The use of electronic or “e-signatures” is becoming widespread as more and more people have access to portable electronic devices. As with any new development in technology, there was some concern over the compatibility of these e-signatures and existing HIPAA Rules as their use by professionals in the healthcare industry became common. After careful consideration by experts, their use was finally deemed HIPAA-compliant, provided the users put mechanisms in place to ensure the legality and security of the contract, document, agreement or authorization such that there is no risk to the integrity of private health information (PHI).
HIPAA and E-Signatures
The 2003 Security Rule was originally supposed to contain guidance about the use of e-signatures in the healthcare industry, but all mention of e-signatures were removed shortly before the legislation was enacted. Subsequent guidance relating to Business Associate Agreements and the exchange of electronic health information has been published on the U.S: Department of Health and Human Resources website that states:
“No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.”
There are many circumstances in which the use of an e-signature is not required, such as for transactions that disclose PHI for treatment or payment. However, when a signed authorization is required for a disclosure of PHI not permitted by the HIPAA Privacy Rule specific conditions must be in place. On example of such a scenario is when PHI is disclosed to a third party for marketing or research reasons.
E-Signatures Requirements under HIPAA Rules
The conditions necessary for e-signatures under HIPAA rules must also adhere to the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA). The conditions are:
Legal Compliance: Not only should the contract, document, agreement, or authorization comply with the federal rules for e-signatures, they should also clearly demonstrate the terms, clearly demonstrate the intent of the signatory, and the option should exist for the signatory to receive a printed or emailed copy of the contract. Covered entities are also advised to seek legal advice about any state or local laws that might also determine can e-signatures be used under HIPAA rules.
User Authentication: Covered entities must implement a system to validate the identity of all transacting parties to avoid disputes about whether the person who entered into the agreement had the authority to do so. Mechanisms such as two-step verification, answering “secret knowledge” questions, implementing specialized e-signature software and phone/voice authorization can resolve this issue.
Message Integrity: The CE must implement a system to prevent digitally tampering with the agreement after it has been signed to ensure the integrity of the agreement both in transit and at rest. This condition is very like the safeguards of the HIPAA Security Rule and should be treated with the same level of gravity. OCR Inspectors may be looking for e-signature risk assessments and a high level of integrity in all areas when conducting the next round of HIPAA audits.
Non-Repudiation: To ensure that the signatory cannot deny having signed the agreement, e-signatures used under HIPAA rules should have a timestamped audit trail indicating dates, times, location and the chain of custody. This will ensure that contracts are legally enforceable and that authorization for the disclosure of PHI cannot later be contested. Providing the signatory with a printed or emailed copy of the document is one step to avoiding repudiation.
Ownership and Control: The final condition for e-signatures to be used under HIPAA rules relates to copies of signed documents residing on the servers of e-signature service providers. For a covered entity to ensure the integrity of PHI, all the evidence supporting the e-signature should be on the same document under the ownership and control of the covered entity. All other copies – except those provided for the signatory – should be digitally shredded.
Risk Assessments and E-Signatures
When considering the use of e-signatures, CEs must balance the potential increases in efficiency and the novel opportunities for medical errors and for fraud. The level of risk will vary according to the nature of the transaction. It is strongly recommended that CE’s check that the conditions necessary for e-signatures to be used under HIPAA rules are addressed before they attempt to use e-signatures for any critical communications in which a patient’s individually identifiable protected health information is involved.