Electronic signature for healthcare, consent before care.

Document eSign is HIPAA-aware and offers a HIPAA-eligible Business Associate Agreement (BAA) on the Enterprise plan for workflows that handle protected health information. The platform supports the controls a BAA expects - AES-256 encryption at rest, TLS 1.2+ in transit, custom consent capture, and access logging - but it does not replace your own HIPAA compliance program, training, or policies. You stay responsible for how your practice handles PHI; Document eSign covers the signing and record-keeping piece under the BAA. To put a BAA in place before you send any PHI, reach out through the contact page. Until that agreement is signed, do not route documents that contain protected health information through the platform.

If you are handling protected health information, yes - put a HIPAA-eligible Business Associate Agreement in place first. A BAA is the contract that lets a vendor process PHI on your behalf, and it is available on the Enterprise plan. Reach out through the contact page and we will set it up before you send anything that contains PHI. If a form carries no protected health information - a general staff acknowledgment, a marketing release with no clinical detail - you do not need a BAA to collect that signature, and the Free and Business plans work fine for it. When in doubt about whether a specific form counts as PHI, treat it as PHI and get the BAA in place first.

Yes. Patients open a secure link from their email and sign in the browser - no signup, no app, nothing to install. They review the form, agree to your consent wording, and sign by typing or drawing, then the completed PDF comes back sealed with a certificate of completion. At the front desk you can also hand a patient a tablet to sign intake and consent in person, locked to the one form so they cannot navigate away. Both paths - remote link and in-person tablet - land on the same tamper-evident audit trail, so it does not matter whether the patient signed from home the night before or in the waiting room two minutes before the visit.

Yes. Electronically signed consent forms are recognized under the U.S. ESIGN Act of 2000 and state UETA laws, and they carry the same legal weight as a wet-ink signature when the signer intended to sign, consented to signing electronically, the signature is attributed to them, and a record is retained. Document eSign captures all four on every form: each completed document gets a certificate of completion that records the consent agreement, the timestamp, the signer's IP address, and the device used, on an append-only audit trail. The finished PDF is sealed so any later change breaks the seal. That package is materially stronger evidence of consent than a scanned paper form, which carries none of that metadata.

Yes. You can replace the default ESIGN consent notice with your own treatment, telehealth, or PHI consent language, set either per template or across the whole workspace, which matters when a clinical or regulatory requirement calls for specific disclosure wording. The patient is shown your text and must agree to it before the form opens for signing, and that agreement - the exact wording, the timestamp, and the patient's IP - is written to the certificate of completion alongside the signature. The consent itself becomes part of the defensible record rather than a separate step you have to evidence later. Practices use this for consent to treatment, financial responsibility forms, and HIPAA authorizations where the disclosure language is part of what makes the form valid.

Yes. Require an emailed one-time passcode (OTP) so the patient must enter a code sent to their email before the form opens, or set a per-signer access PIN that you share separately out-of-band, so only the intended patient can sign. For either method, the verification type, the time it happened, the patient's IP address, and their device are all recorded on the certificate of completion next to the signature, so the proof of who signed travels with the form. This matters most on authorizations and records-release forms where attribution is worth documenting. SMS one-time-passcode verification is coming soon as an additional phone-based factor.

Yes. Bulk send takes one consent template and a CSV of your patient list and creates a separate, personalized envelope for each person - up to 5,000 per batch - so a yearly consent refresh across a whole panel runs as a single tracked job rather than hundreds of manual sends. Each patient gets their own private record and their own certificate of completion; nobody sees anyone else's form. You watch live progress as envelopes go out and get completed, and any rows that fail to send - a bad email address, a missing field - are exported so you can fix and resend just those. Bulk send is on the paid plans.

Yes. Telehealth consent can be signed electronically under the ESIGN Act and UETA, the same as any other consent form. Send the form to the patient to sign in their browser before the visit: they tap the secure link, agree to your telehealth consent wording, and sign from a phone, tablet, or laptop with nothing to install. The consent agreement, the timestamp, and the patient's IP are captured on the certificate of completion, so you have a dated, attributed record that the patient consented before the appointment started. Many practices send telehealth consent the day before the visit so it is done by the time the patient joins the call, and it lands sealed in your workspace the moment they finish.

Documents are encrypted with AES-256 at rest and TLS 1.2+ in transit, so forms are protected both while stored and while moving between the patient and your workspace. On the Enterprise plan you can add single sign-on (SSO), IP allowlisting, and data residency, alongside the HIPAA-eligible BAA that governs how protected health information is handled. Every form also carries its own append-only access and audit trail, so you can see who opened, signed, viewed, or exported a record and when. Nothing is auto-deleted or expired - a signed consent stays in your workspace until you choose to remove it - so your retention is driven by your own policy, not by the platform aging documents out from under you.

No. Document eSign is for document e-signatures - consent forms, intake, authorizations, provider agreements - and it does not support electronic prescribing of controlled substances (EPCS), which has its own dedicated DEA requirements for identity proofing and two-factor signing that a general e-signature tool does not meet. It also does not provide remote online notarization (RON). For e-prescribing you need a certified EPCS system, and for any form your jurisdiction requires to be notarized you need a separate notary. For the very large set of patient and provider forms that need a signature but not e-prescribing or notarization, an e-signature with a full audit trail and a sealed certificate is sufficient and defensible.