HIPAA Rules & E-Signatures

There are currently no HIPAA Rules for e-signatures. However, this may soon change due to a proposed rule published last year by the Centers for Medicare and Medicaid Services proposing a standard for e-signatures for specific types of transactions.

When Congress passed HIPAA in 1996, one of the instructions to the Secretary for Health and Human Services (HHS) was to “adopt standards specifying procedures for the electronic transmission and authentication of signatures”. This instruction led to the publication in 1998 of a proposed rule for “Security and Electronic Signature Standards” (PDF).

While most of the proposed security standards ultimately survived to become known as the HIPAA Security Rule, the HIPAA rules for e-signatures were abandoned due to e-signature software not having the capabilities (at the time) to ensure authenticity, message integrity, and nonrepudiation in open network environments.

Nonetheless, following the publication of guidance about the use of e-signatures in healthcare, Covered Entities adopted the technology to streamline processes, increase efficiency, and strengthen HIPAA compliance with the provisions of the Security Rule. The uses of e-signatures in healthcare became more varied to include:

• The verification of Part 162 transactions
• Subcontractor and Business Associate Agreements
• Notice of Privacy Practices acknowledgements
• E-prescriptions (subject to DEA rules for e-signatures)
• Verifying patients prior to telehealth consultations
• Obtaining a patient’s consent or authorization remotely
• Acknowledging risks prior to a medical procedure
• Creating an EHR audit trail and event log
• Employee acknowledgement of HIPAA training

When these activities included the creation, use, storage, or transmission of PHI, it could be argued that some HIPAA rules for e-signatures applied inasmuch as any PHI created, used, stored, or transmitted had to be protected from unauthorized access and impermissible disclosures. Nonetheless, for more than twenty years, there were no specific HIPAA rules for e-signatures.

CMS’ Proposed HIPAA Rules for E-Signatures

In December 2022, the Centers for Medicare and Medicare Services (CMS) published a Proposed Rule suggesting three new transaction codes were added to the existing Part 162 transaction list to account for healthcare attachment transactions. Healthcare attachment transactions are transactions in which:

• A provider submits additional information to a health plan to support a request for prior authorization, or
• A provider has submitted a claim and the health plan requires additional information to make a payment determination, or
• A provider submits an attachment to provide additional information for a healthcare claim to make a payment determination.

Because healthcare attachments cannot be submitted with the same code as the original transaction, the creation of the new transaction codes will enable the attachments to be submitted electronically – accelerating authorizations, treatments, and payments. However, the attachments will have to be e-signed to ensure authentication, message integrity, and nonrepudiation.

This is where the HIPAA rules for e-signatures come in because, rather than being able to use any e-signature software, Covered Entities wishing to take advantage of the new transaction codes will have to e-sign healthcare attachment transactions using software that complies with the HL7 IG for CDA® R2 protocol (or higher once FIPS 186-4 is retired later this year).

The proposed rule will not mandate that healthcare attachment transactions have to be conducted electronically, so Covered Entities will still have the option of conducting them by other channels of communication. However, the issues of delayed authorizations, treatment, and payment will still persist – plus there is a risk to the integrity of the transaction is sent via unencrypted email.

The Implications of the Proposed Rule

While this may seem like HIPAA rules for e-signatures are being introduced for a very limited use, the rules could be extended to other Part 162 transactions (as originally intended in HIPAA) or to other healthcare activities in which the identity of the individual and integrity of the message have to be guaranteed to comply with the HIPAA Privacy and Security Rules.

Additionally, the 2020 Interoperability and Patient Access Final Rule and the subsequent Advancing Interoperability Proposed Rule could allow patients to request access to PHI via an app of their choice. If the Advancing Interoperability Rule is finalized, HHS may develop new HIPAA rules for e-signatures so that Covered Entities can protect themselves from patients connecting to a PHI database via an unsecure app lacking basic user authentication and encryption capabilities, or an app capable of reverse engineering.

At the present time, all of this is conjecture and – if it happens – may be some years away from happening. Nonetheless, Covered Entities need to be aware of these possibilities if adopting e-signature software for any healthcare use that may later be subject to HIPAA rules for e-signatures.