HIPAA & BAA · E-signature
Is DocuSign HIPAA compliant?
Conditionally. DocuSign signs a standard Business Associate Agreement (BAA), generally for enterprise-tier customers and on request. Once the BAA is executed and the account is configured correctly, DocuSign can be used for e-signature workflows that involve PHI. Without an executed BAA, sending PHI through DocuSign is a disclosure to a vendor that has no business-associate obligations, which HIPAA does not permit.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Typically available on enterprise-level plans; DocuSign provides a standard BAA on request. Confirm eligibility and the current process with DocuSign for your specific subscription.
- Official source: DocuSign — Healthcare Solutions — https://www.docusign.com/solutions/industries/healthcare (verified 2026-06)
How to use DocuSign in a HIPAA-compliant way
- Confirm with DocuSign that your plan is eligible for a BAA (generally enterprise-level) and request the standard BAA.
- Execute the BAA before sending or storing envelopes that contain PHI.
- Configure the technical safeguards before the first envelope containing PHI is sent: recipient authentication stronger than an emailed link (access code, phone/SMS, or identity verification), SSO or MFA plus least-privilege permission profiles for senders and admins, and retention of the envelope audit trail (the certificate of completion). Encryption in transit and at rest is provided by the service, but the access and authentication settings are yours to set.
- Restrict who can send and administer envelopes that contain PHI, and keep PHI out of products, features, and third-party integrations that the BAA does not cover; a connector that receives envelope data is a separate business associate and needs its own BAA.
- Record DocuSign in your risk analysis and business-associate inventory, and retain the executed BAA with your other HIPAA documentation (which must be kept for at least six years).
Important caveats
- BAA availability is generally limited to enterprise plans — verify your specific subscription qualifies.
- DocuSign provides a standard BAA; custom terms may not be accepted, and some products/features may be out of scope.
- The BAA covers DocuSign's obligations only. Recipients' devices, your own workstations, who you share completed envelopes with, and how you store downloaded PDFs remain your responsibility, so compliant configuration and your own administrative, physical, and technical safeguards are still required.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring DocuSign correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with DocuSign.
Frequently asked questions
Does DocuSign sign a BAA?
Yes, on specific plans, typically enterprise-level; DocuSign provides a standard BAA on request. Confirm eligibility and the current process with DocuSign for your subscription, and have the BAA executed before any PHI is sent or stored in an envelope.
Is DocuSign HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when DocuSign offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using DocuSign with PHI?
Check four things: that your subscription is eligible for a BAA (availability is generally limited to enterprise plans); that the BAA is executed and on file before any PHI is involved; that recipient authentication, access controls, and audit trails are configured for the account; and that every product, feature, and integration that will touch PHI is within the BAA's scope.