At present, there are no HIPAA e-signature requirements other than “any electronic signature used will result in a legally binding contract under applicable state or other law”. However, this may be about to change.
When HIPAA was passed in 1996, it included an instruction for the Secretary of Health and Human Services to “adopt standards specifying procedures for the electronic transmission and authentication of signatures with respect to [covered] transactions” – the transactions being those for which standards exist in Part 162 of the HIPAA Administrative Simplification Requirements.
Subsequently, when the original Notice of Proposed Rule Making (NPRM) for the Security Rule was published in 1998, the actual document was entitled “Security and Electronic Signature Standards”. The NPRM included multiple HIPAA e-signature requirements for when electronic signatures were used to sign a covered transaction, but the use of e-signatures was not mandated.
However, at the time, only digital signature software – cryptographic signatures bound to the signed content and to the signer’s key – rather than general e-signature software was capable of securely supporting message integrity, nonrepudiation, and user authentication in open network environments, and the proposed HIPAA e-signature requirements were dropped due to “a lack of technical maturity and stakeholders’ lack of readiness”.
The Growth of Electronic Signatures in Healthcare
Despite the failure to finalize the HIPAA e-signature requirements, the use of electronic signatures in healthcare grew following the publication of guidance by HHS’ Office for Civil Rights permitting the digital signing of electronic Business Associate Agreements provided it resulted in a legally binding contract under state or federal laws. Some of the uses of electronic signatures in healthcare include:
- To acknowledge receipt of a Notice of Privacy Practices when the Notice has been delivered electronically.
- Remote authorizations for uses and disclosures of Protected Health Information (PHI) not permitted by the Privacy Rule.
- Verification of identity when a third party is a personal representative or has medical Power of Attorney.
- Electronic prescriptions, including the electronic prescribing of controlled substances regulated by the DEA.
- Health plan authorizations, healthcare provider billing, and other transactions for which standards exist in Part 162.
Due to the lack of HIPAA e-signature requirements, Covered Entities and Business Associates must instead comply with the general electronic signature laws: the federal Electronic Signatures in Global and National Commerce Act (ESIGN Act), the Uniform Electronic Transactions Act (UETA) as enacted by their state, and any additional e-signature legislation in the states in which they operate.
Additionally, when using an electronic signature for healthcare activities that include the use or disclosure of Protected Health Information (PHI), Covered Entities must also comply with the HIPAA Privacy and Security Rules inasmuch as they must ensure the privacy of individually identifiable health information and protect the confidentiality, integrity, and availability of electronic PHI.
CMS Proposes a HIPAA e-Signature Standard
In December 2022, the Centers for Medicare and Medicaid Services (CMS) published a Proposed Rule which has the objective of resolving an issue with healthcare attachment transactions. Currently, when a provider needs to submit additional information to a health plan to support an authorization request, or a health plan requires additional information from a provider before paying a claim, the additional information cannot be attached to the existing transaction and has to be faxed or mailed.
This issue – which can delay authorizations and payments – is being resolved by the introduction of additional transaction codes for healthcare attachment transactions. However, to prove they are genuine attachments to an existing transaction, the attachments will have to be signed using a digital signature. To ensure the signatures meet the requirements of message integrity, nonrepudiation, and user authentication, CMS has proposed a HIPAA e-signature standard.
The standard will not require the use of any specific e-signature software – and will not mandate the use of e-signatures for the new transaction codes. Covered Entities may continue to use fax and mail if they wish. However, if Covered Entities choose to adopt electronic signatures for healthcare attachment transactions, whatever software is implemented to verify the signature must use the HL7 IG for CDA® R2 protocol for attaching electronic signatures to digital transactions.
The Possibility of More HIPAA E-Signature Requirements to Follow?
If finalized, this standalone requirement may be extended to other covered transactions requiring e-signatures. Thereafter, it could be further extended to some other existing uses of electronic signatures in healthcare – particularly activities conducted remotely in which user authentication is necessary to verify the identity of an individual.
The reason more HIPAA e-signature requirements are a possibility is that CMS and HHS’ Office for Civil Rights have both published NPRMs that attempt to overcome disparities in patient access to health data. One of the ways suggested to overcome the disparities is to allow patients to connect to providers’ portals using a healthcare app of the patient’s choice.
Both agencies acknowledge their proposals have risks attached inasmuch as patients’ healthcare apps may have insufficient authentication controls or poor encryption, or may be vulnerable to reverse engineering. HHS’ Office for Civil Rights is particularly concerned about user authentication – dedicating a significant portion of its Proposed Modifications to verification.
Many of the risks could be resolved by HIPAA compliant e-signatures. Patients could take advantage of free-to-use electronic signature software to verify their identities, and Covered Entities could use existing e-signature software to comply with the message integrity and nonrepudiation HIPAA e-signature requirements. It is just a question of putting two and two together.
What Healthcare Organizations Can do Now
It is important to note the proposed HIPAA e-signature requirement has not yet been finalized; and, if it is, it will only apply to one specific type of covered transaction which can still be conducted by other communication channels. Nonetheless, there are reasons to suggest HIPAA e-signature requirements could be applied to many covered activities in coming years.
To get ahead of any future changes, Covered Entities and Business Associates can review any covered activities in which digital signatures are used and see if the software being used complies with the HL7 IG for CDA® R2 protocol (or can be upgraded to comply with the protocol). It is also advisable to conduct a risk assessment to determine any risks or vulnerabilities associated with existing procedures for using electronic signatures in healthcare activities.
It is also worth noting that, although CMS and HHS’ Office for Civil Rights regard the failure to allow a patient to connect with a Covered Entity’s portal via a healthcare app as a violation of the Privacy Rule, there is also an exception permitting access to be denied if the manner of transmission would present an unacceptable security risk to ePHI on the Covered Entity’s system. It is therefore advisable to review whether relying on this exception may create issues with any future HIPAA e-signature requirements.
e-Signatures and HIPAA: FAQ
Can e-signatures be used in HIPAA-covered transactions?
E-signatures can be used in HIPAA-covered transactions. However, when using e-signatures for certain transactions (i.e., healthcare attachment transactions) it is necessary to use a HIPAA-compliant electronic signature based on the HL7 IG for CDA® R2 protocol. Additionally, if using e-signature software obtained from a third-party service provider, it will be necessary to enter into a Business Associate Agreement with the software vendor before PHI is disclosed in any document.
What other laws regulate the use of e-signatures?
Other laws that regulate the use of e-signatures include the federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA), a model law enacted at the state level by most states. Some states have also passed their own legislation that regulates the use of e-signatures - among them New York, Illinois, and Arizona.
What should CEs look for when choosing an e-signature solution?
What CEs should look for when choosing an e-signature solution can depend on what the solution will be used for. Most solutions should meet the DEA’s requirements for electronically prescribing controlled substances and the OCR’s requirements for electronically signing Business Associate Agreements.
However, if the e-signature solution is going to be used for Part 162 HIPAA-covered transactions, patient authorizations, or remote pre-operative consent, it may be better to implement a digital signature solution rather than an e-signature solution. A digital signature cryptographically binds the signature to the signed content and to the signer’s key, which is what supports message integrity, nonrepudiation, and user authentication; a typed name or a pasted image of a signature does none of these.
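The following is an added example, not code from the original article or from any HL7 or CMS specification, showing in working Go why the article prefers a digital signature to a plain e-signature for attachment transactions (as described in the CMS proposal section above and in this FAQ answer). It signs a constructed healthcare attachment with an ECDSA key and then demonstrates the three properties the page names: a modified attachment fails verification (message integrity), the same attachment re-bound to a different transaction fails (the signature proves it belongs to one specific transaction), and a different key fails (user authentication and, with a certificate tying the key to a person, nonrepudiation). For contrast, a typed-name “e-signature” still appears present after the content is altered. The `Attachment` type, the `Sign`, `Verify`, `TypedSignaturePresent` and `RunDemo` functions, the transaction identifiers and the clinical note text are all constructed for illustration; the example uses a raw ECDSA signature over a SHA-256 digest and does not implement the signature format the HL7 IG for CDA® R2 actually specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Attachment is a constructed stand-in for a healthcare attachment: the
// identifier of the transaction it supports plus the attached content.
// Hashing both together binds the signature to that one transaction.
type Attachment struct {
	TransactionID string
	Content       string
}

// digest computes the SHA-256 hash that is actually signed. The length
// prefixes keep different (ID, content) pairs from hashing identically.
func (a Attachment) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s|%d:%s", len(a.TransactionID), a.TransactionID, len(a.Content), a.Content)
	return h.Sum(nil)
}

// Sign produces an ECDSA (P-256) signature over the attachment digest using
// the signer's private key, which only the signer holds.
func Sign(key *ecdsa.PrivateKey, a Attachment) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, a.digest())
}

// Verify checks the signature against the claimed signer's public key. It
// returns false if the content, the transaction binding, or the signer differs.
func Verify(pub *ecdsa.PublicKey, a Attachment, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, a.digest(), sig)
}

// TypedSignaturePresent mimics a plain e-signature: a typed name appended to
// the content. It can only confirm the marker is there; it says nothing about
// whether the content changed or whether the named person produced it.
func TypedSignaturePresent(content, signer string) bool {
	return strings.HasSuffix(content, "/s/ "+signer)
}

// DemoResult records the outcome of each check so the properties can be asserted.
type DemoResult struct {
	OriginalVerifies    bool // unmodified attachment, correct key
	TamperedVerifies    bool // content altered after signing
	ReboundVerifies     bool // same content attached to a different transaction
	WrongSignerVerifies bool // verified against someone else's key
	TypedTamperedPasses bool // typed-name marker survives tampering
}

// RunDemo generates two signer keys, signs a constructed attachment, and
// exercises the tampering, re-binding, and wrong-signer cases.
func RunDemo() (DemoResult, error) {
	providerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	otherKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}

	// Constructed sample: a note supporting a prior-authorization request.
	orig := Attachment{
		TransactionID: "278-REQ-0001",
		Content:       "Clinical note: MRI of left knee requested after 6 weeks of conservative therapy.",
	}
	sig, err := Sign(providerKey, orig)
	if err != nil {
		return DemoResult{}, err
	}

	tampered := orig
	tampered.Content = strings.Replace(orig.Content, "6 weeks", "12 weeks", 1)

	rebound := orig
	rebound.TransactionID = "278-REQ-0002"

	typed := orig.Content + " /s/ Dr. Example"
	typedTampered := strings.Replace(typed, "6 weeks", "12 weeks", 1)

	return DemoResult{
		OriginalVerifies:    Verify(&providerKey.PublicKey, orig, sig),
		TamperedVerifies:    Verify(&providerKey.PublicKey, tampered, sig),
		ReboundVerifies:     Verify(&providerKey.PublicKey, rebound, sig),
		WrongSignerVerifies: Verify(&otherKey.PublicKey, orig, sig),
		TypedTamperedPasses: TypedSignaturePresent(typedTampered, "Dr. Example"),
	}, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Only the first check succeeds for the digital signature, while the typed-name check still “passes” on the altered note, which is the gap a health plan would face when relying on a plain e-signature to prove an attachment is genuine. In a real deployment the public key would be carried in an X.509 certificate issued to the signer, which is what turns “this key signed it” into “this person signed it” for nonrepudiation purposes; the HL7 IG defines the signature container and certificate handling that this example leaves out.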
Are Business Associate Agreements (BAA) needed for e-signature solutions?
Business Associate Agreements are needed for e-signature solutions if Protected Health Information (PHI) is going to be disclosed in any contract, document, agreement, or authorization. An Agreement is required even if the vendor of the e-signature solution cannot read the PHI because it is encrypted, as HHS’ Office for Civil Rights considers a vendor that stores or maintains PHI to have “persistent access” to it rather than the transient access of a mere conduit.