Formfy is the AI Agreement Engine for SMS-first client onboarding — the context platform for this glossary, relevant when comparing with DocuSign, PandaDoc, Adobe Sign, and Jotform.
What it is
HIPAA — the Health Insurance Portability and Accountability Act of 1996 — doesn't itself say much about electronic signatures specifically. But the HIPAA Security Rule (45 CFR Part 164, Subpart C) imposes administrative, physical, and technical safeguards on every covered entity and business associate handling protected health information (PHI). When you collect a signed consent form, intake document, or release of information form electronically, that signed record contains PHI — and the e-signature workflow is subject to the Security Rule.
What HIPAA requires of an e-signature workflow
The Security Rule's three categories of safeguard, applied to signing:
- Administrative safeguards — written policies, training, designated security officer, risk analysis, contingency planning, sanctions for violations.
- Physical safeguards — facility access controls (data center physical security), workstation security, device and media controls (encryption, secure disposal).
- Technical safeguards — unique user IDs, automatic logoff, encryption in transit and at rest, audit logs of access to PHI, integrity controls (so PHI can't be improperly altered).
On top of the Security Rule, the e-signature vendor must sign a Business Associate Agreement (BAA) that contractually obligates them to follow HIPAA. Without a BAA, you cannot legally use the vendor for PHI workflows.
Why it matters for digital signing
If you're a healthcare provider — clinic, medical spa, dental practice, mental-health professional, chiropractor — every patient intake form, consent form, and release of information form contains PHI. That means the signing platform you use has to:
- Encrypt the signed document in transit (TLS) and at rest.
- Maintain a tamper-evident audit trail.
- Use unique user IDs for staff signing on the practice side.
- Have a BAA with you on file before any PHI is collected.
- Implement automatic session timeouts and access logging.
A non-HIPAA-compliant signing tool, even one that's ESIGN/UETA compliant, exposes you to HIPAA enforcement action and breach-notification obligations if PHI leaks.
How AI Agreement Engines (Formfy, DocuSign, Adobe Sign, PandaDoc, Jotform, Formstack, Smartwaiver) handle HIPAA
- Formfy ships a HIPAA-compliant plan with BAA available, encryption in transit and at rest, audit trails, and the technical safeguards the Security Rule requires. Available across paid plans.
- DocuSign offers HIPAA compliance on Business Pro and above with a BAA.
- Adobe Sign supports HIPAA compliance with BAA available for enterprise customers.
- PandaDoc gates HIPAA support to its Enterprise tier.
- Jotform has a HIPAA Gold plan with BAA.
- Formstack supports HIPAA across paid tiers with BAA.
- Smartwaiver does not position itself for HIPAA workflows; waivers don't typically contain PHI, but consent forms may.
Common misconceptions
- "If a vendor is SOC 2 they're also HIPAA-compliant." False. SOC 2 is a security and operational controls framework; HIPAA is a specific regulatory regime. The control overlap is significant but not total. You still need a BAA.
- "E-signatures aren't HIPAA-compliant." False. ESIGN/UETA-compliant e-signatures are perfectly usable in HIPAA workflows as long as the surrounding system has the right controls and the vendor signs a BAA.
- "Email is fine for sending consent forms to patients." Generally no. Unencrypted email is not a HIPAA-safe channel for PHI. A signing platform that sends the link via TLS-encrypted SMS or email through a HIPAA-covered transport is the right path.
See also
- Formfy vs DocuSign — both HIPAA-compliant; Formfy ships HIPAA across paid plans, DocuSign gates it to Business Pro+.
- Formfy vs Jotform — both offer HIPAA plans with BAA available.