
Is DocuSign HIPAA Compliant?

by Michael Osakwe Published Jul 28, 2021

Historically, processing claims, forms, and legal documents was an expensive and time-consuming affair that took place over fax and mail. DocuSign is one of the oldest companies in the electronic document processing space. Founded in 2004, the company has helped millions of users sign and validate documents online. Given the number of documents and communications that take place between patients, insurance providers, and care providers, DocuSign provides a straightforward way to process and onboard staff and customers. For this reason, DocuSign is used by a number of healthcare organizations.

How secure is DocuSign?

DocuSign is fairly secure, meeting a variety of certifications and standards:

While there is no regulatory entity that certifies HIPAA compliance, DocuSign allows HIPAA-bound entities to remain compliant, provided they have an appropriate use case and meet certain conditions.

How should healthcare organizations use DocuSign?

DocuSign has a variety of use cases that can benefit healthcare providers, including:

  • Physician credentialing
  • Patient onboarding
  • Audit and compliance processes
  • Medical records updates
  • Drug prescriptions
  • Lab reports
  • Consent forms
  • Claims processing
  • Agent/broker onboarding
  • Medicare/Medicaid forms
  • Prior authorizations
  • HIPAA forms
  • Provider contracting

Some healthcare organizations that have used DocuSign include UCSF (University of California San Francisco), Santa Barbara’s Tri-Counties Regional Center, and Covered California.

What’s needed to make DocuSign HIPAA compliant?

In a white paper titled DocuSign eSignature for HIPAA Compliance, the company outlines that before sharing PHI over DocuSign, HIPAA covered entities must sign a BAA and be on an enterprise account. The white paper also highlights some of the features it provides to meet HIPAA Security Rule requirements, such as:

  • A complete, court-admissible audit trail accompanies each document
  • AES 256 encryption
  • Digital audit trails for every envelope that capture the name, email address, authentication method, public IP address, envelope action, and timestamp

You’ll likely find that in order to meet your full obligations under HIPAA, your organization will need to invest in a variety of security controls and implement security processes that tell employees what behavior is appropriate in SaaS applications like DocuSign. For example, the HIPAA Security Rule requires access control policies and procedures that allow only authorized persons to access e-PHI. To ensure this is the case with DocuSign, you’ll likely want to formalize rules around password strength or implement a control like single sign-on (SSO).

For a full understanding of how the HIPAA Security Rule might map to SaaS applications like DocuSign, review our Guide to HIPAA Compliance Checklist. It covers important questions you’ll want to ask any SaaS provider as a HIPAA covered entity.
