HIPAA E-Signature (2026)
Answer first
HIPAA does not single out electronic signatures, but if you collect, transmit, or store Protected Health Information (PHI) via a signed digital document, the Privacy Rule and Security Rule both apply. That means encryption in transit and at rest, access controls, audit logging, integrity controls, and a Business Associate Agreement (BAA) with any vendor that handles PHI on your behalf. Formfy implements the technical controls (encryption, audit trail, role-based access) but does NOT claim HIPAA certification — review the Security Rule's required + addressable specifications and execute a BAA with any vendor before running covered workflows.
At a glance
- HIPAA covers e-signatures indirectly: any signed document containing PHI is regulated by the Privacy Rule (use/disclosure) and Security Rule (technical safeguards). The signature itself is not what matters legally — what matters is that PHI is being handled.
- There is no "HIPAA-certified" e-signature standard. Vendors who claim certification are claiming alignment with the Security Rule, not government regulatory approval — verify by asking for their Security Rule mapping document and BAA template.
- A Business Associate Agreement (BAA) is the written contract that binds a vendor handling PHI on your behalf to the Privacy and Security Rule obligations. Without one, sending PHI through a vendor is itself a HIPAA violation, regardless of how strong their security controls are.
- Required Security Rule technical safeguards: access control, audit controls, integrity, person-or-entity authentication, transmission security. A compliant e-signature stack must implement controls in all five categories. Formfy maps to all five at the platform level.
- Formfy does NOT currently claim HIPAA certification and does not currently offer a Business Associate Agreement. Operators handling PHI must execute a BAA + complete a HIPAA risk analysis with a covered platform before deploying any covered workflow.
- Audit-trail completeness is the single most important Security Rule signal. Look for server-side timestamps (not the signer device clock), IP capture, browser/device fingerprinting, identity verification, and tamper-evident document seals using cryptographic hashes.
- Penalties for HIPAA violations are tiered (45 CFR §160.404) and inflation-adjusted each year. The 2024 figures start at $137 per violation where the entity did not know (and could not reasonably have known) of the violation, with an annual cap of roughly $2.1M for repeat violations of the same provision, and reach $68,928 per violation for uncorrected willful neglect. The regulation counts violations, not records, but OCR can treat a single breach as many violations. Even unintended breaches by Business Associates can trigger Covered Entity liability.
What the law requires (and how Formfy aligns)
1. Privacy Rule — permitted uses and disclosures of PHI
The Privacy Rule (45 CFR §164.500–534) governs WHO can access PHI and FOR WHAT PURPOSE. For e-signature workflows, the most common touchpoints are patient consent forms, treatment authorizations, release-of-information forms, and provider-side service agreements that reference patient records. Treatment consent forms are not HIPAA authorizations, but they still contain PHI and are bound by the Privacy Rule's use-and-disclosure limits. Where the form IS a HIPAA authorization (release of records to a third party, marketing, research, or any other use not otherwise permitted), 45 CFR §164.508(c) dictates its content: (1) a specific description of the PHI to be used or disclosed, (2) who is authorized to disclose it and to whom, (3) the purpose, (4) an expiration date or event, (5) the patient's signature and date, and (6) statements of the right to revoke, whether treatment or payment is conditioned on signing, and the potential for redisclosure by the recipient. A generic 'I consent' checkbox satisfies none of this; the form text must be specific.
Source: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
2. Security Rule — required technical safeguards
The Security Rule (45 CFR §164.302–318) lists five technical safeguard standards that apply to electronic PHI (ePHI), including any signed document containing PHI. (1) Access control: unique user identification and an emergency access procedure are required; automatic logoff and encryption/decryption are 'addressable', which means you must either implement them or document why an equivalent alternative is reasonable and appropriate (45 CFR §164.306(d)(3)), so in practice encryption is expected. (2) Audit controls: record and examine activity in systems containing ePHI. (3) Integrity: protect ePHI from improper alteration or destruction, with a mechanism to detect it. (4) Person-or-entity authentication: verify that the person or system seeking access to ePHI is who they claim to be; for e-signatures, that the signer is the intended person. (5) Transmission security: guard against unauthorized access to ePHI in transit, with encryption as the addressable mechanism. A compliant e-signature stack maps each of these to a specific control. Formfy's current mapping: TLS 1.2+ in transit, AES-256 at rest, per-signature audit logs, hash-based document integrity, and email/SMS-based signer verification. Note that these controls satisfy the platform side only; workforce accounts, logoff policy, and your own risk analysis remain operator obligations.
Source: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
3. Business Associate Agreement (BAA) — the contractual gate
Under 45 CFR §164.504(e), a Covered Entity (provider, health plan, clearinghouse) MUST execute a written BAA with any vendor that creates, receives, maintains, or transmits PHI on its behalf. The BAA assigns Privacy and Security Rule obligations to the vendor contractually; since the HITECH Act, Business Associates are also directly liable to HHS for Security Rule compliance, BAA or not. An e-signature platform that handles signed documents containing PHI is a Business Associate. If your vendor does not offer a BAA, you cannot lawfully send PHI through their platform regardless of their other security claims. Formfy does not currently offer a BAA; operators with HIPAA-covered workflows should review this restriction before deploying.
4. Audit trail — what must be captured for e-signatures on PHI
The Security Rule's audit-control standard (45 CFR §164.312(b)) requires hardware, software, or procedural mechanisms to record and examine activity in systems containing ePHI. For an e-signature, this means at minimum: a server-side timestamp (not the signer's local clock, which the signer controls), source IP address, user agent or device signal, the identity verification method used, and the document hash before and after signing, so that any later modification of the signed document is detectable. Formfy generates a per-signature certificate of completion that includes timestamp, IP, browser fingerprint, and the document's SHA-256, downloadable as a PDF. Operators should retain audit logs and related documentation for at least 6 years (45 CFR §164.530(j) for Privacy Rule documentation; §164.316(b)(2) for Security Rule documentation).
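The record layout described above (and the tamper-evident seal mentioned under "At a glance"), as an added illustration; this is not Formfy's code and makes no claim about how Formfy builds its certificate. It assumes a hypothetical server-held HMAC key named SEAL_KEY and uses constructed byte strings in place of a real PDF. Each record carries the server-side timestamp, IP, user agent, verification method, and the document's SHA-256 before and after signing, and each record is chained to the previous one so that editing or deleting an earlier entry breaks verification.

```python
"""Tamper-evident e-signature audit chain (added example, not Formfy's code)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical server-held secret. In production this belongs in a KMS/HSM,
# never in source; a compromised key lets an attacker re-seal edited records.
SEAL_KEY = b"demo-seal-key-do-not-use-in-production"
GENESIS = "0" * 64  # prev_seal value for the first record in a chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def server_time() -> str:
    # Taken from the server clock, not from the signer's browser.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _canonical(body: dict) -> bytes:
    # Stable serialization so the seal is reproducible at verification time.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_record(prev_seal: str, doc_before: bytes, doc_after: bytes, *,
                signer_id: str, ip: str, user_agent: str, auth_method: str,
                timestamp: str = "") -> dict:
    """Build one audit record and seal it with an HMAC over its content."""
    record = {
        "ts": timestamp or server_time(),
        "signer_id": signer_id,
        "ip": ip,
        "user_agent": user_agent,
        "auth_method": auth_method,        # e.g. sms-otp, email-link, sso-saml
        "doc_sha256_before": sha256_hex(doc_before),
        "doc_sha256_after": sha256_hex(doc_after),
        "prev_seal": prev_seal,            # links this record to its predecessor
    }
    record["seal"] = hmac.new(SEAL_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_chain(records: list) -> bool:
    """Return True only if every seal is valid and the chain is unbroken."""
    prev = GENESIS
    for rec in records:
        if rec.get("prev_seal") != prev:
            return False                   # a record was removed or reordered
        body = {k: v for k, v in rec.items() if k != "seal"}
        expected = hmac.new(SEAL_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("seal", "")):
            return False                   # a field was edited after sealing
        prev = rec["seal"]
    return True


def demo() -> dict:
    """Constructed sample: a two-step signing flow, then a forged edit."""
    original = b"%PDF-1.7 telehealth consent v1 (constructed sample bytes)"
    signed = original + b" /Sig <constructed signature object>"
    r1 = make_record(GENESIS, original, signed, signer_id="patient-123",
                     ip="203.0.113.7", user_agent="Mozilla/5.0 (constructed)",
                     auth_method="sms-otp", timestamp="2026-01-15T14:02:11+00:00")
    r2 = make_record(r1["seal"], signed, signed, signer_id="provider-42",
                     ip="198.51.100.9", user_agent="Mozilla/5.0 (constructed)",
                     auth_method="sso-saml", timestamp="2026-01-15T14:05:40+00:00")
    chain = [r1, r2]
    # Simulate an insider rewriting the IP on the earlier record after the fact.
    forged = [dict(r1), dict(r2)]
    forged[0]["ip"] = "10.0.0.1"
    return {
        "intact": verify_chain(chain),
        "forgery_detected": not verify_chain(forged),
        "doc_changed_by_signing": r1["doc_sha256_before"] != r1["doc_sha256_after"],
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise: the chain alone cannot detect deletion of the most recent record, so store the latest seal (or a running count) somewhere the log writer cannot modify; and an HMAC seal proves integrity only to whoever holds the key, so a certificate meant to be checked by an outside party (a patient, a court, an auditor) needs a digital signature or an external timestamp instead.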
5. Risk analysis — operator obligation before deployment
Before using ANY e-signature platform for PHI workflows, the Covered Entity must conduct a Security Rule risk analysis (45 CFR §164.308(a)(1)(ii)(A)). This is a documented assessment of vulnerabilities, threats, and impact across the entire workflow — not just the e-signature step. The analysis covers: who can access the platform, how authentication works, what happens if a signed document is intercepted, retention and destruction policies, and incident-response procedures. Vendor security claims (including HIPAA certification claims) are inputs to your risk analysis, not substitutes for it.
Source: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
6. Patient access and amendment rights
Under 45 CFR §164.524 and §164.526, patients have the right to access and copy their PHI and to request amendment of it, including PHI captured in signed forms. Your e-signature platform should support exporting a patient's signed documents on demand (the Covered Entity must act within 30 days, extendable once by 30 days with written notice) and either incorporating amendments or recording an amendment denial in the audit log. Workflows that lock signed documents into a vendor without a portable export path are a problem: if you cannot retrieve a record, you cannot meet the access deadline, and a vendor exit can leave you unable to fulfil requests at all. Verify that portable export (PDF plus structured-data download) is documented in your BAA before signing.
7. Breach notification — the 60-day clock
Under the Breach Notification Rule (45 CFR §164.400–414, added by the HITECH Act of 2009), Covered Entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. Business Associates must notify the Covered Entity on the same timeline; when the Business Associate is not acting as the Covered Entity's agent, the Covered Entity's 60-day clock runs from that notification rather than from the original incident. For breaches affecting 500 or more individuals, the Covered Entity must also notify HHS within the same 60 days and prominent media outlets serving the affected state or jurisdiction; smaller breaches are logged and reported to HHS annually. This makes vendor selection critical: an e-signature platform with weak audit logs may not even be ABLE to determine the scope of a breach, and an undersized notification is itself a violation. Verify that your vendor can support timely breach forensics, including which documents, signers, and accounts were touched.
Source: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
8. State law overlay — CMIA, NY SHIELD, Texas HB 300
HIPAA is a federal floor, not a ceiling. Several states impose stricter requirements that apply alongside HIPAA. California's Confidentiality of Medical Information Act (CMIA) defines 'medical information' more broadly than HIPAA defines PHI and reaches entities HIPAA does not cover, such as consumer health and fitness apps. New York's SHIELD Act imposes reasonable-safeguard and breach-notification duties on any business holding private information of New York residents, whether or not the business is a HIPAA Covered Entity. Texas HB 300 expands the definition of Covered Entity to anyone who 'obtains, assembles, collects, analyzes, evaluates, stores, or transmits PHI,' which can pull non-clinical SaaS vendors into Texas's HIPAA-equivalent framework. For practices operating in multiple states, the most restrictive applicable law sets the bar, not HIPAA alone.
9. Risk-analysis documentation — what HHS auditors look for
When the HHS Office for Civil Rights (OCR) opens a HIPAA investigation, the first document it asks for is your written Security Risk Analysis. Per HHS guidance and its enforcement record (the St. Joseph Health $2.14M settlement in 2016, the University of Texas MD Anderson Cancer Center $4.3M civil money penalty in 2018, later vacated on appeal in 2021, and numerous other Resolution Agreements), a deficient or missing risk analysis is one of the most frequently cited compliance failures. The analysis must cover: scope (what ePHI exists and where it flows), threat identification (technical, environmental, human), vulnerability assessment, likelihood-and-impact rating, current controls inventory, residual risk determination, and a risk management plan that addresses identified gaps. It must be PERIODIC (typically annual) and event-driven (new vendor, system change, breach). Most operators dramatically underestimate the depth required; a one-page checklist does not satisfy 45 CFR §164.308(a)(1)(ii)(A).
10. Practical onboarding checklist for HIPAA-covered e-signature workflows
Before sending the first PHI-bearing form through any e-signature platform: (1) confirm the practice qualifies as a Covered Entity (or is a Business Associate of one); (2) execute the BAA with the e-signature vendor — verify the BAA template addresses all 45 CFR §164.504(e)(2) required elements; (3) complete a Security Risk Analysis covering the new workflow; (4) document workforce HIPAA training on the new platform (45 CFR §164.530(b)); (5) configure unique user accounts with role-based access (no shared credentials); (6) test the audit-log export and retention policy; (7) document an incident-response plan for the platform (who to call, what to preserve, how to notify); (8) calendar the annual risk-analysis refresh. Cutting any step is a finding waiting to happen if HHS audits you later.
Which workflow fits your situation?
Solo therapist collecting telehealth consent forms
Recommended: Either execute a BAA with a HIPAA-aware platform OR keep the consent form on paper and store the signed PDF in a HIPAA-compliant storage system.
Why: A telehealth consent contains PHI (the fact that a specific patient is receiving treatment). Without a BAA in place, electronic signature collection through any consumer SaaS — including Formfy — is a HIPAA violation regardless of encryption claims.
Med spa collecting cosmetic procedure waivers
Recommended: Determine whether your practice qualifies as a HIPAA Covered Entity. Many cash-pay cosmetic-only practices that do not bill insurance are NOT Covered Entities.
Why: HIPAA applies only to Covered Entities (health plans, clearinghouses, and providers that transmit health information electronically in connection with a HIPAA standard transaction such as a claim) and to their Business Associates. A cosmetic-only med spa that never transmits such transactions electronically may fall outside HIPAA, but the moment it bills insurance for a single covered service, the entire practice may become a Covered Entity, and state law (CMIA, for example) may apply regardless. Consult counsel.
Healthcare staffing agency with credentialing forms
Recommended: Treat any form that references a candidate clinician’s prior patient interactions or licensing-board records as PHI-adjacent, and run it through your HIPAA workflow.
Why: Credentialing files often contain clinical-incident references and state-board complaints. A clinician's own licensing record is not PHI, but where those entries identify specific patients or their care, that portion is PHI, and the Privacy Rule treats it exactly like any other patient record.
Hospital system with existing HIPAA-cleared vendor stack
Recommended: Use your existing BAA-covered vendor (Adobe Sign, DocuSign Healthcare, or similar enterprise tier) — not Formfy — until Formfy ships a BAA program.
Why: A hospital is a Covered Entity by default; using a non-BAA platform for any PHI-bearing form creates direct enforcement exposure. Stick with the procurement-approved vendor that already executed your BAA.
Sign documents with a defensible audit trail
Formfy captures timestamp, IP, and identity signals on every signature. 15-day free trial. No credit card.
Last verified: . This page is for general information and is not legal advice. Consult counsel for jurisdiction-specific guidance.
