Share this article on:
The use of digital signatures in the healthcare industry has helped to improve the efficiency of many processes, yet the question still remains can e-signatures be used under HIPAA rules. Effectively the answer is “yes”, provided that mechanisms are put in place to ensure the legality and security of the contract, document, agreement or authorization, and there is no risk to the integrity of PHI.
What Does HIPAA Say About E-Signatures?
Proposals for the use of e-signatures under HIPAA rules were included in the first draft of the 2003 Security Rule, but then removed before the legislation was enacted. Subsequent guidance relating to Business Associate Agreements and the exchange of electronic health information has been published on the U.S: Department of Health and Human Resources website that states:
“No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.”
Generally, a signature is not required for many healthcare transactions that disclose PHI for treatment or payment – making the question of can e-signatures be used under HIPAA rules redundant. However, when a signed authorization is required for a disclosure of PHI not permitted by the HIPAA Privacy Rule – for example for marketing or research purposes – specific conditions must be in place.
The Conditions Necessary for E-Signatures under HIPAA Rules
The conditions necessary for e-signatures under HIPAA rules also have to take into account the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA). The conditions are:
Legal Compliance. Not only should the contract, document, agreement, or authorization comply with the federal rules for e-signatures, they should also clearly demonstrate the terms, clearly demonstrate the intent of the signatory, and the option should exist for the signatory to receive a printed or emailed copy of the contract. Covered entities are also advised to seek legal advice about any state or local laws that might also determine can e-signatures be used under HIPAA rules.
User Authentication. Covered entities must implement a system to validate the identity of all transacting parties in order to avoid disputes about whether the person who entered into the agreement actually had the authority to do so. Mechanisms such as two-step verification, answering “secret knowledge” questions, implementing specialized e-signature software and phone/voice authorization can resolve this issue.
Message Integrity. A system to prevent digitally tampering with the agreement after it has been signed must be implemented to ensure the integrity of the agreement both in transit and at rest. This condition is very similar to the safeguards of the HIPAA Security Rule and should be treated with the same level of gravity. OCR Inspectors may be looking for e-signature risk assessments and a high level of integrity in all areas when conducting the next round of HIPAA audits.
Non-Repudiation. In order to ensure that the signatory cannot deny having signed the agreement, e-signatures used under HIPAA rules should have a timestamped audit trail indicating dates, times, location and the chain of custody. This will ensure that contracts are legally enforceable and that authorization for the disclosure of PHI cannot later be contested. Providing the signatory with a printed or emailed copy of the document is one step to avoiding repudiation.
Ownership and Control. The final condition for e-signatures to be used under HIPAA rules relates to copies of signed documents residing on the servers of e-signature service providers. In order for a covered entity to ensure the integrity of PHI, all of the evidence supporting the e-signature should be on the same document under the ownership and control of the covered entity. All other copies – except those provided for the signatory – should be digitally shredded.
Conduct a Risk Assessment to Establish Can E-Signatures be used under HIPAA Rules
The use of e-signature technology has its advantages, but it also has the potential to increase medical errors and opportunities for fraud. The level of risk will vary according to the nature of the transaction, and it is advisable for covered entities to conduct a risk assessment before deciding can e-signatures be used under HIPAA rules in their particular environment.
It is critically important that the conditions necessary for e-signatures under HIPAA rules are addressed and solved before a covered entity adopts e-signatures for any critical communications in which a patient’s individually identifiable protected health information is involved.