The ability to sign documents electronically has led to gains in efficiency in many industries, including the healthcare sector. However, there is still doubt over whether e-signatures are acceptable under HIPAA rules. The simple answer is "yes, they are acceptable and can be used", but steps must be taken to validate the security and legal status of the document and to ensure that there is no risk of a protected health information (PHI) data breach.
What HIPAA Says About E-Signatures
E-signatures were part of HIPAA rules in the first iteration of the Security Rule back in 2003 before being taken out ahead of the legislation coming into force. The Department of Health and Human Resources website includes a section on Business Associate Agreements and sharing medical data electronically that was posted online following this date. It says:
“No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.”
In most cases, no signature is needed for healthcare transactions in which PHI is disclosed for the purposes of payment or treatment, so for those transactions the question of whether e-signatures are acceptable under HIPAA is largely moot. Certain other uses not covered by the HIPAA Privacy Rule, such as the use of PHI for research purposes, would require a signed agreement. If that agreement is executed with an e-signature, the additional criteria below must also be met.
The Criteria Needed to Accept E-Signatures Under HIPAA
For an e-signature to be acceptable under HIPAA, it must also be in accordance with the Uniform Electronic Transactions Act (UETA) and the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act). It must meet the following criteria:
Legal Compliance. The document must comply with federal regulations related to e-signatures. There must be an option for the signatory to receive an emailed or printed copy of the document. Certain information must be clearly demonstrated on the document, such as the terms of any agreement and the intent of the signatory. Legal counsel should be sought by covered entities to ensure the acceptability of the e-signature under HIPAA would not be affected by any local or state laws.
User Authentication. Covered entities must put systems in place to verify the identities of all parties to the transaction. Failure to do so could call into question the validity of the document or the signatory's authority to enter into any agreement or contract. A number of options exist to minimize this risk, such as two-step verification, voice authorization systems, specialized software, or verification questions.
Message Integrity. To prevent the document from being tampered with after it has been signed, a system must be established that protects its contents from alteration both in transit and at rest. This mirrors the integrity requirements of the HIPAA Security Rule and should be treated as equally important. OCR inspectors could potentially include risk assessments related to e-signatures in future audits, and a strong level of message integrity will be needed to ensure acceptability.
Non-repudiation. For e-signatures to be acceptable under HIPAA regulations and to defeat claims that signatories did not sign the document, an audit trail should record time stamps, dates, locations, and the chain of custody. This protects the document against disputes over its enforceability and against claims that the PHI disclosure authorization is invalid.
Ownership and Control. Covered entities must be able to ensure PHI is protected. To do so, they must retain, under their own ownership, all evidence supporting the validity of the e-signature together with the signed document itself. Any other copy – other than those belonging to the signatory – should be deleted and destroyed. No copies should exist on the servers of e-signature service providers.
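As an added illustration of the Message Integrity and Non-repudiation criteria above (example code written for this page, not taken from any e-signature product or from HHS guidance), the following Python builds a hash-chained audit trail whose entries record the event, actor, UTC timestamp and location the criteria call for, and commit to the SHA-256 digest of the signed document; the field names, the sample authorization form and the events are constructed assumptions. It makes post-signature alteration of the document, and edits to or removal of audit entries, detectable by the covered entity that holds the trail; it is one building block for integrity and chain-of-custody evidence, not a substitute for a cryptographic signature bound to the signer's verified identity.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_entry_hash of the first audit-trail entry

def _entry_hash(entry: dict) -> str:
    # Hash every field except the stored hash itself, in canonical key order
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(trail: list, event: str, actor: str, when_utc: str, location: str, document: bytes) -> dict:
    """Append one chain-of-custody entry; it commits to the document digest and to the previous entry."""
    entry = {
        "event": event, "actor": actor, "timestamp_utc": when_utc, "location": location,
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "prev_entry_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    trail.append(entry)
    return entry

def audit_trail_intact(trail: list) -> bool:
    """True unless an entry was edited, reordered or removed; each entry is bound to the one before it."""
    expected_prev = GENESIS
    for entry in trail:
        if entry["prev_entry_hash"] != expected_prev or _entry_hash(entry) != entry["entry_hash"]:
            return False
        expected_prev = entry["entry_hash"]
    return True

def document_unaltered(trail: list, document: bytes) -> bool:
    """True if the stored document still matches the digest recorded at the last 'signed' event."""
    signed = [e for e in trail if e["event"] == "signed"]
    return bool(signed) and signed[-1]["document_sha256"] == hashlib.sha256(document).hexdigest()

def demo() -> dict:
    # Constructed sample: a hypothetical research-authorization form and two custody events
    form = b"AUTHORIZATION FOR RELEASE OF PHI FOR RESEARCH\nPatient: J. Doe\nScope: study ABC-123\n"
    trail: list = []
    append_event(trail, "presented", "portal:covered-entity", "2024-03-01T14:02:11Z", "Springfield, IL", form)
    append_event(trail, "signed", "patient:jdoe", "2024-03-01T14:05:47Z", "Springfield, IL", form)
    altered_form = form.replace(b"study ABC-123", b"all future studies")  # edit made after signature
    altered_trail = json.loads(json.dumps(trail))  # deep copy of the trail
    altered_trail[0]["timestamp_utc"] = "2024-02-28T09:00:00Z"  # back-dated audit entry
    return {
        "trail_ok": audit_trail_intact(trail),
        "document_ok": document_unaltered(trail, form),
        "altered_document_detected": not document_unaltered(trail, altered_form),
        "backdated_entry_detected": not audit_trail_intact(altered_trail),
    }
```

Dropping the first entry of a trail also fails verification, because the next entry's prev_entry_hash no longer matches the genesis value.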
Conducting a Risk Assessment to Confirm Whether E-Signatures Can Be Used Under HIPAA Regulations
E-signatures offer many advantages but carry a risk of increased fraud or medical errors. Covered entities should always carry out a risk assessment to determine whether their specific situation allows them to accept e-signatures and whether the benefits of their use outweigh any potential increase in risk.
It is of the utmost importance that all relevant HIPAA requirements relating to the use of e-signatures be dealt with before covered entities engage in any communications where e-signatures are used to authorize matters relating to PHI.