The question “Is DocuSign HIPAA compliant?” is a difficult one to answer due to a lack of transparency on the part of the eSignature service provider. Consequently, it is essential that healthcare organizations perform in-depth due diligence before subscribing to DocuSign’s services.
On the face of it, DocuSign is HIPAA compliant. The eSignature service provider has produced a number of glossy web pages and PDF documents explaining what HIPAA requires and how DocuSign complies with those requirements. The issue with answering the question “Is DocuSign HIPAA compliant?” is what the glossy web pages and PDF documents don’t tell you.
A Little Information is a Dangerous Thing
One of the glossy documents produced by DocuSign is a guide to “Using eSignatures to Help Manage HIPAA Compliance” (PDF). While it is good at selling the benefits of DocuSign for certain provider-patient transactions, the guide does not explain that providers and patients may have to invest in hardware (e.g., an iPad or scanner), which may also need to be configured to be HIPAA compliant before it can be used for digital signatures.
The guide also does not explain how DocuSign complies with CMS’ standards for digitally signing Part 162 transactions (treatment authorizations, claims, billing, etc.). While digital signatures are not mandated for most Part 162 transactions, CMS has adopted the HL7 IG for CDA® R2 protocol for signing digital transactions. DocuSign uses the HL7 FHIR protocol, which CMS described in December 2022 as “unready and untested”. Additionally, DocuSign cannot be used for submitting signatures on CMS’ Provider Enrollment Chain and Ownership System (PECOS).
There are also some contradictions in the guide, inasmuch as it implies healthcare organizations evaluating eSignature service providers should look for providers with a “data disposal and reuse policy”. DocuSign shouldn’t be able to see customer data and therefore wouldn’t need a data disposal and reuse policy. So, surely this is a typo, and “data” should be replaced with “media”? No, because equipment management and media disposal is covered in the next line.
A BAA is Required to Make DocuSign HIPAA Compliant. Good Luck Finding One.
While it is easy to find holes in DocuSign’s literature, the most concerning lack of transparency relates to the Business Associate Agreement (BAA) required to make DocuSign HIPAA compliant if the service is used to transmit electronic PHI. DocuSign claims to have “entered into agreements with numerous HIPAA-covered entities”, but when you dig a little deeper you find that DocuSign requires customers to agree to the terms of its own Agreement. The provider will not sign customer BAAs.
While it is not unusual for large software service providers to use a “one-size-fits-all” BAA, it is unusual for a large software service provider to withhold the BAA from inspection until a customer signs up for an Enterprise plan. The issue with the Enterprise plan is that it is customizable and priced according to which services a healthcare organization subscribes to. Therefore, it is not possible to compare the cost of DocuSign against the cost of other eSignature service providers.
In theory, a healthcare organization could sign up for an Enterprise plan with the optional extra of BAA support to make DocuSign HIPAA compliant, only to find the terms of the BAA are unacceptable. In this scenario, the healthcare organization would have to cancel the DocuSign plan and evaluate other eSignature service providers – which is why it is essential that healthcare organizations perform in-depth due diligence before subscribing to DocuSign’s service.