SignatureAPI supports HIPAA compliance for organizations handling protected health information (PHI). This page explains how to use SignatureAPI in a HIPAA-compliant manner and highlights key safeguards and configuration steps.

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act of 1996) is a U.S. law that sets standards for protecting sensitive health data. It applies to covered entities, such as healthcare providers and insurers, as well as their business associates—third parties that handle PHI on their behalf. HIPAA compliance requires administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of PHI.

Business Associate Agreements (BAAs)

SignatureAPI can sign Business Associate Agreements (BAAs) upon request, using the Bonterms Standard Business Associate Agreement v1 as our standard template.
BAAs are not automatically extended to all customers. If you require a BAA, please contact us to initiate the process.

Using SignatureAPI in a HIPAA-Compliant Way

SignatureAPI offers features to help you securely handle PHI, but your compliance also depends on how you implement and configure these features. To protect PHI and comply with HIPAA, you must secure document links sent via email or SMS with secondary authentication. By default, SignatureAPI emails ceremony URLs directly to recipients, which could expose PHI if intercepted. HIPAA requires that only authorized individuals can access PHI, so you must verify recipient identity before granting access.

Enforcing Secondary Authentication

When creating an envelope for recipients who will access PHI, set the ceremony_creation property to manual for each recipient. This prevents automatic email delivery, allowing you to control when and how links are sent. When delivering ceremony links via email, you have two secure options to ensure HIPAA compliance:
  1. SignatureAPI delivers ceremony links by email with enforced authentication:
  2. You deliver ceremony links by email with enforced authentication:
    • Set ceremony_creation to manual for each recipient.
    • When creating the ceremony, set the authentication method to email_code.
    • This generates a ceremony URL for each recipient, which you can distribute using your own secure email or SMS system.
    • Each recipient must enter a one-time code sent to their email before accessing the document.
If you deliver links through a secure, authenticated portal, secondary authentication via SignatureAPI is not required. See custom authentication for more details.
Never send direct-access links via unencrypted channels without secondary authentication. This risks PHI exposure and violates HIPAA requirements.
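As an added example (not SignatureAPI's own code), the following pre-flight check inspects an envelope request and a ceremony request before they are submitted and refuses any configuration that would let a ceremony link reach a recipient without secondary authentication. The property name ceremony_creation and the values manual and email_code come from this page; the JSON layout (a "recipients" list, an "authentication" object with a "method" key) and the sample requests are assumptions constructed for the example.

```python
# Added example: pre-flight policy check for PHI envelopes (not SignatureAPI code).
# Assumed request layout: envelope["recipients"] is a list of recipient objects,
# ceremony["authentication"]["method"] names the authentication method.


def envelope_violations(envelope: dict) -> list[str]:
    """Every recipient who will see PHI must have ceremony_creation == "manual";
    any other value means SignatureAPI emails the ceremony URL automatically."""
    problems = []
    for recipient in envelope.get("recipients", []):
        if recipient.get("ceremony_creation") != "manual":
            who = recipient.get("email", "?")
            problems.append(f"recipient {who}: ceremony_creation must be 'manual'")
    return problems


def ceremony_violations(ceremony: dict, authenticated_portal: bool = False) -> list[str]:
    """A ceremony whose URL is delivered by email or SMS must require email_code.
    Links handed out only through your own authenticated portal are exempt."""
    if authenticated_portal:
        return []
    method = ceremony.get("authentication", {}).get("method")
    if method != "email_code":
        return [f"authentication method is {method!r}; expected 'email_code'"]
    return []


def preflight(envelope: dict, ceremony: dict, authenticated_portal: bool = False) -> list[str]:
    """Return all violations; an empty list means the requests are safe to send."""
    return envelope_violations(envelope) + ceremony_violations(ceremony, authenticated_portal)


# Constructed sample requests (not real API traffic).
UNSAFE_ENVELOPE = {"title": "Lab results release", "recipients": [
    {"email": "patient@example.org"},                                   # link would be auto-emailed
    {"email": "clinician@example.org", "ceremony_creation": "manual"},
]}
SAFE_ENVELOPE = {"title": "Lab results release", "recipients": [
    {"email": "patient@example.org", "ceremony_creation": "manual"},
    {"email": "clinician@example.org", "ceremony_creation": "manual"},
]}
UNSAFE_CEREMONY = {}                                       # no secondary authentication
SAFE_CEREMONY = {"authentication": {"method": "email_code"}}

if __name__ == "__main__":
    for label, env, cer in (("unsafe", UNSAFE_ENVELOPE, UNSAFE_CEREMONY),
                            ("safe", SAFE_ENVELOPE, SAFE_CEREMONY)):
        found = preflight(env, cer)
        print(label, "OK" if not found else found)
```

Run the check in your integration code and abort the API calls whenever preflight returns a non-empty list.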

Secure Deliverable Downloads with Authentication

By default, deliverables are downloaded using short-lived, pre-signed URLs, which are sufficient for most use cases. However, when HIPAA is enabled on your account, downloading deliverables requires authentication using your API key—just like other API endpoints. This ensures secure, authorized access to files that may contain PHI.

Configure Role-Based Access Controls

HIPAA requires role-based access controls to ensure that access to PHI is limited to the minimum necessary for each user’s job function (the principle of least privilege). Configure differentiated user permissions in your SignatureAPI dashboard to control who can access different types of PHI and system functions. Envelope-level access logs are available upon request.

Best Practices

Delete Envelopes Upon Completion

We recommend that you delete envelopes as soon as they are completed. After an envelope is completed and the deliverable is generated, download the deliverable and store it securely in your own system. This ensures that you retain access to the signed documents. Once you have downloaded the deliverable, send a Delete Envelope request to initiate the deletion process. After deletion is complete, all envelope data is permanently removed from SignatureAPI. The downloaded deliverable can be verified independently, even if the envelope no longer exists in SignatureAPI.

Enabling HIPAA Mode

To enable HIPAA mode on your account, contact SignatureAPI support.