HIPAA (Health Insurance Portability and Accountability Act)
TL;DR
HIPAA was enacted in 1996 and updated by the HITECH Act in 2009, which among other things made business associates directly liable for Security Rule compliance. For e-signature providers, the relevant requirements come from the Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) and the Privacy Rule (45 CFR Part 164, Subpart E).
**What HIPAA requires for e-signatures**
HIPAA does not prohibit electronic signatures — in fact, it encourages electronic transactions. However, the platform must:
1. Encrypt PHI in transit and at rest. The Security Rule lists encryption as an "addressable" implementation specification (45 CFR 164.312(a)(2)(iv) for stored data, 164.312(e)(2)(ii) for transmission): it does not name an algorithm, but a provider that does not encrypt must document why and what it does instead, so in practice this means TLS for transport and AES-256 (or another NIST-approved cipher) for storage.
2. Maintain access controls so that only authorised users can view signed documents; unique user identification is a required specification under 164.312(a)(2)(i).
3. Provide an audit trail of who accessed what, when, and from where (audit controls, 164.312(b)).
4. Execute a Business Associate Agreement (BAA) with the healthcare entity.
5. Implement automatic session timeouts (automatic logoff, addressable under 164.312(a)(2)(iii)) and authentication of every person or system that touches PHI (164.312(d)).
**BAA requirement**
A Business Associate Agreement is a contract between a healthcare provider (covered entity) and any vendor that handles PHI on their behalf. If your e-signature provider stores or processes patient consent forms, they are a business associate and MUST sign a BAA. Not all providers offer BAAs — check before committing.
**Common healthcare e-signature use cases**
• Patient consent forms and intake documents
• HIPAA authorization for release of information
• Business Associate Agreements between providers and vendors
• Clinical trial informed consent (also regulated by 45 CFR 46)
• Telehealth consent forms
• Employee health screening documentation
**HIPAA and audit trails**
The Security Rule's audit-control standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems that contain or use PHI. This aligns well with e-signature platforms that already capture timestamps, IP addresses, and verification methods for every signing event. Keep the two halves of the requirement distinct, though: Signbee's SHA-256 signing certificates cover integrity, proving that a signed document has not changed since it was signed, but a hash of the document says nothing about who later viewed or downloaded it. The access log itself must also be retained in a form that cannot be quietly edited, and the Security Rule's six-year retention period for required documentation (45 CFR 164.316(b)(2)) is usually applied to those logs as well.
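The following Python script is an added illustration of that distinction, not Signbee's code or any part of its product: it computes a SHA-256 fingerprint of a signed document (the integrity half) and keeps a hash-chained, append-only access log that records who, what, when and from where (the audit-control half), so that editing or deleting an earlier entry is detected. The document bytes, user names, IP addresses and timestamps are constructed sample data, and the class and function names are this example's own.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample input: stands in for the bytes of a signed consent form.
# (Not a real document and not real PHI.)
SIGNED_DOCUMENT = b"%PDF-1.7\nPatient consent form - signed 2024-03-01T10:15:00Z\n"


def document_fingerprint(data: bytes) -> str:
    """SHA-256 of the signed document.

    This is the integrity half: if a single byte changes, the hex digest
    changes, so anyone holding the original fingerprint can detect later
    alteration. It records nothing about who accessed the document.
    """
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only, hash-chained access log (the audit-control half).

    Every entry stores actor, action, document id, source IP and timestamp,
    plus the SHA-256 of the previous entry. Editing or deleting an earlier
    entry therefore breaks the chain at that point, which verify() reports.
    """

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _hash(body: dict) -> str:
        # Canonical JSON (sorted keys) so the same fields always hash the same.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, document_id: str,
               source_ip: str, when: Optional[str] = None) -> str:
        """Append one access event and return its entry hash."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {
            "actor": actor,
            "action": action,
            "document_id": document_id,
            "source_ip": source_ip,
            "timestamp": when,
            "prev_hash": prev,
        }
        entry_hash = self._hash(body)
        self.entries.append({**body, "entry_hash": entry_hash})
        return entry_hash

    def verify(self):
        """Walk the chain; return (True, n_entries) or (False, index_of_first_bad_entry)."""
        expected_prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != expected_prev or self._hash(body) != entry["entry_hash"]:
                return False, i
            expected_prev = entry["entry_hash"]
        return True, len(self.entries)


def build_sample_trail() -> AuditTrail:
    """Constructed sample events with fixed timestamps so the run is reproducible."""
    trail = AuditTrail()
    trail.record("dr.lee", "viewed", "consent-0042", "203.0.113.7", "2024-03-01T10:15:00+00:00")
    trail.record("nurse.ng", "downloaded", "consent-0042", "203.0.113.9", "2024-03-01T11:02:30+00:00")
    trail.record("dr.lee", "viewed", "consent-0042", "198.51.100.4", "2024-03-02T08:40:12+00:00")
    return trail


def tamper_is_detected():
    """Return the entry index verify() reports for (an edited entry, a deleted entry)."""
    edited = build_sample_trail()
    edited.entries[1]["actor"] = "someone.else"   # rewrite history in place
    deleted = build_sample_trail()
    del deleted.entries[0]                         # drop the first access event
    return edited.verify()[1], deleted.verify()[1]


if __name__ == "__main__":
    print("document sha256:", document_fingerprint(SIGNED_DOCUMENT))
    print("chain intact:", build_sample_trail().verify())
    print("tamper detected at entries:", tamper_is_detected())
```

The chain only proves that nobody changed the log after the fact; it does not stop whoever controls the logging host from rewriting the whole chain from the start. In practice the head hash is periodically copied somewhere the application cannot overwrite (a write-once store, a separate log service, or a timestamping authority), which is the same reason the covered entity should keep its own copy of the provider's audit export rather than relying on the provider alone.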