The Use of E-Signatures Under HIPAA Rules

Signature

The following article considers the use, benefits and disadvantages of e-signatures in the healthcare industry, and whether they are compliant with HIPAA rules.

The increasing utilisation of digital signatures in the healthcare industry increased the efficiency of many processes and procedures for both patients and staff alike. However, ambiguity remains over the use of e-signatures under HIPAA rules. Provided that mechanisms are put in place to ensure the legality and security of the contract, document, agreement or authorization, it appears that e-signatures can be as legitimate as traditional signatures for security purposes. HIPAA also requires that there must be no risk to the integrity of PHI.

HIPAA’s Stance on the Use of E-Signatures

The 2003 Security Rule’s first draft included proposals for the use of e-signatures under HIPAA rules. However, such proposals were removed before the legislation was enacted. Subsequent guidance relating to Business Associate Agreements and the exchange of electronic health information has been published on the U.S. 

Department of Health and Human Resources website that states:

“No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.”

A signature is not often required for many healthcare transactions that disclose PHI for treatment or payment. Therefore, many consider the question over the use of e-signatures and their compliance with HIPAA rules redundant. However, specific conditions must be in place for certain circumstances. This includes when a signed authorization is required for a disclosure of PHI not permitted by the HIPAA Privacy Rule, such as for marketing or research purposes.

Use of E-Signatures under HIPAA Rules

The conditions necessary for e-signatures under HIPAA rules also have to take into account the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA).

The conditions that need to be met are:

Legal Compliance. The contract, document, agreement, or authorization should comply with the federal rules for e-signatures. Furthermore, they should also clearly demonstrate the terms, clearly demonstrate the intent of the signatory, and the option should exist for the signatory to receive a printed or emailed copy of the contract. Covered entities (CEs) are also advised to seek legal advice about any state or local laws that might also determine can e-signatures be used under HIPAA rules.

User Authentication. CEs must implement a system to validate the identity of all transacting parties in order to avoid disputes about whether the person who entered into the agreement actually had the authority to do so. Mechanisms such as two-step verification, answering “secret knowledge” questions, implementing specialized e-signature software and phone/voice authorization should be used to resolve this issue.

Message Integrity. A system to prevent digitally tampering with the agreement after it has been signed must be implemented to ensure the integrity of the agreement both in transit and at rest. This is similar to the safeguards of the HIPAA Security Rule and should be treated with the same level of gravity. OCR Inspectors may be looking for e-signature risk assessments and a high level of integrity in all areas when conducting the next round of HIPAA audits.

Non-Repudiation. E-signatures used under HIPAA rules should have a timestamped audit trail indicating dates, times, location and the chain of custody to ensure that the signatory cannot deny having signed the agreement. This will ensure that contracts are legally enforceable and that authorization for the disclosure of PHI cannot later be contested. Providing the signatory with a printed or emailed copy of the document is one step to avoiding repudiation.

Ownership and Control.This rule relates to copies of signed documents residing on the servers of e-signature service providers. In order for a CEs to ensure the integrity of PHI, all of the evidence supporting the e-signature should be on the same document under the ownership and control of the covered entity. All other copies – except those provided for the signatory – should be digitally shredded.

Risk Assessments for use of E-Signatures under HIPAA Rules

The increasing use of e-technology such as e-signatures comes with it both benefits and dangers. As stated above, it potentially creates a more streamline service and easier access to documents by those who need to access them.  However, it also has the  potential to increase medical errors and opportunities for fraud. The level of risk will vary according to the circumstances of the situation. CEs are advised to conduct a risk assessment before deciding can e-signatures be used under HIPAA rules in their particular environment.

It is critically important that the conditions necessary for e-signatures under HIPAA rules are addressed and solved before a CE adopts e-signatures for any critical communications in which a patient’s individually identifiable protected health information is involved.