Is DocuSign HIPAA compliant?

Modern healthcare organizations often need to collect electronic signatures when accepting patients and obtaining consent for medical procedures. They also need patients to consent to data sharing when necessary, and the ability to get a signature electronically without a physical visit to a healthcare facility saves everyone time and money.

Electronic communication streamlines patient care and administrative functions, benefiting everyone involved in the healthcare experience.

DocuSign offers healthcare companies a comprehensive solution for exchanging sensitive documents such as contracts, human resources documentation, business agreements, and patient communication. The software enables signatures to be gathered electronically to facilitate fast action and eliminate unnecessary delays in providing healthcare. 

But is DocuSign HIPAA compliant? The short answer is yes, DocuSign is HIPAA compliant, but only when used properly and with the appropriate safeguards in place. We’ll explore these caveats in more detail below. 

In this article:  

• What makes a software solution HIPAA compliant?
• Security Rule safeguards
• Is DocuSign HIPAA compliant?
• DocuSign's HIPAA-compliant solution for healthcare
• Data loss prevention strengthens HIPAA compliance
• Frequently asked questions

Wh‎at makes a software solution HIPAA compliant?

When operating in the U.S. healthcare industry, organizations need to comply with HIPAA data privacy and security regulations. Compliance extends to software products and services an organization employs to collect, store, and process data that includes a patient’s protected health information (PHI).

When PHI is used, collected, and processed digitally, it is referred to as electronic protected health information (ePHI).

Specifically, the HIPAA Security Rule addresses the HIPAA safeguards that need to be taken to protect ePHI. The Security Rule defines administrative, technical, and physical safeguards that must be in place to protect ePHI.

‎Healthcare organizations, considered covered entities in HIPAA terminology, need to take the following actions to maintain compliance with security regulations.

• Companies have to ensure the confidentiality, integrity, and availability of any ePHI they collect, create, store, or transmit.
• All anticipated threats against ePHI need to be identified and addressed to protect the data.
• Protection needs to be implemented to address the impermissible use or unapproved disclosure of ePHI.
• All members of the workforce need to be trained regarding HIPAA compliance and their role in protecting sensitive information.

Organizations need to perform risk analysis to determine specific threats to their ePHI. The risk analysis process must include:

• Evaluating the possibility and impact of risks to ePHI
• Implementing security measures to address the identified risks
• Documenting the security measures and the reasons they were implemented
• Maintaining continuous and appropriate security controls

Se‎curity Rule safeguards

‎Now, let’s look at some of the specific Security Rule safeguards that affect the HIPAA compliance of a software solution. The product needs to be capable of allowing a healthcare organization to meet these protective requirements by addressing the following HIPAA safeguards.

Administrative safeguards

Information access management is a crucial administrative safeguard that needs to be in place to protect any software processing ePHI. Organizations must ensure that only authorized personnel have access to the minimum amount of ePHI to perform their job.

Adopting role-based access controls (RBAC) supports this requirement and should be implemented for all software solutions involved with ePHI.

Technical safeguards

Multiple technical safeguards are designed to address software used to process ePHI.

• Access controls must be implemented to ensure that only authorized individuals can use or view ePHI.
• Audit controls have to be in place to record and examine access to systems containing ePHI.
• Policies must be in place to guard against ePHI being altered or destroyed.
• Data transmission security must be protected with measures such as encryption.

Is‎ DocuSign HIPAA compliant?

‎No software product is intrinsically compliant with HIPAA data security standards. The following are some of the ways DocuSign supports HIPAA compliance as long as healthcare service providers, other covered entities, and business associates implement the appropriate HIPAA safeguards to protect sensitive patient information.

• The electronic signatures collected in DocuSign provide an audit trail that is not available when filling out paper forms. The audit trail identifies actions taken with the document including when it was opened, viewed, and signed. Signed documents are digitally sealed using Public Key Infrastructure (PKI) to ensure no tampering occurs.
• Multi-factor authentication is supported via several techniques to address patient and client concerns. Identity verification can be carried out via:
  • Email addresses
  • One-time access codes
  • Phone calls
  • SMS text message passcodes
  • Photo ID verification
  • Face-to-face verification over a video connection
• DocuSign employs AES 256-bit encryption at all times to protect ePHI.
• DocuSign will enter into a Business Associate Agreement as a third-party provider with covered entities as mandated by HIPAA.
• DocuSign is ISO 27001, 27017, and 27018 certified as an information security management system, ensuring that it meets stringent international security standards.

Do‎cuSign's HIPAA-compliant solution for healthcare

‎DocuSign Agreement Cloud for Healthcare is a dedicated digital signature solution designed to meet the needs of organizations operating in the healthcare industry. It includes DocuSign eSignature for Certified EHRs, a software tool that streamlines patient intake by digitizing the manual paperwork process.

This DocuSign product offers flexibility, accessibility, and convenience for patients to complete necessary forms, HIPAA releases, and consents digitally from anywhere. This flexibility and convenience helps to improve the patient experience.

DocuSign Agreement Cloud for Healthcare can also pre-fill forms with patient data, meaning patients don't have to fill out the same information repeatedly—another aspect that can improve patient experience. Out-of-the-box, pre-defined fields such as demographics, insurance information, medications, and allergies streamlines template creation for staff.

Completed documents are automatically uploaded to the patient’s EHR, ensuring quick and accurate filing. The solution supports efficient filing with automated matching to patient records and assignment to corresponding EHR document types.

Some key benefits of DocuSign Agreement Cloud for Healthcare include:

• Compliant with ESIGN, UETA, and HIPAA regulations.
• ISO 27001:2013 certified, ensuring high information security assurance.
• All data is encrypted in transit and at rest.
• Each transaction includes a traceable, tamperproof and complete audit trail and exportable certificate of completion.

Da‎ta loss prevention strengthens HIPAA compliance

‎Data loss prevention (DLP) software strengthens HIPAA compliance by ensuring ePHI is not deliberately or accidentally misused throughout an organization. The Reveal Platform by Next is an advanced DLP solution that protects an organization from data leaks caused by malicious or unwitting insiders. Insider risks are hard to prevent and can cause irreparable damage to an organization, including violations and costly fines and penalties.

Reveal enforces a company’s data handling policy with intelligent endpoint agents that deliver machine learning at the point of risk. The platform identifies and categorizes data as it is being used to prevent its misuse.

Reveal also promotes a more HIPAA-conscious workforce by providing informative messaging that describes why an activity was restricted by the data handling policy.

Talk to us today and try Reveal with a free demo. You’ll quickly see the advantages of implementing Reveal in a HIPAA-regulated environment.

Fr‎equently asked questions

Why is multi-factor authentication important for protecting ePHI?

Multi-factor authentication is important for protecting ePHI due to the sensitive and potentially valuable nature of the information. Hackers target healthcare data for purposes of identity theft or blackmail and can subvert basic security measures with compromised login credentials harvested while phishing.

Multi-factor authentication makes it significantly more difficult for threat actors to gain unauthorized access to ePHI.

What is the importance of role-based access controls (RBACs)?

Role-based access controls are important because they provide a method of simplifying the management of ePHI access.

Companies can develop policies that assign a designated level of access to individuals or groups performing specific functions related to ePHI. Access will be restricted when individuals attempt to use ePHI in ways that do not conform to their role in the organization.

Why should risk assessments be performed regularly?

Risk assessments and compliance audits should be performed regularly to ensure that security measures are still aligned with business processes and data resources. As the IT environment evolves, new vulnerabilities may present a threat to the systems that process ePHI. Companies need to be prepared to modify their security posture to address new risks before they lead to data leaks or breaches.