Here’s a question I hear quite often: “Is your eSignature platform HIPAA compliant?”
No eSignature solution can absolutely guarantee “HIPAA compliance” since part of HIPAA compliance comes down to how people end up using a given platform or tool.
With that said, I totally understand why this question is so common for me to hear. So, my answer to you is this: you can choose software that does follow best-in-class practices when it comes to protecting your data, per HIPAA guidelines.
While not an exhaustive list (ahem, read that again please!), here are just a few examples of how eSign by Edoc follows steps to secure data in a way that adheres to HIPAA guidelines:
1. Team member HIPAA training
First and foremost, knowing just how critical education and human behaviors are when it comes to data security and controls, Edoc has resources and ongoing training available for all staff members. All staff who are involved in any way with projects that may contain sensitive data are required to take and pass a test related to HIPAA compliance, a process which we document and complete on a regular basis.
We also have a written HIPAA and security policy to help enforce standards and best practices we follow and update. This document also outlines what should take place if any offense were to occur.
2. Team member access
Team members who have access to sensitive data only get access when needed. Because our team members are only given the minimum necessary access for them to do their work or to perform a specific task, we’re doing our best to minimize the chance for misuse of information.
3. End-to-end encryption
eSign by Edoc uses encryption to protect sensitive data in our platform. Documents signed with eSign are kept in encrypted cloud storage indefinitely.
4. The use of prevention practices
While we can’t control how people use our software (I hope I’m being clear on that, so that’s why I repeat myself!), we can encourage people to do their best to protect information related to our software.
A few examples of what we’d call our “prevention practices” include: offering two-factor authentication for organizations to use with their staff within eSign; enforcing MFA for our team members; and bucket versioning for eSign documents, to name just a few. We also follow the “principle of least privilege” (minimum necessary access) when creating new accounts for any administrative or IT users. Accounts and access are deactivated as soon as they are no longer needed.
5. Regular back-up of data
We use continuous and periodic (daily) back-ups with eSign by Edoc for data stored in the database. Versioning and archiving are used for documents in cloud storage according to our retention policy. Access to all stored data is restricted to whitelisted IPs and unique security keys, and it’s managed by an Identity and Access Management policy with access logging.
6. Signed Business Associate Agreement
For organizations that have data security/integrity standards they want to uphold, we sign a Business Associate Agreement. The aim of a Business Associate Agreement is to capture how both partnering parties are cooperating to follow best practices when handling PHI. (Ask us if you want to know more!)
7. eSign’s workflow
Our audit log is aimed at preventing misuse of electronic signatures and keeping an organization’s data protected. The audit log includes time stamping as well as IP address and browser collection for each signature.
More specifically, in order to sign a document in eSign by Edoc, a new user is invited by email. Passwords collected are stored in a one-way (hashed) form that cannot be decrypted, following industry-standard best practices. Edoc tracks the IP address and browser used at the time a document was signed. Altogether, these data points serve as a digital “fingerprint” of the signer (and help us to minimize the chance of “tampering”). Additionally, no emails from our system ever have attachments—which could contain sensitive data—by design.
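To make the workflow above concrete, here is an added illustration of the two pieces it describes: non-reversible password storage and a per-signature audit entry carrying the time stamp, IP address and browser. This is example code written for this article, not Edoc’s implementation; the field names, the PBKDF2 parameters and the document hash in the entry are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Password storage: salted PBKDF2-HMAC-SHA256 from the standard library.
# Only the random salt and the derived key are kept, so the stored record
# cannot be turned back into the password. (Iteration count is an assumption.)
PBKDF2_ITERATIONS = 600_000
REQUIRED_AUDIT_FIELDS = ("event", "timestamp", "signer", "ip", "user_agent", "document_sha256")

def hash_password(password: str) -> dict:
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "key": key.hex(), "iterations": PBKDF2_ITERATIONS}

def verify_password(password: str, stored: dict) -> bool:
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(stored["salt"]), stored["iterations"])
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(key.hex(), stored["key"])

def document_fingerprint(document: bytes) -> str:
    # SHA-256 of the signed bytes: any later change to the document changes this value.
    return hashlib.sha256(document).hexdigest()

def record_signature(document: bytes, signer: str, ip: str, user_agent: str,
                     when: str = "") -> dict:
    # One audit-log entry per signature: time stamp, signer, IP address, browser
    # (User-Agent string) and the document hash. `when` can be injected for
    # testing; it defaults to the current UTC time in ISO 8601 form.
    return {
        "event": "document_signed",
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "signer": signer,
        "ip": ip,
        "user_agent": user_agent,
        "document_sha256": document_fingerprint(document),
    }

def missing_audit_fields(entry: dict) -> list:
    # Defender-side check: an entry lacking any of these cannot serve as a
    # complete signer "fingerprint" and should be flagged before it is accepted.
    return [f for f in REQUIRED_AUDIT_FIELDS if not entry.get(f)]
```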
In Conclusion…
Although not an exhaustive list (see, there I am repeating myself again!), this article highlights several examples of how we follow practices to uphold the integrity of PHI and other data within the eSign platform.
Many data breaches occur because of unintentional mistakes by people. That’s why we do our best to educate our team, but we also encourage clients to continue to educate their staff on practices they can follow to handle all sensitive data.
The more people can know about sophisticated phishing attempts, access controls and implications, secure browsing and sharing of data, and other risks related to data breaches, the better off your organization will be.
Request a Demo
If you’re looking for a secure eSignature solution that complies with HIPAA rules, request a demo of eSign by Edoc today.