What are the HIPAA e-Signature Requirements?


Digital signatures have been shown to increase the efficiency of many administrative processes in the healthcare industry, yet some healthcare organizations may be unsure about the HIPAA e-signature requirements.

Are e-signatures equivalent to patients signing physical documents and do they meet the requirements laid down in HIPAA? If certain mechanisms are implemented to ensure the legality and security of the contract, document, agreement, or authorization, and there is no danger to the integrity of PHI, it is permissible for HIPAA covered entities and business associates to use e-signatures as confirmation that an individual has read and agrees with the content of documents.

Are E-Signatures Mentioned in HIPAA?

Proposals for using e-signatures under HIPAA rules were formulated in the initial draft of the 2003 Security Rule, but then taken out before the legislation was passed. Later guidance relating to Business Associate Agreements and the exchange of electronic health information has been posted on the U.S. Department of Health and Human Services website that states: “No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.”

Normally, a signature is not needed for healthcare transactions, so the issue of e-signatures and HIPAA compliance is irrelevant. However, there are two use cases in particular where signatures are required and e-signatures are useful: business associate agreements and patient authorizations.

Most software companies and cloud platform providers are classed as business associates of HIPAA covered entities because their software or platforms come into contact with PHI. Consequently, a business associate agreement (BAA) must be obtained from those companies prior to the service being used. The BAA must also be signed, and it is convenient for an e-signature to be used to sign those documents.

For all uses and disclosures of PHI that are not expressly permitted by the HIPAA Privacy Rule, authorization must be obtained from the patient. While these authorizations can be obtained in writing during a patient visit, electronic copies of the authorizations may be more convenient in some cases. E-signatures would be required in those cases to confirm authorization has been given by the patient.

The Conditions Required for E-Signatures under HIPAA Rules

Since e-signatures are not mentioned in HIPAA Rules, and the HHS has not prohibited their use, they are acceptable provided they are compliant with the Federal Electronic Signatures in Global and National Commerce (ESIGN) Act and the Uniform Electronic Transactions Act (UETA).

The conditions of UETA and the ESIGN Act are:

Legal Compliance. Not only should the contract, document, agreement, or authorization adhere to the federal rules for e-signatures, it should also clearly show the terms and the intent of the signatory, and the signatory should have the option to receive a printed or emailed copy of the contract. Covered entities are also advised to seek legal advice about any state or local legislation that might also determine whether e-signatures may be used.

User Authentication. Covered entities must put in place a system to validate the identity of all participating parties in order to prevent disputes about whether the person who entered into the agreement actually had the authority to do so. Mechanisms such as two-step verification, completing “secret knowledge” questions, adopting specialized e-signature software, and phone/voice authorization can address this problem.

Message Integrity. A system to prevent digital tampering with the agreement after it has been completed must be implemented to ensure the integrity of the agreement both in transit and at rest. This condition is very similar to the security requirements of the HIPAA Security Rule for electronic communications and should be given the same level of importance. OCR may ask to see e-signature risk assessments during compliance reviews and HIPAA audits.

Non-Repudiation. In order to ensure that the signatory will not be able to deny having completed the agreement, e-signatures used under HIPAA rules should have a timestamped audit trail showing dates, times, location, and the chain of custody. This will ensure that contracts are legally enforceable and that authorization for the sharing of PHI cannot later be disputed. Providing the signatory with a printed or emailed copy of the document is one step that can be used to prevent repudiation.

Ownership and Control. The last requirement for e-signatures to be used under HIPAA rules relates to copies of signed documents stored on the servers of e-signature service providers. In order for a covered entity to ensure the integrity of PHI, all of the proof supporting the e-signature should be on the same document under the ownership and management of the covered entity. All other copies of this – except those given to the signatory – should be digitally destroyed unless the covered entity has entered into a business associate agreement with the e-signature company.
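The Message Integrity and Non-Repudiation conditions above are stated as requirements, not as a design. The following Go program is an added illustration of one way those two conditions can be met technically; it is not code from the article or from any e-signature product, and the record layout, field names and sample values are assumptions. It hashes the finished document, binds that hash to a timestamped audit entry (signer, time, location), and signs the entry with an Ed25519 key so that any later change to the document or to the audit entry is detectable and the signature can be attributed to a specific key holder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEntry is the timestamped record that accompanies a signature.
// The field set is illustrative (assumed): the article asks for dates,
// times, location and chain of custody but prescribes no format.
type AuditEntry struct {
	DocumentSHA256 string `json:"document_sha256"` // hash of the completed document
	SignerID       string `json:"signer_id"`       // identity established by user authentication
	SignedAt       string `json:"signed_at"`       // RFC 3339, UTC, supplied by the signing service
	Location       string `json:"location"`        // e.g. client address or office site
}

// SignedRecord binds the audit entry to the signer's public key. The
// signature covers the canonical JSON of the entry, so changing the
// document hash, signer, time or location invalidates it.
type SignedRecord struct {
	Entry     AuditEntry
	PublicKey ed25519.PublicKey
	Signature []byte
}

// hashDocument returns the hex SHA-256 of the document bytes.
func hashDocument(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// canonical serialises the entry deterministically (encoding/json emits
// struct fields in declaration order) so signer and verifier hash the same bytes.
func canonical(e AuditEntry) ([]byte, error) {
	return json.Marshal(e)
}

// SignDocument produces the audit entry for doc and signs it with priv.
func SignDocument(priv ed25519.PrivateKey, doc []byte, signerID, location string, at time.Time) (SignedRecord, error) {
	entry := AuditEntry{
		DocumentSHA256: hashDocument(doc),
		SignerID:       signerID,
		SignedAt:       at.UTC().Format(time.RFC3339),
		Location:       location,
	}
	msg, err := canonical(entry)
	if err != nil {
		return SignedRecord{}, err
	}
	sig := ed25519.Sign(priv, msg)
	return SignedRecord{Entry: entry, PublicKey: priv.Public().(ed25519.PublicKey), Signature: sig}, nil
}

// VerifyRecord checks that the stored document still matches the hash in the
// audit entry (integrity at rest) and that the entry was signed by the holder
// of the private key matching rec.PublicKey (non-repudiation).
func VerifyRecord(rec SignedRecord, doc []byte) bool {
	if hashDocument(doc) != rec.Entry.DocumentSHA256 {
		return false // document altered after signing
	}
	msg, err := canonical(rec.Entry)
	if err != nil {
		return false
	}
	return ed25519.Verify(rec.PublicKey, msg, rec.Signature)
}

func main() {
	// Constructed sample: a stand-in for a completed BAA and a signer key.
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := []byte("Business Associate Agreement between Covered Entity X and Vendor Y (constructed sample)")
	rec, err := SignDocument(priv, doc, "vendor-y-signer", "203.0.113.10", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("record valid:", VerifyRecord(rec, doc))
	fmt.Println("tampered doc valid:", VerifyRecord(rec, append(doc, " (amended)"...)))
}
```

Two design points matter for a reviewer: the timestamp and location are recorded by the signing service, not typed in by the signatory, so the audit trail reflects what the service observed; and because an asymmetric key is used, verification only needs the public key, which is what lets the covered entity keep the full proof on its own copy of the document (the Ownership and Control condition) without holding the signer's private key.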

The implementation of e-signature technology has its benefits, but it also has the potential to increase medical mistakes and opportunities for fraud. The level of danger will be different according to the nature of the transaction. It is important for covered entities to conduct a risk assessment before deciding whether e-signatures are implemented.