Box Sign HIPAA compliance
I would like to use Box Sign for patients of a medical practice to complete and sign certain medical intake forms. In theory, Box Sign would be HIPAA compliant if not for one significant flaw that should be simple to fix.
Here's the issue...
When the document is completed and signed, the signer (medical patient in this case) gets an unencrypted email with a link to the signed document. Anyone with the link can view and download the document. If the unencrypted email is intercepted or hacked, the patient's protected healthcare information would be at risk.
To fix this, all you need to do is have an option to exclude the document link in the confirmation email. It would be best if we could customize the confirmation email, but at a minimum, we need the option to exclude the link.
This security flaw goes beyond HIPAA compliance. Any private information in a signed form is put at risk with the link included in the confirmation email.
