privacy statement and link to it on the form, you can create a separate document or webpage with the privacy statement and provide a link to it in the form in the description section.

    Feedback submitted this way goes directly to the related team. This is the best way to make the Forms product developers aware of this situation and of your requirements; your valuable ideas and suggestions will help improve the product and make it better for every user.

    I appreciate your time and effort in checking the above and thank you for your time and cooperation. I hope that you are keeping safe and well!

    Sincerely,

    Mia | Microsoft Community Moderator
