@duffcloudservices/site-forms 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +34 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -255,6 +255,40 @@ pnpm --filter @duffcloudservices/site-forms test # vitest --run
|
|
|
255
255
|
pnpm --filter @duffcloudservices/site-forms type-check # vue-tsc --noEmit
|
|
256
256
|
```
|
|
257
257
|
|
|
258
|
+
## Compliance requirements for form submissions
|
|
259
|
+
|
|
260
|
+
### Sensitive forms (`isSensitive: true`)
|
|
261
|
+
|
|
262
|
+
Forms flagged as sensitive (law firm intake, HIPAA intake, any privilege-sensitive questionnaire) carry platform-enforced rules that form authors and site integrators must not override:
|
|
263
|
+
|
|
264
|
+
1. **Notification emails suppress submission content.** When `isSensitive: true`, the portal notification email for a new submission contains only a portal link — never field values, names, or any submission body. This is required for attorney-client privilege (ABA Rule 1.6) and HIPAA confidentiality.
|
|
265
|
+
|
|
266
|
+
2. **Access audit logging.** Every time a portal user opens a sensitive-form submission, the platform writes an audit log entry (`PortalAuditLog`, event: `submission_viewed`). This cannot be disabled.
|
|
267
|
+
|
|
268
|
+
3. **Set via portal, not YAML.** The `isSensitive` flag lives in the `PortalSiteForms` table (managed via the portal Form Manager). It is not part of the `.dcs/forms/*.yaml` snapshot — the runtime itself has no concept of sensitivity.
|
|
269
|
+
|
|
270
|
+
### Form version tracking
|
|
271
|
+
|
|
272
|
+
Every submission row stores `formVersion` (the schema version of the form at submission time). If a form's fields change after submissions are collected, old submissions remain interpretable: the portal can reconstruct what was shown by looking up the version-keyed schema. This is required for compliance audit trails.
|
|
273
|
+
|
|
274
|
+
### General form requirements
|
|
275
|
+
|
|
276
|
+
All DCS-managed forms that collect personal data must:
|
|
277
|
+
- Link a Privacy Policy URL in proximity to the submit action
|
|
278
|
+
- Store `formVersionId`, submission timestamp, and submitter IP with every submission row (handled automatically by the platform)
|
|
279
|
+
- Not collect unnecessary data fields (data minimization)
|
|
280
|
+
|
|
281
|
+
### Intake questionnaires (attorneys, healthcare)
|
|
282
|
+
|
|
283
|
+
Use the **Legal Intake — Standard** form template (created via the portal Form Manager → Templates) when building intake forms for law firms. This template:
|
|
284
|
+
- Pre-populates the attorney-client privilege disclaimer and consent checkbox (non-removable)
|
|
285
|
+
- Automatically sets `isSensitive: true`
|
|
286
|
+
- Includes matter-type and adverse-parties fields for conflict screening
|
|
287
|
+
|
|
288
|
+
For healthcare intake, mark the form as `FormKind: "hipaa"` so the submission handler applies PHI-aware redaction for notification emails.
|
|
289
|
+
|
|
290
|
+
---
|
|
291
|
+
|
|
258
292
|
## Related docs
|
|
259
293
|
|
|
260
294
|
- **Authoring guide** — [`.docs/forms/AUTHORING.md`](../../.docs/forms/AUTHORING.md)
|
package/package.json
CHANGED