HIPAA onboarding and security guidelines for BoldSign users

HIPAA, the Health Insurance Portability and Accountability Act, is a U.S. federal law enacted in 1996 to protect the privacy and security of individuals’ medical information. HIPAA sets national standards for protecting sensitive patient data, ensuring that healthcare providers, insurance companies, and other entities handling health information maintain strict confidentiality and security measures.

The BoldSign Business plan is HIPAA-compliant. Enabling HIPAA compliance involves configuring the platform and ensuring that you follow best practices to secure protected health information (PHI). While BoldSign itself is designed to support HIPAA compliance, you’ll need to take certain steps to ensure your usage meets HIPAA standards.

Here’s how to enable and ensure HIPAA compliance in BoldSign:

1. Sign a Business Associate Agreement (BAA)

• What it is: A BAA is a legal contract between a covered entity such as a healthcare provider or insurance company and a business associate. It is required under the Health Insurance Portability and Accountability Act (HIPAA) when a business associate performs functions or activities on behalf of a covered entity that involves the use or disclosure of Protected Health Information (PHI).
• How to obtain it: Contact BoldSign’s support team, or create a support ticket to initiate the process of signing a BAA. This is an important step in ensuring HIPAA compliance when using BoldSign.

2. Configure security settings

• Access Controls: Ensure that access to BoldSign is restricted to authorized users only. This includes setting up strong passwords, Two-factor authentication (TFA), IP restriction, and user roles that limit access to PHI.
• Audit Trails: Enable audit trails within BoldSign to track all actions taken on documents containing PHI. This includes who accessed, signed, or modified the document and when these actions occurred.
• Data Encryption: Ensure that all data, including documents and communications, are encrypted both at rest and in transit. BoldSign typically provides this by default.

3. Use secure document handling practices

• Signer Authentication: Use signer authentication methods like SMS verification, Email verification, Access codes, or ID verification to ensure that only the intended recipients can access and sign documents.

4. Train your team

• HIPAA Training: Ensure that all users who will be handling PHI within BoldSign are trained on HIPAA regulations and understand how to use BoldSign in a compliant manner.

5. Regular compliance reviews

• Internal Audits: Conduct regular audits of your BoldSign usage to ensure that all aspects of HIPAA compliance are being met.

Security Measures for HIPAA Compliance

After signing a BAA with BoldSign, certain features and functionalities are restricted to ensure that all actions adhere to HIPAA regulations. Here are the key limitations:

1. No CCing of Recipients
The ability to CC additional recipients on signature requests is disabled by default to prevent unauthorized access to Protected Health Information (PHI), as HIPAA regulations require strict control over who can view sensitive health information. Enabling this option will allow senders to notify CC recipients about important document progress events, which could violate HIPAA compliance.

2. Restricted Distribution of Signed Documents
PDF copies of signed documents cannot be sent directly via email. Sending documents via email could lead to potential breaches. Instead, BoldSign provides a secure link to the document, which only authorized individuals can access. When creating a brand in this case, you will not be able to select attachments as a delivery method for signed documents to signers.

3. Limited Information in Document Titles and Messages
Document titles and associated messages are restricted to include only minimal, non-sensitive information to prevent accidental disclosure of PHI, HIPAA compliance requires that titles and messages not contain any information that could be considered PHI.
By following these steps, you can ensure that your handling of PHI meets the necessary legal standards. If you have specific needs or concerns, it’s also recommended to consult with legal counsel or a HIPAA compliance expert.