The use of electronic or “e-signatures” has seen an increase in recent years in many sectors, including the healthcare industry. However, for some time there was concern over whether the use of such signatures was HIPAA-compliant. After much debate, it is widely deemed that they are not a violation of HIPAA, provided the users put mechanisms in place to ensure the legality and security of the contract, document, agreement or authorization such that there is no risk to the integrity of private health information (PHI).
HIPAA and E-Signatures
Although proposals were made to include rules about the use of e-signatures were initially scheduled to be included in the 2003 Security Rule, it was removed shortly before the legislation was enacted. Subsequent guidance relating to Business Associate Agreements and the exchange of electronic health information has been published on the U.S: Department of Health and Human Resources website that states:
“No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.”
There are many circumstances in which the use of an e-signature is not required, such as for transactions that disclose PHI for treatment or payment. However, when a signed authorization is required for a disclosure of PHI not permitted by the HIPAA Privacy Rule specific conditions must be in place. On example of such a scenario is when PHI is disclosed to a third party for marketing or research reasons.
E-Signatures Requirements under HIPAA Rules
The conditions necessary for e-signatures under HIPAA rules must also adhere to the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA). The conditions are:
Legal Compliance. Not only should the contract, document, agreement, or authorization comply with the federal rules for e-signatures, they should also clearly demonstrate the terms, clearly demonstrate the intent of the signatory, and the option should exist for the signatory to receive a printed or emailed copy of the contract. Covered entities are also advised to seek legal advice about any state or local laws that might also determine can e-signatures be used under HIPAA rules.
User Authentication. Covered entities must implement a system to validate the identity of all transacting parties to avoid disputes about whether the person who entered into the agreement had the authority to do so. Mechanisms such as two-step verification, answering “secret knowledge” questions, implementing specialized e-signature software and phone/voice authorization can resolve this issue.
Message Integrity. The CE must implement a system to prevent digitally tampering with the agreement after it has been signed to ensure the integrity of the agreement both in transit and at rest. This condition is very like the safeguards of the HIPAA Security Rule and should be treated with the same level of gravity. OCR Inspectors may be looking for e-signature risk assessments and a high level of integrity in all areas when conducting the next round of HIPAA audits.
Non-Repudiation. To ensure that the signatory cannot deny having signed the agreement, e-signatures used under HIPAA rules should have a timestamped audit trail indicating dates, times, location and the chain of custody. This will ensure that contracts are legally enforceable and that authorization for the disclosure of PHI cannot later be contested. Providing the signatory with a printed or emailed copy of the document is one step to avoiding repudiation.
Ownership and Control. The final condition for e-signatures to be used under HIPAA rules relates to copies of signed documents residing on the servers of e-signature service providers. For a covered entity to ensure the integrity of PHI, all the evidence supporting the e-signature should be on the same document under the ownership and control of the covered entity. All other copies – except those provided for the signatory – should be digitally shredded.
Risk Assessments and E-Signatures
The CEs must consider the balance between the potential increases in efficiency and the novel opportunities for medical errors and for fraud when deciding to adopt a new technology. The level of risk will vary according to the nature of the transaction, and it is advisable for CEs to conduct a risk assessment before deciding if e-signatures be used in a manner which is compliant with HIPAA rules.
To prevent an accidental violation, the CE is strongly advised to check that the conditions necessary for e-signatures to be used under HIPAA rules are addressed and solved before a covered entity adopts e-signatures for any critical communications in which a patient’s individually identifiable protected health information is involved.