OneSpan Sign gets HIPAA compliant for the US healthcare industry

OneSpan Team,

If you work in the US healthcare industry, you are likely very familiar with HIPAA. HIPAA, the Health Insurance Portability and Accountability Act, is the US federal law whose Privacy and Security Rules set the standards for safeguarding protected health information (PHI).

Enacted in 1996, in part to set standards for the electronic transmission of certain patient data, HIPAA has governed the privacy of health records for over 20 years. Its obligations extend from front-line healthcare providers to the software vendors that store or transmit confidential patient information on their behalf, and everything in between. Failure to comply can result in civil and criminal penalties for healthcare providers and, since the 2013 Omnibus Rule, for their business associates as well.

As an electronic signature platform that transmits patient information to enable paperless authorizations, we are committed to helping healthcare and life sciences organizations meet their compliance and security obligations. That is why we recently worked through a checklist of HIPAA controls and safeguards for OneSpan Sign. Healthcare providers evaluating eSignature technology can select a HIPAA-compliant vendor with confidence as they go digital.

How is OneSpan Sign compliant with HIPAA?

According to the HIPAA Journal, a set of conditions must be met before eSignatures can be used under HIPAA rules. OneSpan Sign meets the following conditions:

  • Business Associate (BA) compliance: as a vendor that handles PHI on behalf of Covered Entities, OneSpan is a Business Associate under HIPAA, and OneSpan Sign has been taken through a checklist of the controls and safeguards a BA must have in place.
     
  • Legal compliance: OneSpan Sign complies with the Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA), which recognize e-signatures as legal and enforceable.
     
  • User authentication: Covered Entities (CEs) evaluating eSignatures must implement a system to validate the identity of signers, to avoid later disputes over whether the person who entered into an agreement had the authority to do so.

OneSpan Sign offers multiple authentication methods to help CEs verify a signer's identity at signing time. They differ widely in the assurance they provide: email alone only proves control of a mailbox, while government ID verification, client-side certificates and biometrics bind the signature to a vetted identity, so the method should be matched to the sensitivity of the PHI in the document:

  • Email
  • Q&A
  • Texting a one-time passcode (OTP) via SMS
  • Knowledge-based authentication (KBA)
  • Client-side digital certificates (e.g., smartcards, eIDs, etc.)
  • SSO
  • Biometrics (e.g., fingerprint and "selfie" authentication)
  • Government ID verification (with or without face comparison)
  • Digipass passkeys

OneSpan also supports:

  • Message integrity: anti-tampering controls protect the integrity of PHI both while the transaction is in progress and once it is complete. OneSpan Sign tamper-seals the document by applying a digital signature to the signature block after each signer has signed; if anyone later alters the document in any way, the signature no longer verifies, so the tampering is evident and the document is rendered invalid.
  • Non-repudiation: you need to be able to prove a signer's intent to sign if they later deny it. OneSpan Sign supports this with a detailed audit trail that logs every action the signer takes while reviewing and eSigning a document, and any alteration of the document is automatically detected. The audit trail also records the signer's identity, the validity of the digital certificate, the validity of the signing process, the authenticity of the document, and the time of signing.
  • Ownership and control: OneSpan Sign is hosted with technology partners such as Amazon Web Services in data centers around the world that carry SOC 1, 2 and 3, PCI DSS Level 1 and ISO 27001 attestations, use FIPS 140-2 validated cryptographic modules (FIPS 140-2 covers cryptographic modules, not facilities) and whose operators sign HIPAA Business Associate Agreements. Note that HIPAA has no formal certification scheme, so "HIPAA-compliant" hosting means the provider accepts BA obligations under a BAA; the Covered Entity remains responsible for configuring and using the service in a compliant way.
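To make the tamper-seal and audit-trail points above concrete, here is an added example; it is not OneSpan Sign's code or its actual signature format (OneSpan Sign applies its signatures to the document's signature blocks, whereas the envelope layout, the Ed25519 keys and the consent-form text below are all constructed for illustration). Each signer's seal is a digital signature over the document, the audit trail as it stood at that moment, and every earlier seal, so editing the document or rewriting an earlier audit entry after signing makes verification fail at the first seal that covered it:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash"
	"time"
)

// AuditEvent is one audit-trail entry: who did what, and when.
type AuditEvent struct {
	At             time.Time
	Signer, Action string
}

// Seal is one signer's tamper-seal: an Ed25519 signature over the document, the
// first AuditLen audit events and every earlier seal; changing any of them later invalidates it.
type Seal struct {
	Signer    string
	PublicKey ed25519.PublicKey
	AuditLen  int
	Signature []byte
}

type Envelope struct { // the signing transaction: document, audit trail, seals
	Document []byte
	Audit    []AuditEvent
	Seals    []Seal
}

// field hashes a length-prefixed value so fields cannot be re-split ambiguously.
func field(h hash.Hash, b []byte) {
	binary.Write(h, binary.BigEndian, uint32(len(b)))
	h.Write(b)
}

// sealInput is the message that seal number i signs.
func (e *Envelope) sealInput(i int, s Seal) []byte {
	h := sha256.New()
	field(h, e.Document)
	for _, ev := range e.Audit[:s.AuditLen] {
		field(h, []byte(ev.At.UTC().Format(time.RFC3339Nano)))
		field(h, []byte(ev.Signer))
		field(h, []byte(ev.Action))
	}
	for _, prev := range e.Seals[:i] { // chain to all earlier seals
		field(h, prev.Signature)
	}
	field(h, s.PublicKey)
	return h.Sum(nil)
}

// Sign logs the signing event, then seals everything accumulated so far.
func (e *Envelope) Sign(signer string, priv ed25519.PrivateKey, at time.Time) {
	e.Audit = append(e.Audit, AuditEvent{At: at, Signer: signer, Action: "signed"})
	s := Seal{Signer: signer, PublicKey: priv.Public().(ed25519.PublicKey), AuditLen: len(e.Audit)}
	s.Signature = ed25519.Sign(priv, e.sealInput(len(e.Seals), s))
	e.Seals = append(e.Seals, s)
}

// Verify re-derives every seal's input from the envelope as it is now; the
// first seal that fails shows after which signature the content was altered.
func (e *Envelope) Verify() error {
	for i, s := range e.Seals {
		if s.AuditLen > len(e.Audit) || !ed25519.Verify(s.PublicKey, e.sealInput(i, s), s.Signature) {
			return fmt.Errorf("seal %d (%s): document or audit trail altered after sealing", i, s.Signer)
		}
	}
	return nil
}

// Demo seals a constructed consent form for two signers, then edits the
// document and, separately, backdates an audit entry, reporting what verified.
func Demo() (intactOK, docTamperDetected, auditTamperDetected bool) {
	// Fixed seeds keep the demo reproducible; real keys come from crypto/rand or an HSM.
	patient := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	physician := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	env := &Envelope{Document: []byte("CONSENT: release records of patient 1234 to Dr. Lee")}
	env.Sign("patient", patient, t0)
	env.Sign("physician", physician, t0.Add(2*time.Hour))
	intactOK = env.Verify() == nil
	docEdit := *env // shares Audit and Seals; only the document text changes
	docEdit.Document = []byte("CONSENT: release records of patient 1234 to Dr. Mallory")
	docTamperDetected = docEdit.Verify() != nil
	auditEdit := *env
	auditEdit.Audit = append([]AuditEvent(nil), env.Audit...)
	auditEdit.Audit[0].At = auditEdit.Audit[0].At.Add(-24 * time.Hour) // backdate
	auditTamperDetected = auditEdit.Verify() != nil
	return
}

func main() {
	ok, doc, audit := Demo()
	fmt.Printf("intact: %v, document edit detected: %v, audit edit detected: %v\n", ok, doc, audit)
}
```

Two things this sketch leaves out that a production system must supply: trust in the signers' public keys (a certificate chain or the identity-proofing step that the authentication methods listed earlier provide) and an independent time source, since the timestamps here are whatever the signing service asserts; for non-repudiation you also want each seal time-stamped by a trusted authority.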

Background on HIPAA

HIPAA, formally the Health Insurance Portability and Accountability Act of 1996, is a set of regulations enacted as a multi-tiered approach to improving the health insurance system. Its Privacy and Security Rules protect the confidentiality of protected health information (PHI) in both physical and electronic form.

Covered Entities, which include healthcare providers, health plans and clearinghouses that use, store, maintain or transmit patient health information, must comply with HIPAA. Furthermore, the HIPAA Omnibus Rule of 2013 extended HIPAA's requirements, and direct liability for violating them, to Business Associates (BAs): vendors (like OneSpan) that help a Covered Entity carry out its activities and functions. Certain conditions apply; please contact OneSpan Sign for more information on eligibility.

The OneSpan Team is dedicated to delivering the best content to help you secure tomorrow's potential. From blogs to white papers, ebooks, webinars, and more, our content will help you make informed decisions related to cybersecurity and digital agreements.