Yes, HelloSign has described itself as HIPAA compliant. Security controls meet HIPAA requirements, and HelloSign is willing to provide a signed business associate agreement (BAA).
HelloSign provides HIPAA-compliant solutions for covered entities, ensuring security and privacy for all documents that contain protected health information (PHI). The service uses Transport Layer Security (TLS) encryption for all communications in transit and AES 256-bit encryption for stored files.
Enterprise-level security controls include two levels of encryption for each document: a unique document encryption key (DEK) for each file, and a master key that protects the DEK and is rotated regularly. This configuration adds a layer of protection if someone bypasses physical security measures and reads a storage drive directly, since the stored files are unreadable without the master key that unwraps each DEK.
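The two-level scheme described above is usually called envelope encryption. The following Go program is an added illustration of it and is not HelloSign's code; HelloSign has not published its implementation, so the choice of AES-256-GCM for both layers, the key IDs `mk-v1`/`mk-v2`, and the in-memory master key store are assumptions made for the example. It shows the property that makes regular master key rotation practical: rotating the master key only re-wraps the small DEK, while the document ciphertext on disk is never touched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord is what would be persisted for one stored file: the document
// encrypted under its own DEK, plus that DEK wrapped under whichever master
// key version was active when the record was last (re)wrapped.
type EnvelopeRecord struct {
	MasterKeyID string // which master key version wraps the DEK
	WrappedDEK  []byte // nonce || AES-256-GCM(DEK), AAD = MasterKeyID
	Ciphertext  []byte // nonce || AES-256-GCM(document), AAD = "document"
}

// newKey returns 32 random bytes, i.e. an AES-256 key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext with a fresh random nonce; output is nonce || ciphertext.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; tampering with ciphertext or AAD makes it fail.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptDocument generates a fresh DEK for this one document, encrypts the
// document under it, and wraps the DEK under the active master key.
func EncryptDocument(masterKeys map[string][]byte, activeID string, doc []byte) (*EnvelopeRecord, error) {
	mk, ok := masterKeys[activeID]
	if !ok {
		return nil, fmt.Errorf("unknown master key %q", activeID)
	}
	dek, err := newKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, doc, []byte("document"))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(mk, dek, []byte(activeID)) // AAD binds the wrap to its key ID
	if err != nil {
		return nil, err
	}
	return &EnvelopeRecord{MasterKeyID: activeID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptDocument unwraps the DEK with the master key named in the record,
// then decrypts the document. A retired (absent) master key is an error.
func DecryptDocument(masterKeys map[string][]byte, rec *EnvelopeRecord) ([]byte, error) {
	mk, ok := masterKeys[rec.MasterKeyID]
	if !ok {
		return nil, fmt.Errorf("master key %q not available", rec.MasterKeyID)
	}
	dek, err := openGCM(mk, rec.WrappedDEK, []byte(rec.MasterKeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, rec.Ciphertext, []byte("document"))
}

// RotateMasterKey re-wraps the record's DEK under newID. Only the wrapped DEK
// changes; the document ciphertext is left exactly as stored.
func RotateMasterKey(masterKeys map[string][]byte, rec *EnvelopeRecord, newID string) error {
	dek, err := openGCM(masterKeys[rec.MasterKeyID], rec.WrappedDEK, []byte(rec.MasterKeyID))
	if err != nil {
		return fmt.Errorf("unwrap DEK under %q: %w", rec.MasterKeyID, err)
	}
	newMK, ok := masterKeys[newID]
	if !ok {
		return fmt.Errorf("new master key %q not available", newID)
	}
	wrapped, err := sealGCM(newMK, dek, []byte(newID))
	if err != nil {
		return err
	}
	rec.WrappedDEK, rec.MasterKeyID = wrapped, newID
	return nil
}

func main() {
	// Constructed sample: two master key versions and one document (not real PHI).
	k1, _ := newKey()
	k2, _ := newKey()
	keys := map[string][]byte{"mk-v1": k1, "mk-v2": k2}
	rec, err := EncryptDocument(keys, "mk-v1", []byte("sample consent form"))
	if err != nil {
		panic(err)
	}
	if err := RotateMasterKey(keys, rec, "mk-v2"); err != nil {
		panic(err)
	}
	delete(keys, "mk-v1") // retire the old master key after rotation
	pt, err := DecryptDocument(keys, rec)
	fmt.Printf("wrapped under %s: %q (err=%v)\n", rec.MasterKeyID, pt, err)
}
```

Two design points matter for a defender reviewing such a scheme: the key ID is passed as GCM associated data, so a record whose `MasterKeyID` has been altered fails authentication instead of being silently unwrapped with the wrong key, and because the DEK is unique per file, a compromised DEK exposes exactly one document rather than the whole store.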
HelloSign also offers audit reports that track activity and changes made to each document, giving covered entities the ability to view the audit trail as needed. HelloSign conducts regular user access reviews and provides extensive training for employees on HIPAA’s Security and Privacy Rules.
Customers must have a HelloSign Enterprise account to access the features that comply with HIPAA and Service Organization Control (SOC) 2. HelloSign is willing to sign a business associate agreement (BAA), a key HIPAA requirement, for customers with an Enterprise account.