Can E-Signatures Be Used Under HIPAA Rules?
E-signatures can be used under HIPAA Rules provided mechanisms are put in place to ensure the authenticity of the signatory, to ensure the contract, document, agreement, or authorization signed with a digital signature meets legal compliance requirements, and to ensure that any PHI contained within the document is protected from unauthorized access and disclosure.
The use of digital and electronic signatures in the healthcare industry helps improve the efficiency of many processes, yet questions exist about whether e-signatures can be used under HIPAA Rules. The questions primarily exist because, in the original text of HIPAA (§1173), the Secretary of Health and Human Services (HHS) is instructed to:
“Adopt standards specifying procedures for the electronic transmission and authentication of signatures with respect to the transactions referred to in subsection (a)(1).” [subsection (a)(1) relates to the financial and administrative transactions in Part 162 of the HIPAA Administrative Simplification Regulations].
A proposed standard for the use of HIPAA-compliant digital signatures – rather than e-signatures – was included in the first draft of the HIPAA Security Rule. The reason digital signature software was chosen in preference to electronic signature software was that, at the time, only digital signature software could meet the requirement for non-repudiation in open network environments.
However, the standard was removed from the 2003 HIPAA Security Rule Final Rule due to “a lack of technical maturity and stakeholders’ lack of readiness to implement electronic capture of clinical data”. Concerns were also raised that the available technology lacked the features to implement the proposed message integrity, nonrepudiation, and user authentication provisions securely.
How E-Signatures Are Used in the Healthcare Industry
Following the removal of the proposed HIPAA electronic signature standard, HHS published guidance relating to using an electronic Business Associate Agreement signed with an e-signature. The guidance stated, “Assuming the electronic contract satisfies the requirements of State contract law, the HIPAA Privacy Rule generally allows for electronic documents, including Business Associate Contracts, to qualify as written documents for purposes of meeting the Rule’s requirements”.
The green light from the HHS to use electronic signature software for healthcare activities prompted its use in many more activities usually governed by HIPAA, including (but not limited to):
- Acknowledgment of the receipt of a HIPAA Notice of Privacy Practices.
- Patient consent when an opportunity to agree or object exists.
- Verification of identity prior to a telehealth consultation.
- Remote pre-operative consent for possible procedural risks.
- Authorizations for otherwise impermissible uses and disclosures of PHI.
- Remote authorizations by personal representatives and medical POAs.
- The revocation of consent or authorization by a patient or third party.
- Acknowledgment of HIPAA training and receipt of the sanctions policy.
- e-Prescribing (subject to 21 CFR Part 1306 and 21 CFR Part 1311).
- Health plan authorizations and healthcare provider billing.
With regard to the last use listed above, the Centers for Medicare and Medicaid Services (CMS) published a Proposed Rule in 2022 advocating a HIPAA e-signature standard to accelerate the processing of healthcare attachment transactions. Healthcare attachment transactions are Part 162 transactions:
- In which a provider needs to submit additional information to a health plan to support a request for prior authorization, or
- In which a provider has submitted a claim for a service and the health plan decides more information is required to make a payment determination, or
- In which a provider submits a claims attachment along with their initial submission of a healthcare claim transaction for a service they have rendered.
Usually, healthcare attachment transactions are conducted by mail or fax, but the CMS is advocating the creation of three new transaction codes in order that the transactions can be conducted electronically – accelerating authorizations, saving providers and health plans time and money, and reducing queries. However, due to the risk of theft and fraud, the attachments will have to be electronically signed to ensure message integrity, non-repudiation, and user authentication.
How the Proposed Rule May Impact HIPAA E-Signature Requirements
The Proposed Rule does not mandate the use of an electronic signature in healthcare attachment transactions, as providers and health plans can continue to send attachments by mail or fax (or any other secure channel of communication). However, if an attachment transaction is conducted electronically using one of the three new transaction codes, the attachment must be digitally signed using protocols developed under HL7 IG for CDA® R2 (Digital Signatures and Delegation of Rights 1).
The proposed HIPAA electronic signature standard will impact very few HIPAA covered entities and business associates at present. However, both the CMS and Office for Civil Rights have issued further Proposed Rules that could ultimately extend the HIPAA electronic signature standards to other healthcare activities governed by the HIPAA Privacy and Security Rules – particularly with regard to verifying the identity of patients, personal representatives, and medical POAs.
The latest CMS Proposed Rule would increase the requirements of the CMS Interoperability and Patient Access Final Rule of 2020 by extending patients’ rights to access PHI via an app of their choice to overcome disparities in patient access to health data. However, the CMS has acknowledged that allowing patients to access PHI via an app of their choice raises security challenges because of a lack of user authentication and verification capabilities in some healthcare apps.
The CMS’ proposals – and concerns – align closely with the “Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement” published by the Office for Civil Rights in 2021. The proposed modifications also acknowledge the security challenges of allowing patients and plan members to connect to a portal via an unsecured API – noting that any denial of access due to security concerns would be a violation of the HIPAA Privacy Rule.
A solution to the user authentication and verification challenges would be a HIPAA-compliant electronic signature standard for healthcare activities governed by the HIPAA Privacy and Security Rules. Many covered entities already use electronic signature software for healthcare to comply with the DEA’s e-signature standards for electronic prescribing of controlled substances, and it would not take a significant effort to upgrade existing DEA-compliant software to support HIPAA-compliant online signatures.
Patients and plan members wishing to access PHI remotely – or provide/revoke consent or authorization remotely – would also need to have digital signature software installed on their devices to connect with providers’ portals. However, the software would only need to have user authentication and verification capabilities, and any free digital signature software would suffice. Because of the ease of implementation, it would be no surprise to see the CMS and OCR extend the HIPAA e-signature requirements to other healthcare activities.
Note: As of January 2026, there has been no movement on the proposed HIPAA e-signature standard.
The Conditions Necessary for E-Signatures under HIPAA Rules
The conditions necessary for e-signatures under HIPAA Rules have to take into account the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA). Several states also have additional regulations relating to e-signatures, and it is important to be aware that a patient’s e-signature is considered Protected Health Information under HIPAA when stored with other individually identifiable health information.
The conditions to consider are:
Legal Compliance. Not only should the contract, document, agreement, or authorization comply with the federal rules for e-signatures, but it should also clearly state the terms, clearly demonstrate the intent of the signatory, and give the signatory the option to receive a printed or emailed copy of the contract. Covered entities are also advised to seek legal advice about any state or local laws that might also determine whether e-signatures can be used under the HIPAA Rules.
User Authentication. Covered entities must implement a system to validate the identity of all transacting parties in order to avoid disputes about whether the person who entered into the agreement actually had the authority to do so. Mechanisms such as two-step verification, answering “secret knowledge” questions, implementing specialized e-signature software, and phone/voice authorization can resolve this issue.
Message Integrity. A system to prevent digital tampering with the agreement after it has been signed must be implemented to ensure the integrity of the agreement both in transit and at rest. This condition is very similar to the safeguards of the HIPAA Security Rule and should be treated with the same level of gravity. OCR inspectors may be looking for e-signature risk assessments and a high level of integrity in all areas when conducting the next round of HIPAA audits.
Non-Repudiation. In order to ensure that the signatory cannot deny having signed the agreement, e-signatures used under HIPAA Rules should have a timestamped audit trail indicating dates, times, locations, and the chain of custody. This will ensure contracts are legally enforceable and authorizations for the disclosure of PHI cannot later be contested. Providing the signatory with a printed or emailed copy of the document is one step to avoiding repudiation.
Ownership or Control. The final condition for e-signatures to be used under HIPAA Rules relates to copies of signed documents residing on the servers of e-signature service providers. In order for a covered entity to ensure the integrity of PHI, all of the evidence supporting the e-signature should be under the ownership or control of the covered entity – by way of a Business Associate Agreement if document storage or Part 162 transactions are outsourced to a business associate service provider.
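As an added illustration (not code from this article, and not an implementation of the HL7 IG for CDA® R2 protocol), the Go program below shows the User Authentication, Message Integrity, and Non-Repudiation conditions in working form: an ed25519 signature binds the signer’s id, timestamp, and origin to a hash of the authorization text, so any later alteration of the document or of the audit fields fails verification. The signer ids, addresses, and document text are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// SignedRecord is a constructed illustration of the evidence an e-signature
// system should retain: who signed, when, from where, and a digital signature
// binding that audit trail to the exact document bytes (message integrity).
type SignedRecord struct {
	DocSHA256 string `json:"doc_sha256"` // hash of the authorization text
	SignerID  string `json:"signer_id"`  // authenticated user, e.g. a patient account id
	SignedAt  string `json:"signed_at"`  // RFC 3339 timestamp for the audit trail
	Location  string `json:"location"`   // origin recorded by the service, e.g. client IP
	Signature []byte `json:"signature"`  // ed25519 signature over the fields above
}

// payload returns the canonical bytes that get signed: every field except the signature.
func (r SignedRecord) payload() []byte {
	c := r
	c.Signature = nil
	b, _ := json.Marshal(c) // field order is fixed by the struct, so this is deterministic
	return b
}

// Sign builds the audit record for doc and signs it with the signer's private key.
func Sign(doc []byte, signerID, location string, signedAt time.Time, priv ed25519.PrivateKey) SignedRecord {
	sum := sha256.Sum256(doc)
	r := SignedRecord{DocSHA256: hex.EncodeToString(sum[:]), SignerID: signerID,
		SignedAt: signedAt.UTC().Format(time.RFC3339), Location: location}
	r.Signature = ed25519.Sign(priv, r.payload())
	return r
}

// Verify checks both properties a reviewer needs: the stored document still hashes to
// the value that was signed (integrity), and the signature was produced with the
// signer's key (authentication), which is what stops the signer denying it later.
func Verify(doc []byte, r SignedRecord, pub ed25519.PublicKey) bool {
	sum := sha256.Sum256(doc)
	if hex.EncodeToString(sum[:]) != r.DocSHA256 {
		return false // document altered after signing
	}
	return ed25519.Verify(pub, r.payload(), r.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("I authorize Example Clinic to disclose my records to Example Health Plan.") // constructed
	rec := Sign(doc, "patient-12345", "203.0.113.7", time.Now(), priv)
	fmt.Println("original verifies:", Verify(doc, rec, pub))
	altered := []byte("I authorize Example Clinic to disclose my records to anyone who asks.")
	fmt.Println("altered document verifies:", Verify(altered, rec, pub))
}
```

In a real deployment the private key would be held in the signer’s authenticated session or device and the records kept under the covered entity’s control, as the Ownership or Control condition requires.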
Conduct a Risk Assessment to Establish Whether E-Signatures Can Be Used Under HIPAA Rules
The use of e-signature software for healthcare has advantages, but it also has the potential to increase opportunities for unauthorized access to, and disclosures of, Protected Health Information if the healthcare e-signature software is not configured or used correctly. The level of risk varies according to the nature of the activity for which e-signatures are used, and it is advisable for covered entities to conduct a risk assessment before deciding whether e-signatures can be used under HIPAA Rules.
Regardless of whether HHS expands the HIPAA e-signature standard to operations governed by the HIPAA Privacy and Security Rules, it is important the conditions necessary for e-signatures under HIPAA Rules are met before a covered entity or business associate uses electronic signatures in healthcare to sign contracts, documents, agreements, or authorizations – especially those in which a patient’s individually identifiable protected health information is used or disclosed.
It is also important to ensure any existing or new digital signature software complies with – or can be updated to – the HL7 IG for CDA® R2 protocol, that a Business Associate Agreement is in place with the software vendor before the software is used for activities that involve PHI, and that any e-signed contracts, documents, agreements, or authorizations are stored in compliance with the HIPAA documentation retention requirements. If you are in any doubt about whether e-signatures can be used under HIPAA Rules, it is recommended you seek professional compliance advice.
Can e-Signatures be Used Under HIPAA Rules? FAQs
What are the HIPAA e-signature requirements?
The HIPAA e-signature requirements – at present – are that e-signatures can be used to sign contracts, documents, agreements, or authorizations provided the content of the contracts (etc.) complies with federal and State laws (e.g., UETA, the ESIGN Act, or State equivalent) and that any PHI in the contracts (etc.) is protected against unauthorized access and impermissible disclosures. Additionally, if using third party software to sign documents containing PHI, a Business Associate Agreement must be in place with the software vendor.
If the CMS Proposed Rule (CMS-0053-P) is finalized in its current format, it will be necessary to use e-signature software that complies with the HL7 IG for CDA® R2 protocol to electronically sign healthcare attachment transactions – if e-signatures are used in these transactions. It is not known yet whether, in the future, these HIPAA e-signature requirements will be extended to other electronic transactions as originally intended in the text of HIPAA.
Does HIPAA allow electronic signatures?
HIPAA allows electronic signatures provided the document being signed electronically complies with federal and State contract laws and provided any Protected Health Information (PHI) in the document is protected from unauthorized access and impermissible disclosures. Additionally, if PHI is transmitted in an electronically signed document, it will be necessary to sign a Business Associate Agreement with the software vendor.
What does HIPAA say about electronic signatures in healthcare?
Originally, what HIPAA said about electronic signatures in healthcare is that they should be used in all electronic transactions for which standards have been published in Part 162 of the Administrative Simplification Regulations. However, as the technology available at the time was not sufficiently mature to meet the requirements of user authentication, message integrity, and nonrepudiation, it is only recently that electronic signatures in healthcare have re-entered the conversation.
What is nonrepudiation in the HIPAA digital signature requirements?
Nonrepudiation in the HIPAA digital signature requirements prevents signatories denying that they signed a transaction or claiming that the transaction has changed in content since it was signed. Nonrepudiation can also be used to provide assurance to the sender that a transaction has been delivered and proof to the recipient of the sender’s identity. This way, neither the sender nor the recipient can deny the transaction was sent, received, or processed.
Are all electronic signatures HIPAA compliant?
At this time, all electronic signatures are HIPAA compliant because the Department of Health and Human Services has not developed standards for HIPAA compliant electronic signatures. However, covered entities should only use electronic signatures to sign documents containing PHI when a Business Associate Agreement has been signed with the vendor of the e-signature software. Safeguards should also be in place to protect the confidentiality, integrity, and availability of PHI in e-signed documents.
Does HHS recommend any specific HIPAA compliant electronic signature software?
HHS does not recommend any specific HIPAA compliant signature software because HIPAA is technology neutral. However, if covered entities and business associates intend to take advantage of the new transaction codes for healthcare attachment transactions and intend to sign the transactions electronically, it will be necessary to implement electronic signature software that complies with the HL7 IG for CDA® R2 protocol and sign a Business Associate Agreement with the software vendor.
When will the new HIPAA electronic signature standards take effect?
It is not known when the new HIPAA electronic signature standards will take effect because the Centers for Medicare and Medicaid Services will likely receive multiple comments in response to the publication of the proposed rule. Typically, a proposed rule can take anything from three months to three years to be finalized. However, this proposed rule is limited in scope and may be at the shorter end of that scale.
What is the difference between an e-signature and a digital signature?
The difference between an e-signature and a digital signature is that an e-signature shows a party has agreed to the terms of an agreement or contract, whereas a digital signature verifies the authenticity of the signatory and the integrity of the document. Effectively, digital signatures are a more secure sub-set of electronic signatures.
Does the HIPAA Security Rule require the use of an electronic or digital signature?
The HIPAA Security Rule does not require the use of an electronic or digital signature. However, the option exists to implement either as a security measure provided the documents on which they are used comply with State and federal contract law, and provided any PHI within the documents is protected from impermissible disclosure and unauthorized access.
What are the e-signature requirements for patients who want to sign paperwork electronically?
The e-signature requirements for patients who want to sign paperwork electronically should be decided by each covered entity. Factors to take into account include the entity’s ability to send and receive paperwork via secure means of communication, the capabilities of existing systems to verify identities, and the procedures that need to be put in place to respond to digitally signed access requests, consent forms, and authorizations (or revocations thereof).