Security · HIPAA

HIPAA compliance built into every document session.

Docuplete is used by healthcare providers, health plans, and business associates who handle Protected Health Information (PHI). This page explains the controls in place, who qualifies for a BAA, and what HIPAA compliance looks like in a Docuplete document session.

Who needs a BAA with Docuplete?

Under HIPAA, a Business Associate Agreement (BAA) is required whenever a covered entity, or a business associate acting for one, shares PHI with a service provider that creates, receives, maintains, or transmits PHI on its behalf. If you are a covered entity (a healthcare provider, health plan, or healthcare clearinghouse), or a business associate of one, and you use Docuplete to collect, process, or transmit PHI, you need a BAA.

Docuplete provides a BAA for customers on qualifying plans. View the Docuplete BAA →

How Docuplete protects PHI

Every document session in Docuplete that handles PHI is protected by the following technical safeguards:

  • AES-256-GCM encryption at rest — Client interview answers, including all PHI fields, are encrypted using AES-256-GCM authenticated encryption on all paid plans. Because GCM is an authenticated mode, a stored ciphertext that has been altered fails authentication on decryption instead of yielding silently corrupted data. Sensitive fields are never stored in plaintext.
  • TLS in transit — All data between clients, Docuplete servers, and your integrations is transmitted over TLS. Together with encryption at rest, this means PHI is encrypted both while it moves and while it is stored.
  • OTP identity verification — Before a patient can sign a document, they must enter a one-time code sent to the email address the session was issued to. This proves control of that address at signing time and creates a verification record tied to the signature; the strength of the identity claim therefore rests on the address your staff entered for the patient.
  • RFC 3161 trusted timestamp — Every signed document receives a trusted timestamp from an independent Time Stamping Authority (TSA): a TSA-signed token over the document's hash that proves the document existed, in that exact form, at the time recorded.
  • SHA-256 tamper detection — A SHA-256 hash of every completed document is recorded at generation time. Any modification to the file after signing produces a hash mismatch.
  • Full audit trail — Every session generates a complete record: session creation, OTP verification, signature event, and submission — each with a precise timestamp, IP address, and device fingerprint.
  • Multi-tenant isolation — Every query is scoped to your organization. PHI from other Docuplete customers is inaccessible by design, enforced at both the database and API middleware levels.

What HIPAA requires for document workflows

HIPAA's Security Rule requires covered entities and business associates to implement technical safeguards for electronic PHI (ePHI). For a document workflow like Docuplete's, the most relevant safeguards are:

  • Access control — Only authorized users can access sessions and documents. Docuplete uses tokenized session links, each scoped to a single patient or client, so a link issued for one session grants no access to any other.
  • Audit controls — Docuplete maintains a complete audit trail for every session, including who accessed it, when, and what actions were taken.
  • Integrity — SHA-256 document hashing ensures ePHI stored in the completed PDF cannot be altered after generation without detection.
  • Transmission security — TLS encrypts all ePHI in transit between the patient, Docuplete servers, and your systems.
  • Authentication — OTP verification confirms patient identity before allowing signature on documents containing ePHI.

Important: HIPAA compliance is a shared responsibility. Docuplete provides the technical controls described above. Your organization is responsible for appropriately using Docuplete, limiting staff access, and training staff on HIPAA obligations.

Common HIPAA use cases in Docuplete

  • Patient intake forms — Collecting demographic, insurance, and medical history information before appointments.
  • HIPAA authorization for release of information — Capturing patient authorization for disclosure of health information with OTP-verified signature.
  • Prior authorization forms — Collecting clinical information for insurance prior auth requests.
  • Telehealth consent forms — Documenting informed consent for telemedicine encounters.
  • Medical history forms — Comprehensive health history questionnaires for new patient onboarding.

Questions about HIPAA compliance?

Contact us to discuss your specific use case, get a BAA, or talk through your compliance requirements.