Is DocuSign HIPAA Compliant?

Historically, processing claims, forms, and legal documents was an expensive and time-consuming affair that took place over fax and mail. DocuSign is one of the oldest companies in the electronic document processing space. Founded in 2004, the company has helped millions of users sign and validate documents online. Given the number of documents and communications that take place between patients, insurance providers, and care providers, DocuSign provides a straightforward way to process and onboard staff and customers. For this reason, DocuSign is used by a number of healthcare organizations.

How secure is DocuSign?

DocuSign is fairly secure, meeting a variety of certifications and standards:

• EU BCR (Binding Corporate Rules) Approval
• ISO 27001:2013
• SOC 2
• PCI DSS
• Cloud Security Alliance STAR
• Asia-Pacific Economic Cooperation Privacy Recognition for Processor

While there is no regulatory entity providing HIPAA certification, DocuSign allows HIPAA bound entities to remain compliant given they have an appropriate use case and meet certain conditions. 

How should healthcare organizations use DocuSign?

DocuSign has a variety of use cases that can benefit healthcare providers, including:   

• Physician credentialing
• Patient onboarding
• Audit and compliance processes
• Medical records updates
• Drug prescriptions 
• Lab reports
• Consent forms
• Claims processing
• Agent/broker onboarding
• Medicare/Medicaid forms
• Prior authorizations
• HIPAA forms
• Provider contracting

Some healthcare organizations that have used DocuSign include UCSF (University of California San Francisco), Santa Barbara’s Tri-Counties Regional Center, and Covered California.

What’s needed to make DocuSign HIPAA compliant?

In a white paper titled DocuSign eSignature for HIPAA Compliance, the company outlines that before sharing PHI over DocuSign, HIPAA covered entities must sign a BAA and be on an enterprise account. The white paper also highlights some of the features it provides to meet HIPAA Security Rule requirements, such as:

• A complete, court-admissible audit trail accompanies each document
• AES 256 encryption
• Digital audit trails for every envelope that captures the name, email address, authentication method, public IP address, envelope action and timestamp

You’ll likely find that in order to meet your full obligations under HIPAA, your organization will need to invest in a variety of security controls and implement crucial security processes informing employees of appropriate behavior over SaaS applications like DocuSign. For example, the HIPAA Security Rule requires access control policies and procedures that only allow authorized persons to have access to e-PHI. In order to ensure this is the case with DocuSign, you’ll likely want to formalize rules around password strength or implement a control like single sign on (SSO).

For a full understanding of how the HIPAA Security Rule might map to SaaS applications like DocuSign, review our Guide to HIPAA Compliance Checklist. It has important details you’ll want to ask any SaaS provider as a HIPAA covered entity. You can also learn more about the HIPAA Security Rule requirements from our Ultimate HIPAA Security and Compliance FAQ, which can be read for free online.