HIPAA Rules & E-Signatures

The implementation of digital signatures in the healthcare sector has helped to improve the efficiency of many processes, yet the question remains whether e-signatures can be used under HIPAA rules. Effectively the answer is “yes”, provided that processes are put in place to ensure the legality and security of the contract, document, agreement or authorization, and there is no danger to the integrity of PHI.

Proposals for the implementation of e-signatures under HIPAA rules were included in the first draft of the 2003 Security Rule, but were removed before the legislation was passed. Later guidance relating to Business Associate Agreements and the exchange of electronic health information has been released on the U.S. Department of Health and Human Resources website, which states: “No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.”

Typically, a signature is not needed for the many healthcare transactions that share PHI for treatment or payment – making the question of whether e-signatures can be implemented under HIPAA rules moot. However, when a completed authorization is needed for a disclosure of PHI not allowed by the HIPAA Privacy Rule – for example for marketing or research purposes – specific conditions must be met.

The Conditions Required for E-Signatures under HIPAA Rules

The conditions required for e-signatures under HIPAA rules also have to take into account the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA). The conditions are:

Legal Compliance. Not only should the contract, document, agreement, or authorization adhere to the federal rules for e-signatures, it should also clearly show the terms, clearly demonstrate the intent of the signatory, and give the signatory the option to receive a printed or emailed copy of the contract. Covered entities are also advised to seek legal advice about any state or local laws that might also determine whether e-signatures can be implemented under HIPAA rules.

User Authentication. Covered entities must put in place a system to validate the identity of all transacting parties in order to avoid disputes about whether the person who completed the agreement actually had the authority to do so. Mechanisms such as two-step verification, answering “secret knowledge” questions, implementing specialized e-signature software, and phone/voice authorization can address this problem.

Message Integrity. A system to prevent digital tampering with the agreement after it has been completed must be implemented to ensure the integrity of the agreement both in transit and at rest. This condition is very similar to the security measures of the HIPAA Security Rule and should be managed with the same level of gravity. OCR inspectors may be looking for e-signature risk assessments and a high level of integrity in all areas when completing the next round of HIPAA audits.

Non-Repudiation. In order to ensure that the signatory cannot deny having completed the agreement, e-signatures used under HIPAA rules should have a timestamped audit trail showing dates, times, location and the chain of custody. This ensures that contracts are legally enforceable and that authorization for the sharing of PHI cannot later be contested. Providing the signatory with a printed or emailed copy of the document is one further step towards preventing repudiation.

Ownership and Control. The final condition for e-signatures to be implemented under HIPAA rules relates to copies of signed documents residing on the servers of e-signature service providers. In order for a covered entity to ensure the integrity of PHI, all of the evidence supporting the e-signature should be kept with the same document, under the ownership and control of the covered entity. All other copies – except those used by the signatory – should be digitally shredded.
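As an added illustration of the Message Integrity and Non-Repudiation conditions above (example code written for this page, not part of the original article or of any e-signature product): the signatory's Ed25519 signature binds them to a hash of the authorization form, and each signing event is written to a timestamped, hash-chained audit entry, so that a later edit to the form, or to any entry in the trail, is detected at verification. The form fields, the "signed" event name and the location strings are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"time"
)

// Authorization is a constructed stand-in for a disclosure authorization form (PatientRef is a placeholder).
type Authorization struct {
	DocumentID, PatientRef, Purpose, Terms string
}

// AuditEntry is one link of the timestamped, hash-chained audit trail (the chain of custody).
type AuditEntry struct {
	Event, At, Location string // event name, RFC 3339 UTC time, where the signature was made
	DocHash, Sig        string // SHA-256 of the canonical form; Ed25519 signature over that hash
	PrevHash, Hash      string // hash of the previous entry; hash of this entry (computed with Hash blank)
}

// docHash canonicalises the form (fixed field order) so identical content always hashes alike.
func docHash(a Authorization) []byte { b, _ := json.Marshal(a); h := sha256.Sum256(b); return h[:] }
// entryHash covers every field except Hash itself, so editing any field breaks the chain.
func entryHash(e AuditEntry) string { e.Hash = ""; b, _ := json.Marshal(e); h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }
// Sign records the signatory's signature over the form and appends a chained audit entry.
func Sign(a Authorization, priv ed25519.PrivateKey, loc string, trail []AuditEntry) []AuditEntry {
	dh, prev := docHash(a), ""
	if n := len(trail); n > 0 { prev = trail[n-1].Hash }
	e := AuditEntry{Event: "signed", At: time.Now().UTC().Format(time.RFC3339), Location: loc, PrevHash: prev,
		DocHash: hex.EncodeToString(dh), Sig: hex.EncodeToString(ed25519.Sign(priv, dh))}
	e.Hash = entryHash(e)
	return append(trail, e)
}

// Verify fails if the form no longer matches what was signed (integrity), if the latest signature
// is not the signatory's (non-repudiation), or if any audit entry was edited, removed or reordered.
func Verify(a Authorization, pub ed25519.PublicKey, trail []AuditEntry) bool {
	prev := ""
	for _, e := range trail {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	if prev == "" { return false } // an empty trail means nothing was ever signed
	last, dh := trail[len(trail)-1], docHash(a)
	sig, _ := hex.DecodeString(last.Sig)
	return last.DocHash == hex.EncodeToString(dh) && ed25519.Verify(pub, dh, sig)
}
```

The signatory's private key never leaves the signatory, which is what makes the signature something they cannot later disown; the covered entity only needs the public key and the trail to prove it.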

Complete a Risk Assessment to Establish Whether E-Signatures Can Be Implemented under HIPAA Rules

The use of e-signature technology has its benefits, but it also has the potential to increase medical mistakes and opportunities for fraud. The level of risk will vary according to the nature of the transaction, and it is advisable for covered entities to complete a risk assessment before deciding whether e-signatures can be used under HIPAA rules in their particular environment.

It is vitally important that the conditions necessary for e-signatures under HIPAA rules are addressed before a covered entity adopts e-signatures for any critical communications in which a patient’s individually identifiable PHI is involved.