Is DocuSign HIPAA Compliant?


Can healthcare organizations use DocuSign in association with electronic protected health information (ePHI) without breaking HIPAA Rules? Does DocuSign support HIPAA compliance?

DocuSign is a provider of electronic signature technology and transaction management services. Companies use DocuSign to obtain signatures on documents such as contracts, confirming that the documents have been read and understood and that their terms and conditions have been accepted.

eSignature services are useful in the healthcare industry as they can reduce the time taken on administrative tasks. Healthcare providers can use eSignature services on documents such as service level agreements, business associate agreements, patient consent forms, and credentialing forms. Many business associates sign their BAAs using electronic signatures.

However, before any eSignature service can be used on documents containing protected health information, the covered entity must enter into a business associate agreement with the service provider, because such providers are classed as business associates under HIPAA.

Can DocuSign Be Considered HIPAA Compliant?

For DocuSign to be HIPAA compliant, the company must be willing to enter into a BAA with a HIPAA-covered entity. It is stated on the DocuSign website that the company is prepared to sign a BAA and already has done so with healthcare providers and life science clients.

DocuSign additionally states that the company never accesses ePHI and that all documents passing through its service are secured. DocuSign says it satisfies its responsibilities with respect to ePHI, that it fully complies with HIPAA privacy and security requirements, and that it meets HHS requirements for digital signatures.

Before the service is used with any ePHI, a signed BAA must be obtained. As long as a covered entity obtains a signed BAA, DocuSign is a HIPAA-compliant eSignature service. To qualify for a BAA, users must sign up for an Enterprise account with DocuSign.