OneSpan Sign Gets HIPAA Compliant for the U.S. Healthcare Industry

Dilani Silva

If you work in the U.S. healthcare industry, you are likely very familiar with HIPAA. HIPAA, the Health Insurance Portability and Accountability Act, is the US law ensuring privacy standards to protect patient medical records. Enacted in 1996 with the purpose of setting standards for the electronic transmission of certain patient data, HIPAA has been overseeing privacy compliance in health records for over 20 years. The law extends from front-line healthcare providers all the way to software solutions that may house confidential patient information, and everything in between. Failure to comply with HIPAA regulations can result in civil and criminal penalties for health care providers.

As an electronic signature platform that electronically transmits patient information to enable paperless authorizations, we are committed to ensuring healthcare and life sciences organizations meet compliance and security standards. That’s why we recently took the necessary steps based on a checklist of controls and safeguards to achieve HIPAA compliance. Now healthcare providers evaluating e-signature technology can feel confident selecting a HIPAA-compliant vendor to help them go digital.

How is OneSpan Sign compliant with HIPAA?

  According to the HIPAA Journal, there is a certain set of conditions for using e-signatures under HIPAA rules. OneSpan Sign meets the following conditions for HIPAA:

  • Business Associate (BA) compliance: OneSpan Sign took the necessary steps based on a checklist of controls and safeguards to achieve HIPAA compliance for its e-signature solution.
  • Legal compliance: We comply with the Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA), recognizing e-signatures as legal and enforceable.
  • User Authentication: Covered Entities (CEs) evaluating e-signatures must implement a system to validate the identity of signers to avoid disputes over whether the person who entered into an agreement had the authority to do so.

  OneSpan Sign offers multiple authentication methods to help CEs verify the signer’s identity upon signing:

  • Email
  • Q&A
  • SMS text code
  • Knowledge-based authentication (KBA)
  • Client-side digital certificates (e.g., smartcards, eIDs, etc.)
  • SSO / OAuth
  • Biometrics (e.g., fingerprint and "selfie" authentication)


  • Message integrity: Anti-tampering controls ensure the integrity of Patient Health Information (PHI), both in process and once completed. OneSpan Sign tamper-seals the document by applying a digital signature to the signature block after each signer has signed – and demonstrates evidence of tampering if someone attempts to alter the document in any way, rendering it invalid.

  To further secure documents, we also use standard digital hashing, encryption and public key infrastructure.  

  • Non-repudiation: It’s important to prove your signer’s intent to sign in case they deny it. OneSpan Sign ensures you can prove signer intent by providing legal evidence in the form of a detailed audit trail that actively records every action the signer takes in reviewing and e-signing a document.

Every time a document is altered, the change is automatically detected and you are alerted to it. Also recorded are the signer's identity, the validity of the digital certificate, the validity of the signing process, the authenticity of the document and the accurate time of signing.

  • Ownership and control: OneSpan Sign leverages global data center networks with technology partners such as Amazon Web Services to host its solution in state-of-the-art SOC 1, 2, 3, PCI DSS Level 1, ISO 27001, FIPS 140-2 and HIPAA-compliant data centers around the world.

Background on HIPAA

HIPAA, formally known as the Health Insurance Portability and Accountability Act of 1996, is a set of regulations that were enacted as a multi-tiered approach aimed at improving the health insurance system. HIPAA has specifications that ensure the confidentiality and privacy of protected health information (PHI) in both physical and digital form.

Covered Entities (CEs), which include healthcare providers that use, store, maintain or transmit patient health information, are expected to be compliant with HIPAA. Furthermore, the HIPAA Omnibus Rule, enacted in 2013, put further safeguards on PHI by extending the requirement for HIPAA compliance to Business Associates (BAs). BAs include vendors (like OneSpan Sign) that help a Covered Entity carry out its activities and functions. Certain conditions apply – please contact OneSpan Sign for more information on eligibility.

Dilani Silva is a Product Marketing Manager at OneSpan. In her role, she manages and executes the go-to-market strategy, positioning, messaging and sales enablement for OneSpan’s e-signature solution, OneSpan Sign.