The form data is encrypted on submit and transmitted over TLS/SSL (with included encryption).  At rest, the data is stored on AWS RDS database that uses AES-256 encryption.  Here is more on the RDS encryption: LINK

Each submitted form has unique double-key AES-256 encryption. 

Below is a dataflow diagram of the PHI data after submit.