The HIPAA electronic signature rule is – at present – a proposed rule published by the Department for Health and Human Services in December 2022. If adopted, the HIPAA electronic signature rule would apply to a limited number of covered transactions. However, it could subsequently be extended to apply to other types of covered transactions and, ultimately, to healthcare activities governed by the HIPAA Privacy and Security Rules.
When the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, the Secretary for Health and Human Services (HHS) was tasked with adopting standards for electronic transmissions and authentication of signatures for covered transactions – covered transactions being the transactions in Part 162 of the HIPAA Administrative Simplification Regulations relating to eligibility checks, authorizations, billing, etc.
Consequently, when the first draft of the Security Rule was released in 1998, not only did it include proposed security standards for electronic transmissions, but it also included a proposed HIPAA electronic signature rule. The proposed HIPAA electronic signature did not mandate the use of an electronic signature for covered transactions; but stated, if an electronic signature was used, it had to meet the standards for authenticity, message integrity, and nonrepudiation.
The proposed HIPAA electronic signature rule was subsequently dropped from the Security Rule as it was considered existing e-signature technology – at the time – lacked the maturity to meet the required standards. The only effective alternative – digital signature software – was also dropped from the Security Rule due to the initial and recurring costs to users and a perceived “stakeholders’ lack of readiness” to adopt the technology.
How Electronic Signatures are Used in Healthcare
Although there was no official HIPAA electronic signature rule, guidance published by HHS’ Office for Civil Rights in 2002 led to the increased adoption of electronic signatures in healthcare. The guidance stated it was permissible to use electronic signatures, provided uses complied with the Electronic Signatures in Global and National Commerce Act (ESIGN Act) or Uniform Electronic Transactions Act (UETA), and state digital signature regulations where a state has introduced its own legislation.
Although the guidance was provided in answer to a question relating to Business Associate Agreements, the use of electronic signatures expanded to health plan authorizations, healthcare provider billing, and other transactions for which standards exist in Part 162, remote authorizations for uses and disclosures of PHI not permitted by the Privacy Rule, and the verification of identities when a third party is a personal representative or has medical Power of Attorney over a patient.
When used for remote authorizations and verifying identities, Covered Entities must also comply with the Privacy and Security Rules with regards to the privacy of Protected Health Information (PHI) and the confidentiality, integrity, and availability of electronic PHI. Additionally, documents signed electronically that relate to a covered activity (i.e., Business Associate Agreements) have to be retained for six years in order to comply with the HIPAA documentation retention requirements.
The Proposed HIPAA Electronic Signature Rule
The proposed HIPAA electronic signature rule was published by the Centers for Medicare and Medicaid Services (CMS) in December 2022. The proposed rule has the objective of addressing an issue with healthcare attachment transactions inasmuch as when a provider needs to provide additional information to support an authorization request or claim for payment, the additional information cannot be attached to an existing transaction and has to be faxed or mailed.
CMS plans to address the issue by assigning three additional transaction codes to the existing code library. However, to ensure the attachments are genuine, they will have to be digitally signed by the originator using the HL7 IG for CDA® R2 protocol to meet user authentication, message integrity, and nonrepudiation requirements. (Covered Entities should note this protocol may be changed as the FIPS 186-4 standard on which the protocol is based was superseded by FIPS 186-5 in Feb 2023).
As with the 1998 proposed HIPAA electronic signature rule, the use of electronic signatures with the new transaction codes is not mandatory, and providers can continue to send healthcare attachments by fax or mail. However, when an electronic signature is used in a transaction for which CMS has published standards, the software used to authenticate documents must comply with the standards in the final HIPAA electronic signature rule (or subsequent revisions).
Will the Rule be Extended to Other Uses in Healthcare?
When the HIPAA electronic signature rule was originally proposed in 1998, the intention was to apply the rule to all Part 162 transactions. Although this is not implied in the currently proposed rule, it is possible to see how electronically signed documents could reduce fraud and accelerate transaction processing. Furthermore, the adoption of a HIPAA electronic signature rule for activities governed by the Privacy and Security Rules could resolve issues to changes HHS is attempting to implement.
The issues relating to the Privacy and Security Rules exist because of a Final Rule published by CMS in 2020 giving patients increased access to PHI maintained on providers’ and payers’ databases. This Rule – and two subsequent proposed rules – raised concerns about user authentication and identity verification when patients are allowed to sign into PHI databases from devices without adequate security mechanisms to ensure the confidentiality, integrity, and availability of electronic PHI.
Providers and payers cannot refuse patient access to PHI because this would be a violation of the Privacy Rule. However, by implementing a version of the HIPAA electronic signature rule which requires patients to authenticate and verify their identities via electronic signature software, it should mitigate most other security concerns. Covered Entities should bear this possibility in mind when implementing technologies to comply with future HIPAA electronic signature requirements.