HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data.
The eSignature token used in the extendedReach URL is unique to each recipient and hashed with a secret key, an industry standard that has been widely adopted. Link visits are recorded and links expire immediately after signatures are collected.
Source: HHS.gov