HIPAA Security

Your HIPAA Questions Answered

Does DocVerify conform with HIPAA?

DocVerify does not collect protected health information (PHI), and DocVerify is not an EMR. DocVerify allows electronic signatures to be completed on existing documents in a way that permits security requirements with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) — a United States law. As a business associate to covered entities, DocVerify has adopted measures to ensure that it conforms with HIPAA and any business associate agreements it enters into. DocVerify allows its users to allow end users to electronically sign documents if they have a HIPAA-enabled account and a business associate agreement in place.

What does it mean to be "HIPAA compliant"?

For DocVerify, being "HIPAA Compliant" means that we offer a service that enables covered entities to send and manage signed documents in a manner that conforms with HIPAA. As part of offering this service, DocVerify ensures that it operates in a way that is consistent and compatible with those laws and DocVerify's role as a business associate to a covered entity user.

What is a HIPAA-enabled account? How do I get a HIPAA-enabled account? How do I enter into a BAA with DocVerify?

A HIPAA-enabled account is an account which DocVerify permits to send and receive documents to be electronically signed, and to securely view those electronically signed documents. In accordance with our Terms of Use, users may only send documents to be e-signed if they have a HIPAA-enabled accounts. HIPAA-enabled accounts also possess additional features which are geared towards assisting covered entities to comply with HIPAA.

HIPAA-enabled accounts are available at nominal fee as an optional add-on to an Enterprise or higher editions. If you have an Enterprise edition subscription, you may HIPAA-enable your account by entering into a business associate agreement (BAA) with DocVerify.

Please contact DocVerify Sales for more information.

Please note:

• DocVerify account holders must ensure that the BAA is only accepted by someone authorized to enter into a BAA from their organization. This may mean that the “name” field in the BAA acceptance form may need to be the name of someone other than the account holder.
• DocVerify is not an EMR, and DocVerify's Terms of Use prohibit the collection of any PHI using DocVerify.
• HIPAA-enabling your account is a one-way street. Once an account is HIPAA-enabled, it cannot be reverted to a non-HIPAA account. If the BAA is terminated, your account will also need to be closed.

Can I purchase multiple HIPAA-enabled accounts for my organization through DocVerify Enterprise?

Yes! Each master account must enter into its own BAA agreement within the same organization. One BAA covers an entire Enterprise Master Account HIPAA Group.

Will DocVerify enter into our business associate agreement?

Covered entities are required by HIPAA to have a written contact in place with each of their business associates that meets the applicable requirements under HIPAA.

DocVerify offers a standard form BAA which meets the requirements of HIPAA and lets covered entities enter into it online via a convenient clickthrough mechanism. When a covered entity accepts the BAA, the name and title of the individual signing on behalf of the entity is recorded, along with the date of acceptance. A copy of the BAA is then emailed, and made available for download for future reference through DocVerify. Upon acceptance of the BAA, an account will be converted into a HIPAA-enabled account.

We acknowledge that some covered entities have certain items they need to include in BAAs with their business associates. Due to the fact that we offer HIPAA-enabled accounts at a low nominal fee, we do not negotiate customer form BAAs. However, we are open to negotiating our standard BAA for a fee.

Can I get a copy of your standard BAA to review?

You can view a copy of our standard BAA here: Business Associate Agreement (Preview Version Only)

What security measures does DocVerify Employ?

As required by HIPAA, we implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we receive, maintain, and transmit on behalf of covered entities with respect to their HIPAA-enabled accounts. These safeguards include measures required by the Security Rule, such as:

• Regular risk assessments of systems to ensure that safeguards remain relevant and effective
• Assigned security team which is responsible for maintaining compliance with HIPAA’s security requirements
• Screening, authorization, and training of DocVerify staff who come into contact with customer data
• Data backup plans
• Disaster recovery plans
• Systems regularly monitored, updated, and patched
• Incident response plan that includes reporting of security incidents to affected covered entities
• All authenticated communications with DocVerify servers encrypted with SSL

For more information, see our Security Page.

Can HIPAA-enabled accounts be reverted into a regular account? Can I downgrade my editions?

No. Once you convert to a HIPAA-enabled account and/or edition, it cannot be reverted back to a regular account. If you want a regular account or a lower-tier plan, you must open a new account. Note that you can download your documents at any time within your retention period, but you must be very careful not to download documents that may contain PHI (we prohibit the collection of PHI, and regular accounts are not covered by a BAA).

What happens if I decide not to renew my HIPAA-enabled account?

If you decide you no longer need to use DocVerify and do not renew your HIPAA-enabled account, your account will be placed into a suspended state. While suspended, DocVerify will preserve all data contained in the account and continue to treat it in accordance with the BAA. However, you will not be able to access your documents or account directly (except for limited billing and account administration functions).

DocVerify will retain a suspended account for the period of time stated in the BAA in order to provide you with an opportunity to unsuspend your account by renewing it. At the end of the suspension period, DocVerify will close your account and delete all data and documents in it.

While an account is suspended, you may also request DocVerify to allow temporary access, or request DocVerify to close your account immediately. Contact our customer support team to do so.

What happens if I close my HIPAA-enabled account or terminate my BAA?

If you close your HIPAA-enabled account, the BAA will terminate.

If you terminate the BAA, then, subject to the terms of the BAA, your HIPAA-enabled account will be closed, and all users under that master account will also lose access. Our standard BAA is written in a way as to always provide you with an opportunity to save a copy of your documents before your account gets closed.

Does HIPAA apply to me?

If you are not a "covered entity" (as defined by HIPAA), or are not using DocVerify to collect or store PHI (generally any information about the health status, provision of health care, or payment for health care that can be linked to a specific individual, such as an individual’s name and/or contact details combined with information about health care that the individual received), then HIPAA likely does not apply to your use of DocVerify.