How to use electronic signatures with your HIPAA documents

How to use electronic signatures with your HIPAA documents

The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, was originally created to give medical patients greater control and access over their health information.

The rules and guidelines enclosed within this and subsequent legislation changed how HIPAA-covered entities like doctors, clinics, insurance companies, and other covered entities — along with their business associates — were allowed to handle patient data.

One of the main points of HIPAA was to set standards for how protected health information (PHI) is handled when transferred electronically.

In this article, we’ll discuss the rules around electronic information transfer and how e-signatures can play a role in HIPAA compliance for healthcare providers and other covered entities.

Background: HIPAA rules and electronic signatures

Digital signatures and signed documents have a strange place within HIPAA rules because HIPAA has no exact guidelines for how they should be captured while maintaining legal compliance.

Originally, electronic signatures were covered under the HIPAA Security Rule (1998), but all passages governing e-signatures were removed before the bill was passed in 2003.

The website for the Department of Health and Human Services (HHS) currently states the following:

However, currently, no standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.

However, the Office for Civil Rights (OCR) also explains that the use of electronic signatures will satisfy the HIPAA Privacy Rule “assuming that the electronic contract satisfies the applicable requirements of State contract law.”

In other words, as long as state law is satisfied, the use of e-signatures or an e-signature solution to sign documents maintains the integrity of PHI and doesn’t violate HIPAA rules.

Can I use electronic signatures to stay HIPAA compliant?

Healthcare industry professionals and healthcare organizations can use electronic signatures as a way to validate forms and protect themselves from potential HIPAA violations.

To do this, covered entities need to follow guidelines established by the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA) in order to create acceptable electronic signatures.

These mandates allow for user authentication in a way that reduces tampering and maintains message integrity so that electronic signatures are considered authentic and legally binding.

Here’s a quick look at the essential items you need to cover when working with HIPAA electronic signatures:


As mentioned above, HIPAA offers no additional guidance for electronic signatures beyond what satisfies state and federal law. As long as those requirements are met, any electronic signature that you use would be considered valid under HIPAA.

You’ll also need to ensure that the patient receives a copy of the document once the signing is complete.


One of the biggest challenges when using electronic formats to send HIPAA-compliant documents comes down to authorization.

When sending electronic documents, you need to ensure that all disclosures are made following the HIPAA Privacy Rule and the HIPAA Security Rule.

This means that you’ll need to send your documents to a patient in a way that is secure and validated to avoid any breach of privacy. You also need to make sure that you’re sending documents to the correct individual. There are multiple methods that you can use for this, including two-step authentication, security questions, and phone validation.

Document integrity

When sending documents electronically, you’ll need to make sure that the documents can’t be tampered with after the form is filled out and signed.

This is part of the HIPAA Security Rule. You could do this by locking the document, adding a password, or storing it in such a way that the document is secure and out of reach from everyone except authorized users.


Audit trails are essential for non-repudiation. The risk with electronic signatures is that the signer can always deny ever signing the actual document. An audit trail makes that far more difficult by including a timestamp for when the document was signed.

With PandaDoc, we go even further than normal standards with this by providing document insights to let you see real-time activity on your document. You’ll know when it was opened, viewed, and signed so that you can stay on top of the process from start to finish.

Document control

Lastly, covered entities need to ensure that they have control of all necessary documents to prove the authenticity of their signed documents and the accompanying electronic signature.

In many cases, this comes down to digital certificates that can certify the authenticity of the document or downloading records to store them on file. You’ll also need a way to effectively find the files that you need.

This is critical in the event of an audit.

How do electronic signatures help my HIPAA documents?

Allowing signers to fill out HIPAA-related documents can be a major boost to your administrative processing. Because files can be sent and stored electronically, it’s now possible for many common HIPAA forms to be completed digitally, even by signers outside of the office.

From an administrative standpoint, this could allow front desk administrators to more effectively manage long waits and queue times. In busy medical complexes like hospitals or clinics, filling out forms electronically could make for easier filing and greater legibility on the forms themselves.

Electronic signatures play an important role here because they can be used to prove that patients received all information relevant to them, including important disclosures like a company privacy policy or HIPAA compliance guidelines.

Under HIPAA, patients must be informed of their right to privacy and their ability to control their medical records. They must also sign release forms allowing healthcare providers to transmit their data.

Electronic signatures can help with all of that by requesting that patients acknowledge that they have received this information and that they agree with organizational policies regarding data.

How does PandaDoc help?

PandaDoc can help covered entities in a few different ways. Most importantly, PandaDoc provides a safe and secure environment where HIPAA documents can be sent.

Our electronic signature tools make acquiring digital signatures simple and easy. Our document builder comes with a variety of tools to provide additional clarity and visibility throughout the signing process.

In addition to simple e-signatures, covered entities can use PandaDoc fields to add dates, initial boxes, checkboxes, and more to ensure that patients acknowledge specific parts of the required agreements and disclosures.

Additionally, because PandaDoc is HIPAA compliant, we’re also able to fulfill the requirements set forth in the HIPAA Security Rule regarding the safety, transmission, and protection of electronic personal health information (ePHI) as long as it’s stored on our servers.

Our platform is designed to bring signers to the document rather than sending multiple copies of the document to users. Because of this, copies of the document aren’t proliferated, reducing the potential risk and/or exposure of the covered entity.

HIPAA regulations (The HIPAA Privacy Rule) require a signed Business Associate Agreement (BAA) with every completed document. PandaDoc will provide a BAA for all Enterprise customers with five or more seats.

Protect your organization from exposure and get essential documents signed even faster with PandaDoc! Sign up for a free 14-day trial to try out our document editor.

If you already have the forms you want to sign, sign up for our Free eSign plan to send documents and collect payments today!

Related articles