What HIPAA-eligible signing actually requires
HIPAA does not certify products, and the U.S. Department of Health and Human Services (HHS) does not bless software. A vendor's platform is at most HIPAA-eligible: compliance becomes possible only when the vendor signs a Business Associate Agreement (BAA) with you and you implement the Security Rule's administrative, physical, and technical safeguards on top.
SOC 2 Type II is a separate, voluntary attestation. An independent auditor confirms that a vendor's security, availability, and confidentiality controls (plus any other Trust Services Criteria in scope) were designed and operated effectively over a defined period, typically 6 to 12 months. It tells you the controls are real. It does not, by itself, make your workflow HIPAA-compliant. You need the BAA too.
The five-step setup
- Get the BAA. Confirm the vendor offers one and which plan tier it is gated to (almost always enterprise or higher), then sign it before any PHI moves through the system. Read it for breach-notification windows, sub-processor disclosures, and what happens to PHI on termination (return or destruction, and what the vendor keeps if neither is feasible).
- Verify SOC 2 Type II. Request the latest report under NDA and check the period-of-coverage dates on the cover page; if the period ended more than a few months ago, ask for a bridge letter. Read the auditor's opinion and any listed exceptions, not just the control matrix. Look for TLS 1.2 or higher in transit, AES-256 at rest, role-based access controls, audit logging, and a documented incident-response process.
- Configure signer authentication. HIPAA's person-or-entity authentication requirement (45 CFR 164.312(d)) and the ESIGN Act's intent-to-sign requirement (combined with UETA's attribution rule in section 9) push you past click-through signing. Use Knowledge-Based Authentication, SMS one-time codes sent to a pre-collected phone number (weaker against SIM swap, so reserve it for lower-risk documents), MFA on portal accounts, or government-ID with selfie matching for higher-stakes contracts. Record which method was used for each signer, because that record is what you will produce if attribution is ever disputed.
- Verify the audit trail. A defensible trail captures the document hash before and after signing, the signer's IP address and user agent, the authentication method used, the versions of the disclosure and consent language shown, and authoritative timestamps anchored to an external clock. Each entry should be stored so that a later edit to any one of them is detectable. This evidence model satisfies ESIGN and UETA and supports an eIDAS simple electronic signature; eIDAS advanced and qualified signatures additionally require certificate-based signing under the signer's sole control, which no audit trail substitutes for. The e-signature audit trail schema lays out the fields to capture.
- Set retention. HIPAA's Privacy Rule (45 CFR 164.530(j)(2)) and Security Rule (45 CFR 164.316(b)(2)(i)) require certain documentation, including signed authorizations, BAAs, and audit logs, to be retained for at least six years from creation or from the date the record was last in effect, whichever is later. HIPAA itself sets no retention period for the underlying medical records; state law usually does, and it is often longer than six years.
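The evidence model from the audit-trail step, as an added example that is not code from this page or from any platform named on it: a minimal hash-chained trail that records the fields listed above and a verifier that catches an altered entry, a dropped entry, or a document that no longer matches the recorded hash. The sample documents, IP address, user agent, and fixed timestamp are constructed for the example; a production trail would take its timestamps from a trusted external source such as an RFC 3161 timestamp authority, which this block only stands in for with a fixed value.

```python
"""Hash-chained e-signature audit trail with a verifier (illustrative, not vendor code)."""
import hashlib
import json

# Constructed sample documents: the record as presented, and the record after signing.
UNSIGNED_DOC = b"%PDF-1.7 HIPAA authorization to disclose PHI (unsigned, example bytes)"
SIGNED_DOC = b"%PDF-1.7 HIPAA authorization to disclose PHI /Sig <<example>> (signed)"

# Constructed, fixed timestamp so the example is deterministic. In production this
# value would be anchored to an external clock (e.g. an RFC 3161 timestamp token).
TRUSTED_TIME = "2024-05-01T14:03:07+00:00"

GENESIS = "0" * 64  # prev_hash of the first entry in a trail


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(event: dict) -> bytes:
    """Deterministic serialization so every verifier hashes identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(trail: list, **fields) -> dict:
    """Append an entry whose hash covers its own fields plus the previous entry's hash."""
    event = {
        "seq": len(trail),
        "prev_hash": trail[-1]["event_hash"] if trail else GENESIS,
        **fields,
    }
    event["event_hash"] = sha256_hex(canonical(event))
    trail.append(event)
    return event


def build_trail(unsigned: bytes, signed: bytes, signer_ip: str, user_agent: str,
                auth_method: str, consent_version: str, timestamp: str) -> list:
    """Record the three events a signing ceremony must leave behind."""
    trail: list = []
    append_event(trail, type="document_presented", doc_hash=sha256_hex(unsigned),
                 consent_version=consent_version, signer_ip=signer_ip,
                 user_agent=user_agent, timestamp=timestamp)
    append_event(trail, type="signer_authenticated", auth_method=auth_method,
                 signer_ip=signer_ip, user_agent=user_agent, timestamp=timestamp)
    append_event(trail, type="document_signed", doc_hash=sha256_hex(signed),
                 signer_ip=signer_ip, user_agent=user_agent, timestamp=timestamp)
    return trail


def verify_trail(trail: list, unsigned: bytes, signed: bytes) -> list:
    """Return a list of problems; an empty list means the trail verifies."""
    problems = []
    prev = GENESIS
    for i, event in enumerate(trail):
        body = {k: v for k, v in event.items() if k != "event_hash"}
        if event.get("seq") != i:
            problems.append(f"event {i}: sequence gap")
        if event.get("prev_hash") != prev:
            problems.append(f"event {i}: broken chain")
        if sha256_hex(canonical(body)) != event.get("event_hash"):
            problems.append(f"event {i}: contents altered")
        prev = event.get("event_hash")
    # The recorded hashes must match the documents you can actually produce today.
    expected = {"document_presented": sha256_hex(unsigned),
                "document_signed": sha256_hex(signed)}
    for event in trail:
        want = expected.get(event.get("type"))
        if want is not None and event.get("doc_hash") != want:
            problems.append(f"event {event.get('seq')}: document hash mismatch")
    if not any(e.get("type") == "signer_authenticated" for e in trail):
        problems.append("no authentication event recorded")
    return problems


def demo() -> tuple:
    """Build a clean trail, then show that downgrading the recorded auth method is caught."""
    trail = build_trail(UNSIGNED_DOC, SIGNED_DOC, "203.0.113.7",
                        "Mozilla/5.0 (constructed example UA)", "sms_otp",
                        "consent-v3", TRUSTED_TIME)
    clean = verify_trail(trail, UNSIGNED_DOC, SIGNED_DOC)
    tampered = json.loads(json.dumps(trail))
    tampered[1]["auth_method"] = "click_through"  # edit made after the fact
    return clean, verify_trail(tampered, UNSIGNED_DOC, SIGNED_DOC)


if __name__ == "__main__":
    clean, bad = demo()
    print("clean trail problems:", clean)
    print("tampered trail problems:", bad)
```

The chain only proves internal consistency of the trail; it does not prove when an entry was written. That is why the timestamp field has to come from an external clock you do not control, and why the trail itself should be stored under the same six-year retention as the signed record.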
Common platforms
Anvil, DocuSign, Dropbox Sign, Adobe Acrobat Sign, PandaDoc, and signNow all publish SOC 2 Type II reports and offer a BAA, but most gate it to enterprise or corporate-tier plans, which is the usual procurement surprise. Whichever platform you pick, the same eight items have to be true before you collect a signature: BAA on file, current SOC 2 report reviewed, encryption verified, authentication chosen, audit trail confirmed, six-year retention set, access controls reviewed, and disclosure-and-consent language reviewed by counsel.