Creating drug-free workplaces begins with smarter workflows.
At FormFox, Inc., we're continuously innovating data and workflow solutions for the substance abuse testing industry. Our technology connects those who participate in workplace screening programs, including employers, collectors, laboratories, TPAs and MROs. With our partners, we strive to remove the dangers of substance abuse in the workplace. We have assumed the critical role of transforming the workflows surrounding screening processes, making them smarter and faster. Removing the risk of paper-based errors and inefficiencies, and streamlining and securing the transmission of information, are central to our mission and serve as the foundation of our FormFox web-based software solutions.
The rapid adoption of FormFox as the industry's preferred solution for electronic custody and control forms (eCCF) has simplified the screening process and facilitated quick, secure information exchange across a network of over 3,500 sites. In response to an increasingly self-serve world, we are working to expand the role of FormFox as a complete, integrated workflow solution set.
The FormFox name evokes the qualities we engineer into our software - intelligence and speed. These are the qualities to which we owe our success, and that we are systematically applying to electronic workflow management. FormFox workflows address the complex, variable processes found in our industry while meeting the unique needs of each participant, with ease and scale. Improving quality, increasing efficiency and ensuring compliance of screening programs is our way of creating drug-free workplaces.
FormFox, Inc. is based in Salt Lake City, Utah.
FormFox was developed by Compliance Information Systems, Inc. (CIS), a leading provider of
data management solutions in the drug testing industry for nearly twenty-five years.
FormFox handles a wide variety of specimen collection procedures:
- Laboratory-based urine specimens.
- Laboratory-based hair specimens.
- Laboratory-based oral fluid specimens.
- Laboratory-based blood specimens.
- Instant (POCT) tests using urine specimens.
For all of the above, FormFox guides the collector through the appropriate specimen collection
procedure and generates a custody and control form (CCF) in accordance with account-specific
information provided by the testing laboratory. Client instructions include the laboratory account
number, type of specimen, and any associated client demographic information required for the
collector to perform the procedure and generate a valid CCF. FormFox can generate both
electronic and paper CCFs, according to the needs of the participating laboratory, MRO, donor,
FormFox can also accept and disseminate donor and test demographic information. This allows
employers and service providers to order specimen collection services from FormFox-enabled
facilities, which greatly reduces data entry and procedural errors at the collection site. It also
facilitates more accurate data management and event tracking for laboratories and MROs by
eliminating errors that often occur with manual data entry.
Requirements To Get Started
You don't need much to utilize the power of FormFox! Below you will find the few things that you'll want to have ready for your FormFox implementation.
A good rule of thumb is to ask if your computer will support the items below.
Any internet connection will work for FormFox, the faster the better!
Adobe is necessary in order to print out the new custody and control form. Visit http://adobe.com
to download for free.
Signature Pad (Must have to deliver DOT eCCFs)
The signature pad that is supported by FormFox is called the "ePad VP9801 USB with Integrisign".
Any printer will do for printing out custody and control forms.
Barcode Scanner (optional)
We suggest a barcode image scanner that allows an image of the CCF to be captured (only works with IE).
The computer (or iPad) and printer need to be in the collection area where the samples are sealed. The computer can be set up with an ePad or ePad Ink and a barcode scanner, or you can use an iPad 3 or newer and use the camera to capture the barcodes.
FormFox Security Considerations
Data security is a predominant concern for any viable electronic CCF application environment, and FormFox adheres to the most stringent security standards and best practices for information technology systems.
The use of computing devices at the collection site has prompted concerns regarding the security of the data being gathered and the liabilities that may be put upon the collection site owners as they utilize these computing resources.
The architecture of the FormFox system minimizes security concerns ranging from system access vulnerabilities to the methods of passing data during the collection process. Application security and system security concerns are explained below.
Any access into the FormFox system requires username and password authentication. Authentication occurs on the web server. There is no local tablet or desktop app processing. The tablet app is essentially a browser instance on the tablet device. Interfaces with the tablet camera and signature capabilities are handled by the FormFox app. Data from these devices are streamed to the server. All other FormFox processing occurs on the web server.
FormFox has the following requirements for user passwords in the system:
- Minimum of 8 Characters in length.
- Contain at least 1 letter and 1 number.
- Cannot be the same as your last password.
- Cannot be the same as your username.
FormFox also makes use of a security question and answer that are associated with the user login. When a user wants to change or reset the password on their account they must first answer the security question correctly before they are allowed to make the change.
