SignatureAPI supports HIPAA compliance for organizations handling protected health information (PHI). This page explains how to use SignatureAPI in a HIPAA-compliant manner and highlights key safeguards and configuration steps.

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act of 1996) is a U.S. law that sets standards for protecting sensitive health data. It applies to covered entities, such as healthcare providers and insurers, as well as their business associates—third parties that handle PHI on their behalf. HIPAA compliance requires administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of PHI.

Business Associate Agreements (BAAs)

SignatureAPI can sign Business Associate Agreements (BAAs) upon request, using the Bonterms Standard Business Associate Agreement v1 as our standard template.
BAAs are not automatically extended to all customers. If you require a BAA, please contact us to initiate the process.

Using SignatureAPI in a HIPAA-Compliant Way

SignatureAPI offers features to help you securely handle PHI, but your compliance also depends on how you implement and configure these features. To protect PHI and comply with HIPAA, you must secure document links sent via email or SMS with secondary authentication. By default, SignatureAPI emails ceremony URLs directly to recipients, which could expose PHI if intercepted. HIPAA requires that only authorized individuals can access PHI, so you must verify recipient identity before granting access.

Enforcing Secondary Authentication

When sending ceremony URLs to recipients via unencrypted channels like email or SMS, you must configure additional authentication to ensure only authorized individuals can access documents containing PHI. SignatureAPI provides two secure options to ensure HIPAA compliance:
1. SignatureAPI delivers ceremony links by email with additional authentication:
   Configure the signing ceremony to use multiple authentication methods with both Email Link and Email Code authentication. This ensures recipients receive a ceremony link by email but must also enter a verification code (sent in a separate email) before accessing documents containing PHI.

2. You deliver ceremony links by email with additional authentication:
   Configure the ceremony to use Email Code authentication. This generates a ceremony URL that you can deliver through your own secure email or SMS channels. When recipients access the ceremony, they must enter a verification code (sent by SignatureAPI to their email) before they can view documents containing PHI.

If you deliver links through a secure, authenticated portal, secondary authentication via SignatureAPI is not required. See custom authentication for more details.

Never send direct-access links via unencrypted channels without secondary authentication. This risks PHI exposure and violates HIPAA requirements.

Secure Deliverable Downloads with Authentication

By default, deliverables are downloaded using short-lived, pre-signed URLs, which are sufficient for most use cases. However, when HIPAA is enabled on your account, downloading deliverables requires authentication using your API key—just like other API endpoints. This ensures secure, authorized access to files that may contain PHI.

Configure Role-Based Access Controls

HIPAA requires role-based access controls to ensure that access to PHI is limited to the minimum necessary for each user’s job function (the principle of least privilege). Configure differentiated user permissions in your SignatureAPI dashboard to control who can access different types of PHI and system functions. Envelope-level access logs are available upon request.

Best Practices

Delete Envelopes Upon Completion

We recommend that you delete envelopes as soon as they are completed. After an envelope is completed and the deliverable is generated, download the deliverable and store it securely in your own system. This ensures that you retain access to the signed documents. Once you have downloaded the deliverable, send a Delete Envelope request to initiate the deletion process. After deletion is complete, all envelope data is permanently removed from SignatureAPI. The downloaded deliverable can be verified independently, even if the envelope no longer exists in SignatureAPI.
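The download, store, verify and delete sequence above as an added Python example (this is not SignatureAPI's own code). The base URL, the X-Api-Key header name and the endpoint paths are assumptions standing in for the values in your API reference, and the HTTP transport and storage backend are injectable so the flow can be exercised offline.

```python
import hashlib
from pathlib import Path
from typing import Callable, Tuple
from urllib import request

# Assumptions: the base URL, header name and endpoint paths below are placeholders,
# not SignatureAPI's documented API. Swap them for the values in your API reference.
API_BASE = "https://api.example.invalid/v1"
API_KEY_HEADER = "X-Api-Key"

# transport(method, url, headers) -> (status, body); replaceable for offline testing
Transport = Callable[[str, str, dict], Tuple[int, bytes]]
# store(name, data) -> the bytes re-read from durable storage after the write
Store = Callable[[str, bytes], bytes]

def urllib_transport(method: str, url: str, headers: dict) -> Tuple[int, bytes]:
    req = request.Request(url, method=method, headers=headers)
    with request.urlopen(req) as resp:
        return resp.status, resp.read()

def file_store(directory: str) -> Store:
    """Store deliverables under `directory`; returns what is actually on disk."""
    def store(name: str, data: bytes) -> bytes:
        path = Path(directory) / name
        path.write_bytes(data)
        return path.read_bytes()
    return store

def _call(transport: Transport, method: str, path: str, api_key: str) -> bytes:
    # With HIPAA mode on, the download is an authenticated endpoint like any other,
    # so the API key goes on every request instead of relying on a pre-signed URL.
    status, body = transport(method, API_BASE + path, {API_KEY_HEADER: api_key})
    if status not in (200, 204):
        raise RuntimeError(f"{method} {path} failed with HTTP {status}")
    return body

def archive_then_delete(envelope_id: str, deliverable_id: str, api_key: str,
                        store: Store, transport: Transport = urllib_transport) -> str:
    """Download, verify the stored copy, then delete; returns the deliverable's SHA-256."""
    data = _call(transport, "GET",
                 f"/envelopes/{envelope_id}/deliverables/{deliverable_id}/download", api_key)
    digest = hashlib.sha256(data).hexdigest()
    stored = store(f"{envelope_id}-{deliverable_id}.pdf", data)
    # Only delete once the archived bytes are confirmed identical to the download.
    if hashlib.sha256(stored).hexdigest() != digest:
        raise RuntimeError("stored copy does not match the download; envelope kept")
    _call(transport, "DELETE", f"/envelopes/{envelope_id}", api_key)
    return digest
```

The Delete Envelope request is only issued after the archived copy has been re-read and its hash compared, so a failed or truncated write never leaves you without the signed document.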

Don’t Send Unencrypted Deliverables via Email

To comply with HIPAA’s requirements for safeguarding PHI, never send unencrypted deliverables via email. Email is not a secure channel by default and may expose sensitive health information if intercepted. If you must send deliverables by email, ensure that the files are encrypted and that only the intended recipient can decrypt them. You can also provide access through a secure, authenticated portal instead of sending the file directly. For guidance on encrypting deliverables for secure transmission, contact SignatureAPI support. We can help you configure an encryption process that meets HIPAA standards.

Enabling HIPAA Mode

To enable HIPAA mode on your account, contact SignatureAPI support.