In this blog post, we discuss how SigningHub implements HIPAA-compliant eSignatures.
What is HIPAA?
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is United States legislation that sets out data privacy and security provisions for safeguarding medical information.
Follow this quick checklist to see how SigningHub implements HIPAA-compliant security standards. The clauses below are taken from: https://www.ihs.gov/hipaa/documents/IHS_HIPAA_Security_Checklist.pdf
More details can be found here.
| Clause | Description | Supported? | Details |
|---|---|---|---|
| 164.312(a)(2)(i) | Have you assigned a unique name and/or number for identifying and tracking user identity? | Yes | Each SigningHub account holder has a unique ID (generally an email address) to access SigningHub. All user activities and actions are tracked against this ID. |
| 164.312(a)(2)(ii) | Have you established (and implemented as needed) procedures for obtaining the necessary ePHI during an emergency? | Yes | SigningHub is deployed on the Azure cloud, which is fully HIPAA compliant. In the event of a disaster, Azure automatically relocates SigningHub to maintain access. Learn more here. |
| 164.312(a)(2)(iii) | Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity? | Yes | After 15 minutes of inactivity SigningHub prompts the user to terminate the session, and logs the user out after a further minute of inactivity. |
| 164.312(a)(2)(iv) | Have you implemented a mechanism to encrypt and decrypt ePHI? | Yes | All communication between a browser and the SigningHub server is protected with SSL/TLS. Only strong SSL versions (TLS 1.0 onwards) and strong ciphers are supported. Check our rating from Qualys SSL Labs here. All documents are also encrypted with AES-256 before being stored in the database. |
| 164.312(b) | Have you implemented Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI? | Yes | SigningHub creates secure logs and workflow evidence reports that provide complete tracking of which activity was performed and when. The workflow evidence report is also digitally signed, recording who, when, where, how and what was performed on a document. Separately, SigningHub maintains operator logs that let auditors examine staff activities. |
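The two-stage inactivity timeout described in the 164.312(a)(2)(iii) row, written out as a server-side state machine so that the session still ends when the browser never answers the prompt. This is an added example, not SigningHub's code; the 15-minute prompt and one-minute grace period come from the table, while the class, state names and event log are assumptions.

```python
"""Idle-session timeout: prompt after 15 min, log out one minute later (added example)."""
from dataclasses import dataclass, field

WARN_AFTER = 15 * 60           # seconds of inactivity before the user is prompted
LOGOUT_AFTER = WARN_AFTER + 60  # one further minute, then the session is terminated


@dataclass
class IdleSession:
    last_activity: float            # monotonic timestamp of the last user action
    state: str = "active"           # "active" | "warning" | "terminated" (assumed names)
    events: list = field(default_factory=list)  # audit trail of timeout decisions

    def touch(self, now: float) -> bool:
        """Record user interaction. A terminated session cannot be revived;
        the user must authenticate again rather than extend the old session."""
        if self.state == "terminated":
            return False
        self.last_activity = now
        self.state = "active"       # answering the prompt clears the warning
        return True

    def poll(self, now: float) -> str:
        """Server-side check run on a timer, independent of any client reply."""
        if self.state == "terminated":
            return self.state
        idle = now - self.last_activity
        if idle >= LOGOUT_AFTER:
            self.state = "terminated"
            self.events.append(("logout", now))
        elif idle >= WARN_AFTER and self.state == "active":
            self.state = "warning"
            self.events.append(("prompt", now))
        return self.state
```

Because `poll` is evaluated on the server from the last recorded activity, a client that simply closes the tab is still logged out after the grace period, and the `events` list gives the audit controls in 164.312(b) a record of when each timeout fired.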
164.312(c)(1) - Integrity
| Clause | Description | Supported? | Details |
|---|---|---|---|
| 164.312(c)(2) | Have you implemented electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorised manner? | Yes | SigningHub signatures are cryptographically protected: any change to the document after signing is easily identified within SigningHub and also with free third-party software such as Adobe Acrobat Reader. SigningHub's security functions use a secure crypto engine (ADSS Server) which auto-detects any data alteration and notifies administrators. |
| 164.312(d) | Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access to ePHI is the one claimed to be? | Yes | SigningHub provides multiple authentication options, including two-factor authentication, before the user or entity is authorised to view and sign the document. These include: |
164.312(e)(1) - Transmission Security
| Clause | Description | Supported? | Details |
|---|---|---|---|
| 164.312(e)(2)(i) | Have you implemented security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of? | Yes | |
| 164.312(e)(2)(ii) | Have you implemented a mechanism to encrypt ePHI whenever deemed appropriate? | Yes | See above. |