SignatureAPI now supports HIPAA compliance for organizations handling protected health information (PHI). If you work in US healthcare, or build tools that do, you can use SignatureAPI as part of a compliant e-signature workflow with the safeguards HIPAA requires.
What HIPAA Mode Includes
HIPAA mode is enabled per account. Once it is on, deliverable downloads require authentication with your API key instead of short-lived pre-signed URLs. A pre-signed URL is a bearer credential: anyone who obtains it can fetch the file until it expires, so a leaked or forwarded link is a PHI disclosure. An API-key-authenticated download, by contrast, can only be made by a caller holding a secret you control. Envelope-level access logs are available on request, and role-based access controls in the dashboard let you apply the principle of least privilege across your team.
SignatureAPI signs Business Associate Agreements (BAAs) on request, using the Bonterms Standard Business Associate Agreement v1 as the standard template.
Using It Compliantly
HIPAA requires that only authorized individuals access PHI. A ceremony link delivered over an unencrypted channel such as email or SMS can be intercepted or forwarded, so the link alone does not establish who is opening it and must be protected by a second authentication step. SignatureAPI supports two patterns:
- Combine Email Link and Email Code authentication to have SignatureAPI deliver the link and require a separate verification code.
- Use Email Code authentication to deliver the link yourself through your own channel, with SignatureAPI issuing the code.
If recipients already reach the ceremony through a secure, authenticated portal of your own, custom authentication lets you rely on that existing login instead of a second factor, since the link is never exposed over an unprotected channel.
Getting Started
To enable HIPAA mode, contact us. We will turn it on for your account and send the BAA for signature. From there, configure your envelopes with the authentication pattern that fits your workflow.
Learn more about HIPAA and SignatureAPI.