FormFox logs all user authentication activity in the system audit, which allows site admin users to review logins and login attempts.
Passwords in FormFox expire after 90 days and must be changed by the user or site administrator.
Passwords are stored in the FormFox database in an encrypted format.
A user's permissions are assigned to specifically reflect that user's role in the collection process and can be restricted by test type and administrative duties.
All user actions in the collection process and changes to user permissions are permanently logged and auditable.
Web Based Transactions
The FormFox system architecture is based upon the web model of server-client communications. FormFox is a web-based application that uses 128-bit Secure Sockets Layer (SSL) encryption for passing sensitive data from the web browser application on the local computing device to the FormFox web server. All data is encrypted at every step of the process, both in storage and in transmission.
Many web browsers offer an "Auto Complete" feature that allows the browser to save information locally on the browser such as passwords so that the user doesn't need to re-enter the password when they want to login to a particular web site. The FormFox web site disables this feature and requires the user to always enter their password for authentication purposes.
Some web sites will also store cookies on the local computing device to "remember" information entered during the browser session on that site. FormFox does not utilize cookies for any functions on the web site.
Image and Document Data
FormFox requires the collector and donor to sign their respective affidavits with a digitized signature capture device. Digitized signatures are considered image data. Digitized signature image data acquired in FormFox with tablet applications or desktop signature-capture peripherals is streamed directly to the web server, and there is never a copy of the image stored on the collector's computing device. The electronically captured signature is embedded in an encrypted chain of custody document and there is no image file of the signature itself. This encrypted document is stored on the secure servers. If the collection site's computing device were to be misplaced or stolen, there would be no Personal Identifying Information (PII) at risk.
FormFox generates five (5) distinct encrypted documents for each Federal collection event:
- COPY 1: Laboratory Copy.
- COPY 2: MRO Copy.
- COPY 3: Collector Copy.
- COPY 4: Employer Copy.
- COPY 5: Employee Copy.
Each of these encrypted PDFs is indexed to the unique FormFox transaction ID number and the unique FormFox Specimen ID obtained from the security seals used for the collection event. All Copies are rendered at the time of the collection event and cannot be changed or altered. COPY 2 of the CCF is automatically transmitted to the designated MRO via web service, secure web site access, or secure fax.
The Employer Copy can be transmitted in the same fashion or printed by the collection site for physical delivery to the employer.
FormFox provides the donor the option of receiving the Employee Copy via secure email, SMS, or printed copy at the time of collection. All copies of the FormFox CCF are stored for 7 years in the FormFox database and can be retrieved by those authorized to do so (labs, MROs, collectors, employers, and employees). All FormFox documents are stored as encrypted PDFs and access control is governed as described in this document.
As part of periodic security reviews, FormFox is subject to penetration testing to analyze vulnerabilities and prevent malicious attempts to access the FormFox web site. This testing is conducted both by FormFox and by outside entities that conduct testing and security audits without FormFox's prior knowledge and provide feedback to FormFox concerning the results of these tests and audits.
Release Process and Patch Management
FormFox is updated regularly to ensure proper functionality, provide enhancements to the collection process and address potential security risks. Programmatic work is done in a development environment at FormFox that is subjected to multiple rounds of both manual and automated testing before being updated to the production site and apps. This testing encompasses both functional aspects of FormFox and analyzes potential security risks before any programmatic changes are made live. Between full releases patches may be implemented to immediately address any functional problems or security vulnerabilities.
The computing devices that will be using FormFox access the internet through the collection site's internal network. Network security is governed by the network owner's security policy.
The credentials used to access the computing device as well as web site access permissions are determined by the owner of the network and are managed by that owner's system administration staff. The network owner is responsible for network and device security. FormFox can assist network and device owners and operators in assessing the suitability of their organization's security.
Physical Security and Hosting Environment
The primary hosting facility for FormFox is a dedicated, secure data center in Salt Lake City, UT. This
facility adheres to strict SSAE 16 Type II guidelines and is subject to AICPA/SOC security audits.
Controls include, but are not limited to:
- Perimeter fencing with secure and audited entry points.
- Audited biometric access to data center.
- Strict vetting of all employees and visitors to the facility.
- 24-hour video surveillance.
- On-site security personnel and systems monitoring 24 hours per day, 365 days per year.
- Automatic emergency power generation.
- Continuous cooling.
- Lightning protection.
FormFox also has a contracted disaster-recovery co-location site that adheres to these same stringent